The Federal Trade Commission (“FTC”) continued its recent, high-profile efforts to demonstrate vigilance in its enforcement of the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks with the announcement earlier this week that it had reached proposed settlements with 13 companies. The FTC alleged that the companies misled consumers by claiming they were certified members of the cross-border data transfer mechanisms when in reality they had never applied for membership in the programs or their certifications had lapsed.
Background on the Safe Harbor Frameworks
The U.S.-EU Safe Harbor Program permits U.S. companies to transfer personal data from the EU to the United States based on their declared compliance with seven privacy principles (found in the 1995 EU Data Protection Directive (95/46/EC)): notice, choice, onward transfer, security, data integrity, access and enforcement. Under the similar U.S.-Swiss program, companies attest that they will comply with Switzerland’s data protection law principles in their transfer of data to the United States. Self-certification with the principles must be resubmitted to the U.S. Department of Commerce on an annual basis.
Six companies allegedly violated the FTC Act by claiming certification in one or both Safe Harbor programs despite never having actually applied for membership: Dale Jerrett Racing Adventure, SteriMed Medical Waste Solutions, California Skate-Line, Just Bagels Mfg., Inc., One Industries Corp., and Inbox Group, LLC.
Seven others are alleged to have violated the FTC Act by falsely claiming to have a current certification in one or both Safe Harbor programs when their certifications had not been renewed: Golf Connect, LLC, Pinger, Inc., NAICS Association, LLC, Jubilant Clinsys, Inc., IOActive, Inc., Contract Logix, LLC, and Forensics Consulting Solutions, LLC.
The terms of the proposed settlement agreements – which are subject to public comment for 30 days – prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
The settlements impose no fines but contain reporting and compliance provisions, including the requirements that the companies (i) retain documents relating to their compliance with the orders for a five-year period, (ii) notify the FTC of any changes in corporate status and (iii) submit an initial compliance report to the FTC and submit additional reports if requested by the FTC. The orders will terminate after 20 years, with limited exceptions.
Increased Enforcement Efforts Follow EU Criticism
These 13 settlements are the latest in more than two dozen FTC cases alleging false claims regarding Safe Harbor compliance. This recent ramp up of enforcement follows a surge of criticism of the EU Safe Harbor and concerns about third-party access to data transferred to the United States, fueled in part by the 2013 PRISM scandal and Edward Snowden’s allegations regarding U.S. government surveillance. A European Commission (“EC”) investigation, published in November 2013, recommended that the Safe Harbor should be revised to improve transparency. Notably, the EC specifically recognized the “persisting problem of false claims of Safe Harbour adherence,” noting that the FTC “is competent to intervene in cases of deceptive trade practices and non-compliance of the Safe Harbour principles” and, more generally, recommended increased enforcement efforts by U.S. agencies.
Others in Europe have called for the outright elimination of the Safe Harbor mechanism, notwithstanding the fact that removal of the Safe Harbor likely would drive trans-Atlantic data transfers “underground” through more widespread use of less transparent “model contracts” and other bilateral arrangements.
For companies, the FTC’s increased focus makes it all the more imperative to ensure the accuracy of statements regarding participation in the Safe Harbor programs. Businesses should pay close attention to renewal deadlines and, provided they still satisfy the program requirements, renew their self-certifications annually as required.