Data Center Company Settles FTC Privacy Shield Case

An operator of secure data centers has settled Federal Trade Commission allegations that it misled consumers about its participation in the EU-U.S. Privacy Shield framework and failed to adhere to the program’s requirements before and after allowing its certification to lapse.

As part of the proposed settlement, NTT Global Data Centers, Inc., formerly known as RagingWire Data Centers, Inc. (RagingWire), must hire a third-party assessor to verify that it is adhering to its Privacy Shield promises if it plans to participate in the framework. The Privacy Shield framework allows participants to transfer data from European Union countries to the U.S. in compliance with EU law.

In a complaint filed in November 2019, the FTC alleged that, between January 2017 and October 2018, RagingWire claimed in its online privacy policy and marketing materials that the company participated in the Privacy Shield framework and complied with the program’s requirements. In fact, the FTC alleged, the company’s certification lapsed in January 2018 and it failed to comply with certain Privacy Shield requirements while it was a participant in the program. The FTC also alleged that, upon allowing its certification to lapse, RagingWire failed to take the necessary steps to confirm that it would comply with its continuing obligations relating to data received pursuant to the framework.

The proposed settlement also prohibits the company from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization. If its certification of participation in the Privacy Shield framework lapses in the future, the company also must continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information.

After counsel for the Commission reached a settlement agreement with the company on April 16, 2020, the matter was withdrawn from administrative litigation for the purpose of allowing the Commission to consider the consent agreement.

The Commission vote to accept the proposed consent agreement was 3-1-1. Commissioner Rebecca Kelly Slaughter did not participate, while Commissioner Rohit Chopra voted no and issued a dissenting statement. Chairman Joe Simons along with Commissioners Noah Joshua Phillips and Christine S. Wilson issued a separate statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,280.

Leave a comment

Your email address will not be published. Required fields are marked *