A provider of medical diagnostic devices and services has agreed to settle Federal Trade Commission allegations that the company misled consumers about its participation in the EU-U.S. Privacy Shield framework.

In a complaint, the FTC alleges that New Jersey-based Ortho-Clinical Diagnostics, Inc. claimed that the company participated in the Privacy Shield framework and complied with the program’s requirements, even though the company had allowed its certification to lapse in 2018.

The EU-U.S. Privacy Shield framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the program.

After Ortho’s certification lapsed, the Department of Commerce warned the company to either remove the claims or take steps to recertify its participation in the Privacy Shield program, which the company failed to do, the complaint alleges. The FTC also alleges Ortho violated the Privacy Shield principles by failing to verify annually that statements about its Privacy Shield practices were accurate. In addition, it also failed to comply with a Privacy Shield requirement that it affirm that the company would continue to apply Privacy Shield protections to personal information collected while participating in the program, according to the complaint.

As part of the proposed settlement with the FTC, Ortho is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework, as well as any other privacy or data security program sponsored by any government or self-regulatory or standard-setting organization. It also is required either to continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or to return or delete the information.

The Commission voted 5-0 to issue the proposed administrative complaint and to accept the consent agreement with the company. The FTC published a description of the consent agreement package in the Federal Register. The agreement will be subject to public comment until May 7, 2020, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments are in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,280.