[BreachExchange] FTC brings first cases enforcing EU-U.S. Privacy Shield

Inga Goddijn inga at riskbasedsecurity.com
Mon Sep 18 21:17:28 EDT 2017


https://www.complianceweek.com/blogs/enforcement-action/ftc-brings-first-cases-enforcing-eu-us-privacy-shield#.WcBvk9OGPOQ

The U.S. Federal Trade Commission this month brought its first cases
<https://www.ftc.gov/news-events/press-releases/2017/09/three-companies-agree-settle-ftc-charges-they-falsely-claimed?utm_source=govdelivery&_ga=2.254469645.488316773.1505783699-2145190925.1505783699>
enforcing
the EU-U.S. Privacy Shield, which was put in place last year to replace the
U.S.-EU Safe Harbor framework.

In separate complaints, the FTC alleged that three U.S. companies violated
the FTC Act by falsely claiming that they were certified to participate in
the EU-U.S. Privacy Shield, which allows companies to transfer consumer
data from EU member states to the United States in compliance with EU law.
Those three companies are HR software company Decusoft; printing services
company Tru Communication; and Md7, which manages real estate leases for
wireless companies.

The FTC also alleged
<https://www.ftc.gov/news-events/press-releases/2017/09/three-companies-agree-settle-ftc-charges-they-falsely-claimed?utm_source=govdelivery>
that
Decusoft falsely claimed participation in the Swiss-U.S. Privacy Shield
framework, which took effect in April and is identical to the EU-U.S.
framework. Despite the claims they made, all three companies failed to
complete the certification process for the Privacy Shield, the FTC
complaint states.

“Today’s actions highlight the FTC’s commitment to aggressively enforce the
Privacy Shield frameworks, which are important tools in enabling
transatlantic commerce,” Acting FTC Chairman Maureen Ohlhausen said in a
statement. “Companies that want to benefit from these agreements must keep
their promises or we will hold them accountable.”

Each of the proposed orders consists of six parts, setting out the following
compliance measures:

   - Part I of the proposed orders prohibits making misrepresentations
   about its membership in any privacy or security program sponsored by the
   government or any other self-regulatory or standard-setting organization,
   including, but not limited to, the EU-U.S. Privacy Shield framework;
   - Part II of the proposed orders requires acknowledgement of the order
   and dissemination of the order now and in the future to persons with
   responsibilities relating to the subject matter of the order.
   - Part III ensures notification to the FTC of any changes in corporate
   status and mandates that each company submit an initial report to the FTC.
   - Part IV requires each company to retain documents relating to its
   compliance with the order for a five-year period.
   - Part V mandates that each company make available to the FTC
   information or subsequent reports, as requested.
   - Part VI is a provision “sunsetting” the order after 20 years, with
   certain exceptions.

The FTC said the purpose of the analysis is “to facilitate public comment”
on the proposed orders; they are “not intended to constitute an official
interpretation” of the proposed complaints or orders or to modify the
orders’ terms in any way.

The FTC brought 39 enforcement actions against companies under the previous
U.S.-EU Safe Harbor Framework. The three recent cases join the four
enforcement actions the FTC brought related to the Asia-Pacific Economic
Cooperation (APEC) Cross-Border Privacy Rules
<https://www.ftc.gov/terms/asia-pacific-economic-cooperation-apec> (CBPR)
system.