The Federal Trade Commission (FTC) finalized settlements with five companies for wrongfully claiming EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield certification. The companies included providers of workforce solutions, collaboration platforms, artificial intelligence analytics, and clinical trial management, as well as other IT providers.

The actions

In each case, the FTC alleged that the company wrongfully claimed current certification under either the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield. Both frameworks establish a mechanism for companies to legally transfer personal consumer data between countries while complying with data protection requirements.

While four of the companies falsely claimed certification under either the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield, one had previously been a participant in the Privacy Shield, but allowed its certification to lapse while continuing to claim participation.

Under the terms of the settlement with the FTC, the companies are prohibited from misrepresenting their participation in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. Further, one of the violators must continue to apply the Privacy Shield protections to personal data about EU data subjects, or delete or return that personal data.

Recommended action

Without a doubt, US authorities remain vigilant against companies falsely claiming Privacy Shield certification. Companies that are currently Privacy Shield certified should be sure to stay current, re-certify on a timely basis, and ensure their practices comply with the Privacy Shield Framework requirements.

Further information

If you have any questions about this enforcement action or any other privacy law, please do not hesitate to reach out to partners Brian Hengesbaugh and Harry Valetk.


Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.