FTC proposes twenty-year compliance program for two companies that have settled charges that they misrepresented that they were currently compliant with the US-EU Safe Harbor Framework.
The Safe Harbor was originally negotiated between the European Commission and Department of Commerce and went into effect in 2000. As we previously noted, the US Government has taken a number of actions in the last year to bolster and demonstrate its commitment to the Safe Harbor. The Safe Harbor allows US companies to lawfully transfer personal data on EU consumers outside of Europe in a manner that is consistent with the requirements of the European Union Directive on Data Protection. The Safe Harbor is important to US-based companies because, otherwise, EU privacy law would significantly limit when personal data on EU residents could be transferred and stored in the US.
A key requirement for companies that have self-certified is that they must annually reaffirm their commitment to the Safe Harbor in a filing with the Department of Commerce. The Department of Commerce’s website states that the required filing must reaffirm that:
- The information previously submitted to the Department of Commerce for purposes of self-certification is still correct and accurate;
- The officer is authorized to certify the organization’s continued adherence to the safe harbor framework;
- The officer understands that misrepresentations in any information provided by the organization may be actionable under the False Statements Act, 18 USC Section 1001; and
- As a consequence of the annual self-certification, failure to adhere to the Safe Harbor framework may lead to enforcement action by the relevant enforcement authority.
On April 7, 2015, the FTC announced that American International Mailing, Inc. and TES Franchising, LLC had agreed to settle allegations that they falsely claimed in their websites’ privacy policies that they were currently certified under the Safe Harbor. Both companies agreed to twenty-year compliance programs that include mandatory employee acknowledgements, affirmative FTC notification obligations, recordkeeping requirements, and FTC reporting obligations. The FTC brought similar enforcement actions against fourteen companies last June.