On Tuesday, January 21, 2014, the Federal Trade Commission (FTC) announced proposed settlements with 12 companies accused of falsely claiming that they had complied with the US-EU Safe Harbor Framework. These 12 companies are varied: they include three National Football League teams as well as a debt collection firm. They handle multiple types of consumer data, including employee records and sensitive health information.
The FTC alleged in its complaints that these companies deceptively claimed that they held current US-EU Safe Harbor and/or US-Swiss Safe Harbor certifications through representations made in their privacy policies and/or by displaying the Safe Harbor certification mark on their websites, even though they had let their certifications lapse. Importantly, the FTC did not allege that any of these companies was not in compliance with the underlying Safe Harbor principles – rather, they had just failed to keep their respective certifications current.
Both frameworks are voluntary programs administered by the U.S. Department of Commerce with the European Commission and Switzerland. Each framework permits U.S. companies to transfer personal data from the European Union to the United States in compliance with EU law. To participate, U.S. companies must self-certify every year that they comply with the seven privacy principles required to meet the EU and Switzerland privacy standards.
The FTC has recently come under pressure from the European Commission to crack down on U.S. companies that are falsely claiming to follow the Safe Harbor principles. The FTC has pledged to investigate a list of companies that the Galexia consulting firm alleged to be failing to honor their Safe Harbor commitments. In a November 2013 report, the European Commission asserted that the Safe Harbor Framework is not sufficiently protecting EU residents’ personal data. It proposed a list of “recommendations” for reforming the Safe Harbor Framework, including a request to the FTC to “increase efforts to investigate false claims of Safe Harbour [sic] adherence.”
FTC Chairwoman Edith Ramirez has responded that the FTC’s enforcement of the Framework is a “Commission priority” and that “[t]hese 12 cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program.” Under the proposed settlements, which are subject to public comment through February 20, 2014 (after which the FTC will decide whether to make the proposed orders final), the companies (i) are prohibited from misrepresenting their participation in data security or privacy protection programs sponsored by governments or other self-regulatory/standard-setting organizations, (ii) are required to retain documents relating to their compliance for a five-year period, (iii) must distribute their respective order to personnel who have responsibilities pertaining to the order, and (iv) must submit an initial compliance report to the FTC (and make subsequent reports available to the FTC). These orders would “sunset” after 20 years, with certain exceptions.