The Federal Trade Commission sued a Nevada data storage services company over allegations that it misled consumers about its participation in the EU-U.S. Privacy Shield framework and failed to adhere to the program’s requirements before allowing its certification to lapse.
The EU-U.S. Privacy Shield framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the program.
In a complaint, the FTC alleges that between January 2017 and October 2018, RagingWire Data Centers, Inc. claimed in its online privacy policy that the company participated in the Privacy Shield framework and complied with the program’s requirements, even though it had allowed its certification to lapse in January 2018. The Department of Commerce warned Raging Wire twice to either remove the claims or take steps to recertify its participation in the Privacy Shield program. The company, however, failed to recertify until it was contacted by the FTC in October 2018.
The FTC also alleges that while RagingWire was a participant of the Privacy Shield program, the company failed to comply with the three following Privacy Shield requirements:
- To verify annually that it had made accurate statements about its Privacy Shield privacy practices;
- to maintain a dispute resolution process for consumers who had privacy-related complaints about the company; and
- to abide by the Privacy Shield requirement that companies that stop participation in the framework affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
The complaint includes a proposed order that would prohibit RagingWire from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization and would require the company to comply with FTC reporting requirements. If its certification of participation in the Privacy Shield framework lapses in the future, RagingWire also would be required to continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information, according to the proposed order.
The Commission voted 5-0 to issue the administrative complaint.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The issuance of the administrative complaint marks the beginning of a proceeding in which the allegations will be tried in a formal hearing before an administrative law judge.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.