Capitol building in Washington

FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current

FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current

January 22, 2014

FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current

By: Michelle Cohen

Once again using its administrative litigation process, the Federal Trade Commission (“FTC”) announced settlements with twelve large businesses, including the Atlanta Falcons and Denver Broncos football teams, the Baker Tilly accounting firm, BitTorrent, Inc., a peer-to-peer file sharing protocol, Level 3 Communications (one of the largest Internet service providers in the world), and Reynolds Consumer Products, all relating to alleged deceptive claims of U.S.-E.U Safe harbor certifications.

The “Safe Harbor” certification, overseen by the U.S. Department of Commerce, is a voluntary privacy certification; however, it requires an annual reaffirmation to maintain “current” certification status.  The FTC filed complaints against these companies alleging that the organizations made statements in their privacy policies or displayed the Safe Harbor certification mark indicating that they held current Safe Harbor certifications, even though these companies had allowed their certifications to lapse.  The European Commission has recently criticized what it views as lax enforcement of the Safe Harbor process in the U.S., and issued a report with recommendations for improvements.    The European Commission will review its participation in the Safe Harbor framework in a decision to be issued by summer 2014.

As background, European Union countries have strict standards regarding the transfer of personal information outside of the EU.  Back in 2000, the U.S. Department of Commerce and the European Commission negotiated the U.S.-EU Safe Harbor Framework..  This “Safe Harbor” permits U.S. companies to transfer personal data lawfully from the EU.  To participate in the Safe Harbor, a company must self-certify to the Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard for ensuring the protection of personal data.  These principles are: notice, choice, onward transfer (i.e., transfer to third parties), access, security, data integrity, and enforcement.  A company’s privacy policy must address these principles. The FTC, among other agencies, may enforce Safe Harbor compliance.

The process is entirely voluntary.  Once a company self-certifies to the Department of Commerce and Commerce reviews and accepts the filing, a company may state that it has certified compliance with the Safe Harbor. Most companies state this certification in their privacy policies. Organizations may use the Safe Harbor “seal” on their websites and elsewhere.  Annually, by the anniversary of its original filing date, a company must “reaffirm” its compliance in order for its certification to remain current.

The FTC’s action this week alleges that the twelve companies stated that they held current certifications under the U.S.-E.U. (and in three cases, the similar U.S. –Swiss) Safe Harbor frameworks, when in fact the certifications were not current.  Companies which have self-certified compliance with the Safe Harbor framework should check their certifications to ensure they are up-to-date with their annual reaffirmations.  The Department of Commerce maintains a public database listing the status of every self-certifying company. While the annual reaffirmation is not an overly taxing task, the FTC’s settlements with these companies demonstrate that the agency is taking its Safe Harbor enforcement role seriously and that it is monitoring compliance.

While the proposed settlements do not contain monetary penalties, the companies are barred from any further misrepresentations about their participation in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The organizations must also maintain relevant advertisements and promotional materials for five years, and the consent order (once approved) would be in place for 20 years. The proposed settlements are subject to public comment for 30 days and then require final approval of the FTC commissioners.

In privacy law and FTC enforcement, in particular, a guiding principle is “if you say it, do it, and if you don’t do it, don’t say it.”  The FTC’s action on Safe Harbor enforcement is a good lesson – companies should review their privacy policies to make sure they are up-to-date, accurate, and reflect current practices, including ensuring any certifications are up-to-date.  While the U.S.-EU Safe Harbor certification is voluntary, companies must complete their annual reaffirmations on time or risk enforcement.

Michelle Cohen

Michelle Cohen

At Ifrah Law, Michelle’s practice focuses on helping clients establish powerful and enduring relationships with their customers and prospects while remaining compliant with state and federal law governing privacy and advertising laws and regulations.

Related Practice(s)
Other Posts
FTC Revises Online Advertising Disclosure Guidelines: Say It and Say It Clearly
FTC Beat |
Mar 15, 2013

FTC Revises Online Advertising Disclosure Guidelines: Say It and Say It Clearly

By: Michelle Cohen
Web Analytics Firm Settles FTC Charges Over Intrusive Data Tracking
FTC Beat |
Mar 12, 2013

Web Analytics Firm Settles FTC Charges Over Intrusive Data Tracking

By: Ifrah Law
FTC Remains Tough on ‘Robocalls’ with New Enforcement Case
FTC Beat |
Feb 27, 2013

FTC Remains Tough on ‘Robocalls’ with New Enforcement Case

By: Ifrah Law
Blood Bank Settles FTC Complaint About Customer Data Privacy
FTC Beat |
Feb 8, 2013

Blood Bank Settles FTC Complaint About Customer Data Privacy

By: Ifrah Law

Subscribe to Ifrah Law’s Insights