On June 30, the U.S. Federal Trade Commission announced that an operator of data centers, RagingWire Data Centers (now known as NTT Global Data Centers) settled FTC allegations that it misled consumers about how it participated in the EU-U.S. Privacy Shield Framework and failed to adhere to the program’s requirements.

Now, some of you may be thinking that this is probably just another typical enforcement action relating to an inaccurate statement about the company's participation in the Privacy Shield Framework. The FTC has indeed initiated enforcement actions against dozens of companies that made false or deceptive representations about their Privacy Shield participation and in this case, one of the FTC's complaints does indeed raise an allegation to that effect. However, this case deserves a closer look due to the unique specificities of the facts, as well as the FTC's focus on some of the other (often-overlooked) Privacy Shield Framework requirements.

First, the company had contended that any alleged misrepresentation about its compliance with the Privacy Shield Framework “was not and could not have been material to RagingWire’s customers” because of the unique nature of its business, that is, the operation of data centers.

In particular, the company claimed that "it is in the business of providing physical spaces to house servers owned and operated by its customers, and that RagingWire is not itself in the data business and does not have access to data on its customers’ servers." Because the company "simply provides physical locations to house servers" for customers, it argued that Privacy Shield compliance was and could not have been material to its customers, on the basis that customers cared more about the physical security of its locations, the resilience and redundancy of its systems, and the physical location of its data centers.

However, the FTC responded that the company's misrepresentations were, in fact, material because the company had made "express false claims" that it complied with and had certified its adherence to the Privacy Shield Framework. In addition, the statements made by the company were material according to the FTC because these statements related to the customers’ legal obligations under European data protection law and the Privacy Shield Framework.

According to the FTC, the company had stated between January 2017 and October 2018 in the privacy policy available on its website that it “complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.” The FTC further alleges that the company made similar statements in marketing and sales materials. However, the FTC contends that even though the company initially participated in the Privacy Shield framework (and its predecessor, the Safe Harbor Certification program), it later allowed its Privacy Shield certification to lapse in January 2018. Despite two warnings from the U.S. Department of Commerce, the FTC contends that the company did not revise its privacy policy or its marketing materials to change the statement about its Privacy Shield participation.

Secondly, another interesting element of this case is that the FTC examined the company's practices and compliance while the company was still officially a Privacy Shield participant (i.e., during the January 2017–18 period). The FTC contends that during that period:

  • The company did not verify, either through self-assessment or outside compliance review, that its assertions about its Privacy Shield privacy practices were true and that those privacy practices had been implemented.
  • The company did not complete a verification statement signed by an officer or outside compliance reviewer that the assertions it had made about its Privacy Shield privacy practices during the time it participated in the program were true and that those privacy practices had been implemented.
  • The company did not renew its dispute resolution subscription with its dispute resolution mechanism provider.

As a reminder, in accordance with Supplemental Principle 7 of the Privacy Shield Principles, companies are required to have procedures in place to verify the accuracy of the attestations and assertions made about their Privacy Shield practices. To meet this verification requirement, companies must verify the attestations and assertions either through self-assessment or outside compliance reviews. In the case of a self-assessment, the statement verifying the self-assessment "must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance."

In addition, Principle 7(a)(i) of the Privacy Shield Principles requires, among other things, that companies participating in the Privacy Shield Framework provide “readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles.” Supplemental Principle 11(a) further specifies that participating companies may comply with Principle 7(a)(i) by using a qualifying private-sector program.

Finally, the FTC alleged that the company did not properly withdraw from the Privacy Shield Framework.

When a company withdraws from the Privacy Shield Framework, it is required to (1) continue to apply the Privacy Shield Principles to such data; (2) return or delete such data; or otherwise (3) provide "adequate" protection for the information by another authorized means (for example, by using a contract that incorporates the relevant EU standard contractual clauses). This requirement can be found in Supplemental Principle 6(f) of the Privacy Shield Principles, which requires that any participant that withdraws from Privacy Shield affirm to the Department of Commerce that it will continue to apply the Privacy Shield Principles to any data received pursuant to Privacy Shield or will delete or return all such data. Supplemental Principle 7 requires companies to respond promptly to inquiries and other requests for information from Commerce relating to the company’s adherence to the Privacy Shield Principles.

So if your company relies on Privacy Shield, what are the key points you should take away?

  • Ensure that any statements made by your company relating to Privacy Shield are accurate. It does not matter if your customers are businesses only. Ensure that any statement made by your company in relation to Privacy Shield — for example, in the company's privacy policy or marketing materials — are accurate, up to date and reflect the company's current status. The Department of Commerce’s list of active and inactive participants in the Privacy Shield Framework may be a good starting point to verify the company's status.
  • Remember that participation in the Privacy Shield Framework is not a one-time operation. The company needs to renew its participation, and there are a number of requirements that are ongoing, such as the need to verify the attestations and assertions made by the company, either through self-assessment or outside compliance reviews. If your company decides to participate in the Privacy Shield Framework, it must comply with all of the EU-U.S. Privacy Shield Principles and Supplemental Principles
  • Do not forget the dispute resolution mechanism. One of the requirements of the Privacy Shield Principles is to have in place and to maintain a “readily available independent recourse mechanism” to handle consumer complaints. A regulator can easily verify if the company terminated or otherwise let lapse the contract with the dispute resolution provider.
  • Do not forget the annual recertification. Companies are required to recertify to the Shield annually. Companies will need to set their own reminders to submit their recertification. An email is usually sent out to remind about the recertification deadline, but there have been situations where such emails were not received, so it is preferable that companies themselves set an annual reminder in their calendar to avoid missing the deadline. A company may be removed from the Privacy Shield list if it misses the deadline.
  • Skipping the recertification is not an adequate withdrawal. If your company decides to leave the Privacy Shield Framework for whatever reason, the company is still subject to various requirements, including obligations regarding the covered data that your company collected during its participation in the Privacy Shield Framework. More information about withdrawal from the Privacy Shield Framework is available here.

Not all commissioners agreed with the decision. In a dissenting statement, Commissioner Rohit Chopra expressed the view that while a quick settlement may be appropriate when dealing with a small firm for an inadvertent mistake, his view is that a settlement, in this case, would be inappropriate due to the size of the firm and the fact that "a core pillar of Privacy Shield" was at issue. According to Chopra, "there was clear evidence of reliance" from customers on the company's representations in relation to privacy "as a prerequisite for purchasing." Accordingly, Chopra indicated that, in his view, a "more appropriate settlement would include redress for customers, forfeiture of the company’s gains from any deceptive sales practices, or a specific admission of liability that would allow its customers to pursue claims in private litigation."

Photo by ipse dixit on Unsplash