
Agency of Privacy Shield: FTC Expands Enforcement of Privacy Shield Principles

On September 3, 2019, the FTC announced proposed settlements with five companies that falsely claimed to participate in the EU-US Privacy Shield framework (“Privacy Shield”). As in several past enforcement actions, most of the companies falsely claimed they participated in Privacy Shield when in fact they had never completed the certification process. But unlike past enforcement actions, one case focused on a Privacy Shield participant’s failure to comply with the substantive requirements of the program. That case teaches some important lessons for companies that participate, or are considering participating, in the Privacy Shield.

The case involved EmpiriStat, a Maryland-based company that provides statistical analysis and clinical trial support services. EmpiriStat self-certified to the Privacy Shield in 2017, but let that certification lapse when it failed to complete an annual recertification application in 2018. Despite failing to renew its certification, EmpiriStat continued to represent in its website privacy policy that it participated in the Privacy Shield. After EmpiriStat failed to heed the FTC’s warning to remove those representations from its privacy policy until it successfully completed the recertification process, the FTC brought an enforcement action.

The FTC’s complaint faulted EmpiriStat for misrepresenting its participation in the Privacy Shield after it allowed its certification to lapse. But it also alleged that EmpiriStat failed to comply with a key substantive requirement of the framework. Specifically, the FTC alleged that EmpiriStat had failed to comply with Privacy Shield Supplemental Principle 7 (the Verification Principle), which requires Privacy Shield participants to verify, at least once a year, through self-assessment or outside compliance review, that the assertions they make about their Privacy Shield privacy practices are true and that those privacy practices have been implemented as represented. The Verification Principle also requires the company to document the verification in a statement signed by a corporate officer. The FTC alleged that EmpiriStat failed to provide its attested verification statement to the FTC.

The EmpiriStat settlement is the first case in which the FTC has focused on a business’s compliance with the Verification Principle and could signal a shift in the FTC’s approach to Privacy Shield compliance.  Companies participating in Privacy Shield (or those considering certification) should therefore keep the following points in mind:  

  • Annual Recertification. Applying for recertification is an annual requirement that must be completed before the expiration of a participant’s current annual certification.  EmpiriStat began the recertification process but did not take the steps necessary to complete its application for recertification, despite warnings from the FTC.  Companies should be mindful that merely starting the recertification application is not sufficient, and that continuing to claim participation in the Privacy Shield despite a lapse in certification will be viewed by the FTC as an actionable misrepresentation.
  • Annual Verification Requirement. Companies must annually verify that the assertions they make about their Privacy Shield practices are true and have been fully implemented. Critically, compliance with that requirement requires more than simply logging in to the Privacy Shield website and completing the online recertification process. The organization must substantively verify, through self-assessment or outside compliance review, that the commitments it has made in its privacy policy have been fully implemented as an operational matter. The inability to produce a signed statement documenting that the verification has been completed can lead to enforcement proceedings in the event of an investigation, as the EmpiriStat case demonstrates.
  • Proper Withdrawal. Companies that wish to withdraw from the framework (or those that fail to properly recertify, as was the case for EmpiriStat) must comply with Privacy Shield’s withdrawal requirements. To properly withdraw, a company must notify the Department of Commerce of its withdrawal and state whether it will return, delete, or retain the personal information received in reliance on the Privacy Shield. If a company chooses to retain that personal information, it must verify that it will continue to apply the Privacy Shield Principles to the personal information received while participating in the framework and affirm its commitment to do so to the Department of Commerce on an annual basis for as long as it retains the information.

The EmpiriStat case suggests that as Privacy Shield’s validity is challenged in Europe, the FTC is likely to take a deeper look at whether companies are complying with the substantive requirements of the framework. Any company that has certified—or is thinking about certification—should thus ensure they understand in detail what the framework requires.