The Federal Trade Commission sued a Nevada data storage services company over allegations that it misled consumers about its participation in the EU-U.S. Privacy Shield framework and failed to adhere to the program’s requirements before allowing its certification to lapse.
The EU-U.S. Privacy Shield framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the program.
The FTC also alleges that while RagingWire was a participant in the Privacy Shield program, the company failed to comply with the following three Privacy Shield requirements:
- to verify annually that it had made accurate statements about its Privacy Shield privacy practices;
- to maintain a dispute resolution process for consumers who had privacy-related complaints about the company; and
- to abide by the Privacy Shield requirement that companies that stop participation in the framework affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
The complaint includes a proposed order that would prohibit RagingWire from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization and would require the company to comply with FTC reporting requirements. If its certification of participation in the Privacy Shield framework lapses in the future, RagingWire also would be required to continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information, according to the proposed order.
The Commission voted 5-0 to issue the administrative complaint.