Accused of deceptively claiming to abide by the U.S.-EU Safe Harbor privacy framework, 12 companies reached a deal with the Federal Trade Commission to halt future misrepresentations about their participation in privacy or data security programs.
The companies, ranging from the Atlanta Falcons to P2P network BitTorrent to aluminum foil maker Reynolds to accounting firm Baker Tilly Virchow Krause, told consumers they had current certifications under the Safe Harbor framework.
Launched in 2000, the Safe Harbor program is administered by the U.S. Department of Commerce in consultation with the European Commission and allows American companies to transfer data from the European Union to the United States without violating the EU’s data laws. To participate, companies must annually self-certify compliance with the seven principles in the EU’s standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. To demonstrate compliance, companies can place the Safe Harbor certification on a Web site.
According to the FTC’s complaints, certifications for all companies had lapsed. (Three of the companies also falsely claimed to be certified under the U.S.-Swiss Safe Harbor, the agency added.) Despite this, and in violation of Section 5 of the FTC Act, the 12 defendants held themselves out as currently certified by using statements in their privacy policies or displaying the certification mark.
The FTC noted that it was not alleging that any of the companies committed substantive violations of the Safe Harbor privacy principles and therefore made no monetary demands. Instead, the 12 companies pledged to refrain from misrepresenting their involvement in any privacy or data security program, whether government-sponsored or self-regulatory. The agreements are open for public comment until February 20.
Why it matters: “Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority,” FTC Chairwoman Edith Ramirez said in a press release about the settlements. “These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program.” At a minimum, the agency’s actions should serve as a reminder to companies that a Safe Harbor compliance audit must be conducted annually in order to maintain certification.