Privacy & Information Security Law Blog

On January 21, 2014, the Federal Trade Commission announced settlements with twelve companies that allegedly falsely claimed that they complied with the U.S.-EU Safe Harbor Framework. The settlements stem from allegations that the companies violated Section 5 of the FTC Act by falsely representing that they held current Safe Harbor certifications despite having allowed their certifications to expire. The companies involved represent a variety of industries, ranging from technology and accounting to consumer products and National Football League teams.

The U.S.-EU Safe Harbor Framework is a cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. To join the Safe Harbor Framework, a company must self-certify to the Department of Commerce that it complies with seven privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and related requirements that have been deemed to meet the EU’s adequacy standard.

In its complaints, the FTC alleged that the companies represented, through statements in their privacy policies or by displaying the Safe Harbor certification mark, that they were “current” participants in the Safe Harbor Framework, even after failing to renew their Safe Harbor certifications on an annual basis. Accordingly, the FTC found such representations “false and misleading.” According to the complaints, “a company under the FTC’s jurisdiction that claims it has self-certified to the Safe Harbor principles, but in fact failed to self-certify to Commerce, may be subject to an enforcement action based on the FTC’s deception authority under Section 5 of the FTC Act.” Although the Commission alleged that the companies’ conduct violated Section 5 of the FTC Act, the FTC noted that this does not necessarily mean the companies committed any substantive violations of the Safe Harbor Framework’s privacy principles.

The proposed settlement agreements prohibit the relevant companies from misrepresenting, expressly or by implication, the extent to which they participate in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.

In the press release accompanying the settlement, FTC Chairwoman Edith Ramirez stated that “Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program.”

Read the FTC Business Center Blog’s post about the Safe Harbor settlements and our previous posts on the Department of Commerce’s Key Points document on the Safe Harbor Frameworks and the future of the U.S.-EU Safe Harbor Framework.

Update: On June 25, 2014, the FTC approved the final settlement orders with the twelve companies.