Have You Had Your Annual Checkup? The FTC Cracks Down on Inaccurate U.S.-EU Safe Harbor Claims

While the U.S.-EU “Safe Harbor” Framework for transferring data into the United States is hardly new — it was approved 15 years ago — the Federal Trade Commission has recently focused its enforcement efforts on companies that inaccurately represent their certification under the framework. The FTC has brought more than two dozen actions against companies in the past several months and recently announced proposed settlements with 13 more.

The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks allow companies to transfer consumer data from the EU and Switzerland to the U.S. in compliance with the EU Data Protection Directive. Companies that want to avail themselves of safe harbor status under these frameworks must ensure that their policies and practices satisfy the seven privacy principles required to meet the EU’s standard of “adequacy” in connection with data protection safeguards: notice, choice, onward transfer, security, data integrity, access and enforcement. Companies that self-certify with the U.S. Department of Commerce that they comply with the frameworks must renew that self-certification annually.

As with the previous enforcement actions, the FTC charged the 13 companies, which hail from a diverse range of industries, with violating Section 5 of the FTC Act by misrepresenting their safe harbor certifications. In about half of the cases, the companies had undertaken the self-certification process but failed to renew their status annually as required. In the other cases, the companies claimed that they were certified but had never applied for that status. The FTC’s proposed consent orders in this recent spate of cases prohibit future misrepresentations and impose additional reporting burdens on the settling companies; any violations of the consent orders can result, however, in monetary fines of up to $16,000 per violation.

The Commission’s enforcement history in recent months, including its action against Nomi Technologies (see our alert here), demonstrates an emphasis on accuracy in privacy policies — regardless of a company’s industry or size. Companies must ensure that their practices conform to their written policies — adopting a template policy can be dangerous, with the FTC demanding that all companies “practice what they promise.”

These recent cases serve as a reminder that companies must be conscientious not only in satisfying Safe Harbor Frameworks, but also in keeping certifications up to date. Experienced counsel can assist companies with navigating the data privacy landscape — and avoid potentially costly enforcement actions.