From: Lexology
Sheila A. Millar and Tracy P. Marshall | Keller and Heckman LLP
If a company claims to be certified under the EU-U.S. Privacy Shield framework when it hasn’t even completed the paperwork, the Federal Trade Commission (FTC) isn’t likely to let it slide. ReadyTech, a California-based online training services company, made such a claim on its website, in violation of the FTC Act’s prohibition against deceptive acts or practices, according to the FTC’s complaint against the company.
The Privacy Shield is one of the approved mechanisms through which U.S. companies can lawfully transfer personal data from the EU to the U.S. in compliance with the EU General Data Protection Regulation (GDPR). ReadyTech stated on its website that it was “in the process of certifying that we comply with the U.S. – E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.” However, according to the FTC, while the company initiated the process of self-certifying to the U.S. Department of Commerce in 2016, it was never completed.
Leave a Reply