Capitol building in Washington

FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current

FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current

January 22, 2014

FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current

By: Michelle Cohen

Once again using its administrative litigation process, the Federal Trade Commission (“FTC”) announced settlements with twelve large businesses, including the Atlanta Falcons and Denver Broncos football teams, the Baker Tilly accounting firm, BitTorrent, Inc., a peer-to-peer file sharing protocol, Level 3 Communications (one of the largest Internet service providers in the world), and Reynolds Consumer Products, all relating to alleged deceptive claims of U.S.-E.U Safe harbor certifications.

The “Safe Harbor” certification, overseen by the U.S. Department of Commerce, is a voluntary privacy certification; however, it requires an annual reaffirmation to maintain “current” certification status.  The FTC filed complaints against these companies alleging that the organizations made statements in their privacy policies or displayed the Safe Harbor certification mark indicating that they held current Safe Harbor certifications, even though these companies had allowed their certifications to lapse.  The European Commission has recently criticized what it views as lax enforcement of the Safe Harbor process in the U.S., and issued a report with recommendations for improvements.    The European Commission will review its participation in the Safe Harbor framework in a decision to be issued by summer 2014.

As background, European Union countries have strict standards regarding the transfer of personal information outside of the EU.  Back in 2000, the U.S. Department of Commerce and the European Commission negotiated the U.S.-EU Safe Harbor Framework..  This “Safe Harbor” permits U.S. companies to transfer personal data lawfully from the EU.  To participate in the Safe Harbor, a company must self-certify to the Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard for ensuring the protection of personal data.  These principles are: notice, choice, onward transfer (i.e., transfer to third parties), access, security, data integrity, and enforcement.  A company’s privacy policy must address these principles. The FTC, among other agencies, may enforce Safe Harbor compliance.

The process is entirely voluntary.  Once a company self-certifies to the Department of Commerce and Commerce reviews and accepts the filing, a company may state that it has certified compliance with the Safe Harbor. Most companies state this certification in their privacy policies. Organizations may use the Safe Harbor “seal” on their websites and elsewhere.  Annually, by the anniversary of its original filing date, a company must “reaffirm” its compliance in order for its certification to remain current.

The FTC’s action this week alleges that the twelve companies stated that they held current certifications under the U.S.-E.U. (and in three cases, the similar U.S. –Swiss) Safe Harbor frameworks, when in fact the certifications were not current.  Companies which have self-certified compliance with the Safe Harbor framework should check their certifications to ensure they are up-to-date with their annual reaffirmations.  The Department of Commerce maintains a public database listing the status of every self-certifying company. While the annual reaffirmation is not an overly taxing task, the FTC’s settlements with these companies demonstrate that the agency is taking its Safe Harbor enforcement role seriously and that it is monitoring compliance.

While the proposed settlements do not contain monetary penalties, the companies are barred from any further misrepresentations about their participation in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The organizations must also maintain relevant advertisements and promotional materials for five years, and the consent order (once approved) would be in place for 20 years. The proposed settlements are subject to public comment for 30 days and then require final approval of the FTC commissioners.

In privacy law and FTC enforcement, in particular, a guiding principle is “if you say it, do it, and if you don’t do it, don’t say it.”  The FTC’s action on Safe Harbor enforcement is a good lesson – companies should review their privacy policies to make sure they are up-to-date, accurate, and reflect current practices, including ensuring any certifications are up-to-date.  While the U.S.-EU Safe Harbor certification is voluntary, companies must complete their annual reaffirmations on time or risk enforcement.

Michelle Cohen

Michelle Cohen

At Ifrah Law, Michelle’s practice focuses on helping clients establish powerful and enduring relationships with their customers and prospects while remaining compliant with state and federal law governing privacy and advertising laws and regulations.

Related Practice(s)
Other Posts
’60 Minutes’ Show Gets Facts All Wrong in Report on Credit Reporting Agencies
FTC Beat |
Aug 27, 2013

’60 Minutes’ Show Gets Facts All Wrong in Report on Credit Reporting Agencies

By: Ifrah Law
FTC ‘Checks’ In With $3.5 Million Consent Order Under Fair Credit Reporting Act
FTC Beat |
Aug 16, 2013

FTC ‘Checks’ In With $3.5 Million Consent Order Under Fair Credit Reporting Act

By: Ifrah Law
FTC to Search Engines: Distinguish Paid Search Results or Risk FTC Action
FTC Beat |
Jun 30, 2013

FTC to Search Engines: Distinguish Paid Search Results or Risk FTC Action

By: Michelle Cohen
Wyndham Case Challenges FTC’s Authority Over Cybersecurity
FTC Beat |
Jun 12, 2013

Wyndham Case Challenges FTC’s Authority Over Cybersecurity

By: Ifrah Law

Subscribe to Ifrah Law’s Insights