Recently announced FTC actions are a signal of renewed focus and enhanced enforcement by the FTC on companies which have pledged to adhere to Safe Harbor obligations. Some see this as a response by the FTC to EU pressures arising from the NSA disclosures and attempts to eliminate or re-align the Safe Harbor framework. Regardless, a new era of attention to Safe Harbor compliance is now upon us.

The Denver Broncos, the Atlanta Falcons, an accounting firm, and one of the largest internet service providers (along with 8 other companies) all settled FTC claims of lack of compliance with the privacy framework known as the U.S.-EU Safe Harbor. The U.S.-EU and Swiss Safe Harbors are self-certification programs that enable U.S. companies to transfer consumer and other personal data from the European Union (and Switzerland) to the United States while adhering to the stricter EU (and Swiss) data protection laws.

In order to participate in the Safe Harbor program, a company initially must self-certify with the U.S. Department of Commerce that it complies with each of the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access and enforcement. This requires a detailed privacy policy with particular elements, different from regular web privacy policies. Once certified, the company must renew its certification on an annual basis by continuing to self-certify that it complies.

If companies elect to self-certify and use the Safe Harbor, they should only do so with a complete understanding of the requirements, and should undertake the required internal due diligence and precautions. They should also be sure to maintain their certifications accurately for as long as they continue to indicate on their website that they are Safe Harbor compliant.

In each of the cases filed by the FTC, the company first self-certified, but then allegedly let the certification lapse, some on the first anniversary and others after several years, but each company continued to indicate in its posted privacy policy that it was compliant with the Safe Harbor.

As a result, the FTC filed claims against each company alleging “deceptive acts or practices” in violation of Section 5 of the FTC Act. This is the latest in a line of enforcement actions by the FTC alleging that a privacy policy that does not accurately reflect actual practices is a deceptive act that violates Section 5. (See, e.g., Edwards Wildman Client Advisory – FTC Announces $800,000 Settlement with Mobile Social Networking App Developer and Mobile Privacy Guidance, February 2013).

Each party entered into similar Consent Agreements/Orders pursuant to which each company has agreed not to misrepresent its compliance with any government, self-regulatory, or standard-setting organization's privacy or security program, as well as the usual FTC “housekeeping” enforcement requirements, including: (i) maintaining all advertising and other materials related to compliance with the Consent Agreement for five (5) years; (ii) providing a copy of the Consent Agreement to all employees, officers, etc. having responsibility for compliance and obtaining a signed acknowledgement of receipt; (iii) notifying the FTC within 14-30 days of any change (sale, bankruptcy, assignment, etc.) that may affect compliance; (iv) submitting a written report of compliance within 60-90 days of the Consent Agreement and thereafter within 10 days of the FTC’s request; and (v) complying with all the foregoing for a period of 20 years (unless a shorter period was designated).

While none of the companies had to pay a monetary fine, they are now subject to potentially twenty years of oversight by the FTC (plus the time and expense of responding to and defending the initial FTC claims), and, of course, they are subject to potential civil penalties if they violate the order.

The FTC’s announcement and links to the complaints and orders can be found here.