Less than two months after the European Commission issued a report urging the Federal Trade Commission (“FTC”) to step up enforcement of the EU-U.S. Safe Harbor framework, the FTC announced a settlement with twelve companies – including an Internet service provider, makers of consumer goods, three National Football League teams, and a developer of mobile applications – over allegations that they deceptively claimed to be certified under Safe Harbor. According to the FTC, each of these companies represented that they maintained an active Safe Harbor certification with the U.S. Department of Commerce when in fact they did not.
Under the Safe Harbor framework, one of the methods by which companies can lawfully transfer personal information from the EU to the United States, companies self-certify that they adhere to the seven Safe Harbor privacy principles developed by the U.S. Department of Commerce and the European Commission.
The FTC did not claim that any of the companies failed to live up to the substantive requirements of the Safe Harbor privacy principles. Instead, the FTC alleged that all twelve companies stated in privacy policies or marketing materials that they were certified under the Safe Harbor when in fact they did not maintain active certifications. The FTC also alleged that three of the companies misrepresented their certification in the Swiss-U.S. Safe Harbor program, which, like the EU-U.S. Safe Harbor, allows for transfers of personal information from Switzerland to the United States. In one case, the sole basis for the FTC’s complaint was that the company allegedly let its Safe Harbor certification lapse between April and November 2013 without removing Safe Harbor certification marks or claims from its website.
The terms of the settlements prohibit the companies from making further misrepresentations about their participation in privacy or security programs offered by the government or other standard-setting organizations, including self-regulatory bodies. If one of these companies were to violate the terms of the settlement, it would be subject to civil penalties of $16,000 per violation.
Several EU officials have argued in favor of suspending data transfers to the United States in light of surveillance revelations and perceived weaknesses in the U.S. privacy framework. One of the concerns expressed by EU stakeholders has been the lack of Safe Harbor-related enforcement. These settlements will help the U.S. government continue to address such concerns.
In light of these Safe Harbor settlements, companies participating in Safe Harbor – or in any standard-setting program for privacy or security practices, such as online behavioral targeting self-regulatory programs – would be prudent to confirm that they are living up to both their substantive commitments and the program’s formal certification requirements, including keeping any certification current for as long as they continue to claim it.