The Federal Trade Commission recently agreed to settle claims against two companies alleging that the companies were not abiding by the U.S.-EU Safe Harbor international privacy framework. While the U.S.-EU Safe Harbor permits companies to self-certify compliance and transfer data from the EU to the U.S. in compliance with EU law, these latest cases highlight the importance of making sure the certifications are accurate and up to date.
The FTC has stressed that these cases “send an important message that businesses must not deceive consumers about whether they hold these certifications, and by extension, the ways in which they protect consumers.”
The Department of Commerce offers some helpful hints on self-certifying. Among them, self-certifying organizations may choose to use a private sector dispute resolution program, or they may choose to cooperate with and comply with the EU data protection authorities. The BBB EU Safe Harbor Program, TRUSTe, Direct Marketing Association, the Entertainment Software Rating Board, JAMS and the American Arbitration Association all offer programs in compliance with the Safe Harbor’s Enforcement Principle.
However, as illustrated in the latest FTC cases, an organization should pay close attention to selecting and correctly identifying its independent recourse mechanism, because naming one dispute resolution program in its certification documents while displaying another on its website may be deceptive to consumers.