NTT Data Center Subsidiary Settles with FTC in Privacy Spat

A subsidiary of Japanese tech communications giant NTT has settled with the Federal Trade Commission over a complaint that it misled customers about its participation in the Privacy Shield framework.

NTT Global Data Centers used to be called RagingWire, but the Japanese telco acquired a majority 80% stake in the business in 2014, buying the remaining stock in January 2018. In November 2019, the FTC accused the Nevada-based data storage company of not being honest about its participation in the EU-US Privacy Shield framework.

Privacy Shield is a legal framework that lets companies transfer consumer data from EU countries to the US. It imposes privacy conditions on those companies to ensure that they remain compliant with EU law. It replaced the prior Safe Harbor agreement that existed between the two countries after a legal challenge ended that arrangement.

The FTC said that RagingWire claimed to participate in the Privacy Shield framework in its online privacy policy between January 2017 and October 2018, even though it had allowed its certification to lapse in January 2018. The Department of Commerce, which administers the framework, asked it twice to remove the claims or restore its certification, but it ignored the requests until the FTC approached it in October 2018.

The company also failed to meet a key Privacy Shield condition, according to the FTC complaint: after its certification lapsed, it didn't continue to apply the framework's protections to personal information collected while participating in the program.

The consent agreement says that NTT Global Data Centers will not misrepresent its role in government privacy programs again. It will also hire an independent third-party assessor to review its compliance for as long as it remains self-certified under Privacy Shield. It must also protect personal information it collects while operating under the framework even after its certification lapses, or return or delete that data.

The FTC's legal team reached the settlement agreement with the company in April 2020, suspending its lawsuit until FTC commissioners could consider the proposal. They voted 3-1-1 in favor, with one commissioner not participating and one dissenting.

The statement from those voting in favor said that the data center operator "was, in fact, touting its participation in Privacy Shield as a selling point."

What’s Hot on Infosecurity Magazine?