WASHINGTON—Five companies have reached settlements with the Federal Trade Commission over allegations they falsely claimed certification under the EU-U.S. Privacy Shield framework, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law.
In separate actions, the FTC alleges that management software provider DCR Workforce, Inc.; cloud-based file transfer software provider Thru, Inc.; LotaData, Inc., which provides analysis of mobile users’ data; and facial recognition software provider 214 Technologies, Inc. all falsely claimed in statements on their websites that they were certified under the EU-U.S. Privacy Shield framework. The FTC alleges that LotaData, Inc. also falsely claimed that it was a certified participant in the Swiss-U.S. Privacy Shield framework, which establishes a data transfer process similar to the EU-U.S. Privacy Shield framework.
The FTC alleges that while 214 Technologies, Thru, LotaData and DCR Workforce each submitted applications under the Privacy Shield, all four companies failed to complete the necessary steps to obtain certification from the Department of Commerce, which administers the Privacy Shield frameworks. The FTC enforces the promises companies make when joining the frameworks.
“These companies made false claims about complying with Privacy Shield, and today’s settlements show that the FTC is protecting Privacy Shield’s integrity and supporting the thousands of U.S. businesses who do it right,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.
Other Allegations
The FTC also alleges that statistical analysis and support services provider EmpiriStat, Inc., falsely claimed it was a current participant in the Privacy Shield after allowing its certification to lapse in 2018. In addition, the FTC alleges that EmpiriStat falsely claimed it complied with the Privacy Shield principles when in fact it failed to verify that its published policy was accurate and completely implemented, an annual requirement under the framework.
As part of the proposed settlements with the FTC, all five companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, EmpiriStat must also continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information.