FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current

January 22, 2014

By: Michelle Cohen

Once again using its administrative litigation process, the Federal Trade Commission (“FTC”) announced settlements with twelve large businesses, including the Atlanta Falcons and Denver Broncos football teams, the Baker Tilly accounting firm, BitTorrent, Inc. (the company behind the peer-to-peer file-sharing protocol of the same name), Level 3 Communications (one of the largest Internet service providers in the world), and Reynolds Consumer Products, all relating to alleged deceptive claims of U.S.-EU Safe Harbor certification.

The “Safe Harbor” certification, overseen by the U.S. Department of Commerce, is a voluntary privacy certification; however, it requires an annual reaffirmation to maintain “current” certification status. The FTC filed complaints against these companies alleging that the organizations made statements in their privacy policies, or displayed the Safe Harbor certification mark, indicating that they held current Safe Harbor certifications, even though they had allowed those certifications to lapse. The European Commission has recently criticized what it views as lax enforcement of the Safe Harbor process in the U.S. and issued a report with recommendations for improvements. The European Commission will review its participation in the Safe Harbor framework in a decision to be issued by summer 2014.

As background, European Union countries have strict standards regarding the transfer of personal information outside of the EU. Back in 2000, the U.S. Department of Commerce and the European Commission negotiated the U.S.-EU Safe Harbor Framework. This “Safe Harbor” permits U.S. companies to transfer personal data lawfully from the EU. To participate in the Safe Harbor, a company must self-certify to the Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard for ensuring the protection of personal data. These principles are: notice, choice, onward transfer (i.e., transfer to third parties), access, security, data integrity, and enforcement. A company’s privacy policy must address these principles. The FTC, among other agencies, may enforce Safe Harbor compliance.

The process is entirely voluntary. Once a company self-certifies to the Department of Commerce and Commerce reviews and accepts the filing, the company may state that it has certified compliance with the Safe Harbor. Most companies state this certification in their privacy policies. Organizations may use the Safe Harbor “seal” on their websites and elsewhere. Annually, by the anniversary of its original filing date, a company must “reaffirm” its compliance in order for its certification to remain current.

The FTC’s action this week alleges that the twelve companies stated that they held current certifications under the U.S.-EU (and, in three cases, the similar U.S.-Swiss) Safe Harbor frameworks, when in fact the certifications were not current. Companies that have self-certified compliance with the Safe Harbor framework should check their certifications to ensure they are up to date with their annual reaffirmations. The Department of Commerce maintains a public database listing the status of every self-certifying company, so a company’s claimed status can be checked against the official record. While the annual reaffirmation is not an overly taxing task, the FTC’s settlements with these companies demonstrate that the agency is taking its Safe Harbor enforcement role seriously and that it is monitoring compliance.

While the proposed settlements do not contain monetary penalties, the companies are barred from any further misrepresentations about their participation in any privacy or data security program sponsored by the government or by any other self-regulatory or standard-setting organization. The organizations must also retain relevant advertisements and promotional materials for five years, and each consent order (once approved) would remain in place for 20 years. The proposed settlements are subject to public comment for 30 days and then require final approval by the FTC commissioners.

In privacy law, and in FTC enforcement in particular, a guiding principle is “if you say it, do it, and if you don’t do it, don’t say it.” The FTC’s action on Safe Harbor enforcement is a good lesson: companies should review their privacy policies to make sure they are up to date, accurate, and reflect current practices, including ensuring that any certifications they claim are current. While the U.S.-EU Safe Harbor certification is voluntary, companies must complete their annual reaffirmations on time or risk enforcement.

Michelle Cohen

At Ifrah Law, Michelle’s practice focuses on helping clients establish powerful and enduring relationships with their customers and prospects while remaining compliant with the state and federal laws and regulations governing privacy and advertising.
