According to the FTC, the companies falsely claimed that they were certified under the EU-U.S. Privacy Shield, which allows for the transfer of consumer data between EU counties and the United States.
The FTC has reached settlements with five companies that allegedly falsely claimed certification under the EU-U.S. Privacy Shield framework, which allows companies to transfer consumer data from European Union countries to the United States in compliance with EU law. In separate actions, the FTC alleged that the companies falsely claimed in statements on their websites that they were certified under the EU-U.S. Privacy Shield framework (In re DCR Workforce, Inc., FTC File No. 1823188; In re Thru, Inc., FTC File No. 1823196; In re LotaData, Inc., FTC File No. 1823194; In re 214 Technologies, Inc., FTC File No. 1823193; In re EmpiriStat, Inc., FTC File No. 1823195).
The complaints against the following alleged that the respondents submitted applications under the Privacy Shield, but failed to complete the steps necessary to obtain certification from the Department of Commerce: management software provider DCR Workforce, Inc.; cloud-based file transfer software provider Thru, Inc.; LotaData, Inc., which provides analysis of mobile users’ data; and facial recognition software provider 214 Technologies, Inc. The FTC also alleged that LotaData, Inc. falsely claimed that it was a certified participant in the Swiss-U.S. Privacy Shield framework, which establishes a data transfer process similar to the EU-U.S. Privacy Shield framework.
Additionally, statistical analysis and support services provider EmpiriStat, Inc. is said to have falsely claimed that it was a current participant in the Privacy Shield even after it allowed its certification to lapse in 2018. In the complaint, the FTC alleged that EmpiriStat falsely claimed it complied with the Privacy Shield principles when in fact it failed to verify that its published policy was accurate and completely implemented, an annual requirement under the framework. The company also failed to abide by the Privacy Shield requirement that companies that stop participation in the framework affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
As part of the proposed settlements with the FTC, all five companies would be prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, EmpiriStat must also continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information.
Attorneys: Monique F. Einhorn for FTC. Joshua James (Bryan Cave Leighton Paisner LLP) for Thru, Inc. Andrew Cove (Cove Law, P.A.) for DCR Workforce. Kevin Vela (Vela Wood, P.C.) for 214 Technologies, Inc.
Companies: 214 Technologies, Inc.; DCR Workforce, Inc.; EmpiriStat; LotaData, Inc.; Thru, Inc.
MainStory: TopStory CyberPrivacyFeed Enforcement Privacy
Interested in submitting an article?
Submit your information to us today!Learn More
Banking and Finance Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on banking and finance legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.