On June 30, 2020 the Federal Trade Commission (FTC) announced that it reached a settlement in its litigation against NTT Global Data Centers (formerly RagingWire Data Centers) over allegations that the company misled customers about its adherence to the EU-U.S. Privacy Shield framework.1 As part of the settlement, the cloud service provider is required to hire a third-party assessor to annually verify its compliance with the Privacy Shield if it chooses to participate in the framework.2 As noted by three commissioners, this order is "more protective of the Privacy Shield Principles than the 14 orders [the] Commission … has approved in prior Privacy Shield Cases."3
The FTC's Complaint and Consent Order
According to the FTC's complaint, during the time that NTT Global Data Centers was a participant in the Privacy Shield program, it failed to comply with certain Privacy Shield principles, including the requirement to verify through an internal self-assessment or outside compliance review that its assertions about its Privacy Shield privacy practices were true and that those privacy practices had been implemented. It also did not complete an internal verification statement signed by a company officer or outside compliance reviewer. Further, the company allowed its Privacy Shield certification to lapse yet still publicly represented that it was a participant, and it failed to affirm with the Department of Commerce that it would either continue to apply the Privacy Shield principles to any data received prior to the certification lapsing or it would delete or return all such data.
Under the consent order, if NTT Global Data Centers participates in the Privacy Shield program in the future, it must obtain an annual compliance review from an independent third-party assessor approved by the FTC demonstrating the company's compliance with the Privacy Shield principles. It also must continue to apply to the Privacy Shield principles to the personal information it received while participating in the program. In addition, the company cannot misrepresent its compliance with any privacy or security program sponsored by any regulatory organization. If it allows its Privacy Shield certification to lapse, the company must affirm annually that it will continue to apply the Privacy Shield Principles to information obtained while under the Privacy Shield, protect that information by another means authorized under EU or Swiss law, or return or delete that information.4 Finally, the company is required to submit to compliance monitoring and must retain records connected to such compliance.5
Commissioner Chopra's Dissent
Although this settlement is more stringent than previous settlements involving Privacy Shield, Commissioner Rohit Chopra filed a separate dissenting statement arguing that the FTC should reject the settlement and pursue additional remedies including "redress for customers, forfeiture of the company's gains from any deceptive sales practices, or a specific admission of liability that would allow its customers to pursue claims in private litigation."6 He stated that any customers who entered into a contract during the period when the company engaged in the alleged deceptive conduct should be permitted to renegotiate or terminate their contracts.7 He said he would support this approach even if NTT Global Data Centers declined to renegotiate the settlement, requiring administrative ligation to be resumed.8
In a separate statement, a majority of the Commissioners rejected Chopra's argument and pointed out that the "heightened obligation" imposed on the company exceeds the scope of the FTC's initial proposed order against the company and orders in prior Privacy Shield cases.9 They reasoned that continuing litigation would unnecessarily divert resources from other important matters, such as investigating "other substantive violations of the Privacy Shield."10
Key Takeaways
In the FTC's previous enforcement actions involving Privacy Shield, the FTC's complaints were generally limited to allegations that a company had never certified with Privacy Shield or had let its certification lapse. This case is significant in that the complaint includes more detailed allegations about the manner in which the company substantively failed comply with the Privacy Shield principles while it actively participated in the program, and makes clear that the failure to comply constitutes a violation of Section 5 of the FTC Act. Companies that participate in the Privacy Shield program should ensure that they have met all Privacy Shield requirements before joining the program, including conducting and documenting an internal self-assessment or outside compliance review and completing a verification statement signed by a corporate officer or outside compliance reviewer.
Companies that fail to comply with Privacy Shield requirements, or that allow their Privacy Shield certifications to lapse, should expect future FTC consent orders to include requirements for annual third-party assessments, causing companies to expend additional resources to participate in Privacy Shield. Further, should Commissioner Chopra's views take hold in the future, companies may face even more strict consequences, including consumer redress, disgorgement, or a specific admission of liability that would more readily allow customers to pursue claims in private litigation.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and has assisted numerous clients in FTC investigations. For more information, please contact Tracy Shapiro, Chris Olsen, or another member of the firm's privacy and cybersecurity practice.
[1] Data Center Company Settles FTC Privacy Shield Case (June 30, 2020), https://www.ftc.gov/news-events/press-releases/2020/06/data-center-company-settles-ftc-privacy-shield-case?utm_source=govdelivery.
[3] Joseph J. Simons et al., Majority Statement in the Matter of NTT Global Data Centers Americas, Inc. (June 29, 2020), https://www.ftc.gov/system/files/documents/public_statements/1577515/182_3189_majority_statement_final.pdf.
[4] In the Matter of NTT Global Data Centers Americas, Inc., Docket No. 9386, at 2 (June 2020), available at https://www.ftc.gov/system/files/documents/cases/d09386nttragingwireorder.pdf.
[6] Rohit Chopra, Dissenting Statement in the Matter of NTT Global Data Centers Americas, Inc., at 1–2 (June 30, 2020), https://www.ftc.gov/system/files/documents/public_statements/1577527/d09386chopradissent.pdf.
[8] Id. at 3 (noting safety and logistical concerns associated with the current pandemic).
