FTC Settles A Pair of Privacy Shield Cases

The FTC imposes 20 year commitments for two companies who were not meeting their requirements in terms of transferring the personal data of EU residents out of Europe.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The Federal Trade Commission (FTC) has announced its second Privacy Shield violation settlement in the last few weeks that will impose obligations over the next 20 years so long as the United States (US) companies choose to transfer and process the data of European Union (EU) citizens and residents. The 2016 agreement requires US entities to self-certify compliance subject to enforcement by the FTC for most companies and violations are punished under the Section 5 prohibition against deceptive practices of the FTC Act. The agreement requires a range of practices for those companies that choose to participate, including heeding standards for notice, consent, accountability for onward transfers, data security, data integrity and purpose limitation. A failure to fully comply represents a violation subject to enforcement.

In the settlement announced this week, the FTC claimed Ortho-Clinical Diagnostics, Inc. “participated in the Privacy Shield framework and complied with the program’s requirements, even though the company had allowed its certification to lapse in 2018” according to the agency’s press release. The FTC added

After Ortho’s certification lapsed, the Department of Commerce warned the company to either remove the claims or take steps to recertify its participation in the Privacy Shield program, which the company failed to do, the complaint alleges. The FTC also alleges Ortho violated the Privacy Shield principles by failing to verify annually that statements about its Privacy Shield practices were accurate. In addition, it also failed to comply with a Privacy Shield requirement that it affirm that the company would continue to apply Privacy Shield protections to personal information collected while participating in the program, according to the complaint.

In a Consent Agreement set to run for 20 years, Ortho-Clinical Diagnostics, Inc. “whether acting directly or indirectly, in connection with the advertising, marketing, promotion, offering for sale, or sale of any product or service, must affirm to the Department of Commerce, within ten (10) days after the effective date of this Order and on an annual basis thereafter for as long as it retains such information, that it will

1. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or

2. protect the information by another means authorized under EU (for the EU-U.S. Privacy Shield framework) or Swiss (for the Swiss-U.S. Privacy Shield framework) law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission

If the company decides not to participate in the Privacy Shield, it must delete all data within 10 days.

The FTC meted out a stiffer penalty to NTT Global Data Centers, Inc., formerly known as RagingWire Data Centers for Privacy Shield compliance violations. The company “must hire a third-party assessor to verify that it is adhering to its Privacy Shield promises if it plans to participate in the framework” per the FTC’s press release. The FTC explained

In a complaint filed in November 2019, the FTC alleged that, between January 2017 and October 2018, RagingWire claimed in its online privacy policy and marketing materials that the company participated in the Privacy Shield framework and complied with the program’s requirements. In fact, the FTC alleged, the company’s certification lapsed in January 2018 and it failed to comply with certain Privacy Shield requirements while it was a participant in the program. The FTC also alleged that, upon allowing its certification to lapse, RagingWire failed to take the necessary steps to confirm that it would comply with its continuing obligations relating to data received pursuant to the framework.

In the 20 year Consent Order with NTT Global Data Centers, the FTC stipulated

no later than 120 days after the effective date of this Order and for so long as Respondent is a self-certified participant in Privacy Shield, Respondent and its officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the advertisement, marketing, promotion, offering for sale, or sale of any product or service, shall obtain an annual outside compliance review from an independent third-party assessor approved by the Associate Director for the Division of Enforcement of the Bureau of Consumer Protection at the Federal Trade Commission, that demonstrates that the assertions Respondent makes about its Privacy Shield practices are true, and that those Privacy Shield practices have been implemented as represented and in accord with the Privacy Shield Principles. (emphasis added).

NTT Global Data Centers must also

1. continue to apply the EU-U.S. Privacy Shield framework principles to the personal information it received while it participated in the Privacy Shield; or

2. protect the information by another means authorized under EU (for the EU-U.S. Privacy Shield framework) or Swiss (for the Swiss-U.S. Privacy Shield framework) law, including by using a binding corporate rule or a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission

The FTC split over the Consent Order against NTT Global Data Centers, with Commissioner Rohit Chopra dissenting for these reasons:

• American businesses that participate in the EU-U.S. Privacy Shield Framework should not have to compete with those that break their privacy promises.
• The FTC charged a data center company with violating their Privacy Shield commitments, but our proposed settlement does not even attempt to adequately remedy the harm to the market.
• The evidence in the record raises serious concerns that customers looking to follow the law relied on the company’s representations and may be locked into long-term contracts.
• A quick settlement with a small firm for an inadvertent mistake may be appropriate, but it is inadequate for a dishonest, large firm violating a core pillar of Privacy Shield.
• We must consider seeking additional remedies, including rights to renegotiate contracts, disgorgement of ill-gotten revenue and data, and notice and redress for customers.

Chair Joe Simons and Commissioners Noah Joshua Phillips and Christine Wilson argued in their majority statement that

Commissioner Chopra would ask us to reject a settlement that protects consumers and furthers our Privacy Shield goals, to instead continue litigation during an ongoing pandemic. There is no need and doing so would unnecessarily divert resources from other important matters, including investigations of other substantive violations of Privacy Shield. We do not support moving the goalposts in this manner and for this reason vote to accept the settlement, which not just accords with but exceeds the relief the Commission unanimously sought to obtain at the outset of the case.

Despite these and other Privacy Shield enforcement actions, it is likely EU officials will still find US enforcement lacking. The European Data Protection Board (EDPB or Board) released its most recent annual assessment of the Privacy Shield in December 2019 and again found both the agreement itself and implementation wanting. There was some overlap between the concerns of the EDPB and the European Commission (EC) as detailed in its recently released third assessment of the Privacy Shield, but the EDPB discusses areas that were either omitted from or downplayed in the EC’s report. The EDPB’s authority is persuasive with respect to Privacy Shield and carries weight with the EC; however, its concerns as detailed in previous annual reports have pushed the EC to demand changes, including but not limited to, pushing the Trump Administration to nominate Board Members to the Privacy and Civil Liberties Oversight Board (PCLOB) and the appointment of a new Ombudsperson to handle complaints about how the U.S. Intelligence Community is handling the personal data of EU citizens.

In January 2019, in the “EU-U.S. Privacy Shield – Second Annual Joint Review,” the EDPB noted some progress by the US in implementing the EU-U.S. Privacy Shield. However, the EU’s Data Protection Authorities (DPA) and EDPB took issue with a number of shortcomings in US implementation, many of which have been noted in previous analyses of US efforts to ensure that U.S. companies that agree to the Privacy Shield’s principles. Notably, the EDPB found problems with the assurances provided by the US government regarding the collection and use of personal data by national security and law enforcement agencies. The EDPB also found problems with how the Department of Commerce and FTC are enforcing the Privacy Shield in the US against commercial entities.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by ipse dixit on Unsplash