Last week, the Federal Trade Commission (FTC) reached settlements with five companies regarding allegations that they had falsely claimed to be compliant with the EU-U.S. Privacy Shield framework.

The framework allows companies to transfer data from the U.S. to the EU without running afoul of privacy laws like the General Data Protection Regulation (GDPR), but—and this is a big "but"—companies have to certify ahead of time with the Department of Commerce or potentially face the wrath of the FTC.

So far, the FTC hasn't been shy about cracking down on violators, and that momentum could potentially signify the regulator's willingness to seriously enforce other GDPR-related standards on privacy in the future.

"When Privacy Shield was adopted by [the U.S. and EU], the FTC made a commitment to give priority to enforcement," said David Shonka, a partner at Redgrave LLP and former acting general counsel at the FTC.

The numbers would tend to bear him out. Even before the Privacy Shield framework was officially adopted in 2016, Shonka estimates that the FTC filed about 40 cases related to false certifications under the initiative's predecessor, the EU-U.S. Safe Harbor program.

Those actions continued once Safe Harbor evolved into the Privacy Shield. This June, for example, the FTC announced a settlement with a background screening company that had falsely claimed certification.

Myriah Jaworski, a certified information privacy professional at Beckage, indicated that the FTC wasn't exercising its authority in a particularly novel way, but may be attempting to draw more attention to those efforts.

"I think that the FCC is branding itself as the United States supervisory authority, where it's trying to sort of capture the public's perception of it as being a consumer data watchdog," Jaworski said.

Companies that catch the attention of said watchdog may be exposing their partners overseas to GDPR-related liabilities. Even if an EU company was unaware that its American collaborator's shield credentials were false, Shonka pointed out that a list of certified entities is readily available online.

In other words, regulators could be disinclined to accept ignorance as an excuse, setting off legal difficulties that could eventually rebound onto the American partners.

"There very well could be a breach of contract in there too if a company didn't know their partners were not certified," Shonka said.

If that all sounds very complicated, get used to it. The GDPR and the FTC don't appear to be disentangling themselves any time soon, especially considering the latter's role as a consumer protection agency in a cultural climate increasingly consumed by talk of privacy, or even of a national American privacy law.

Companies looking to both appease consumer concerns and retain business opportunities in EU countries are folding GDPR principles into their privacy practices. However, Jaworski said there may sometimes be a gap between placing those policies on paper and actually following them in everyday business practices.

"I think that to the extent the FTC determines that it will be sort of like the supervisory authority to the U.S., then we will likely see it acting in this realm. I wouldn't be surprised or I would anticipate [the] FTC enforcement of GDPR promises made in privacy policies," Jaworski said.