Recently announced FTC actions signal renewed focus and enhanced enforcement by the FTC against companies that have pledged to adhere to Safe Harbor obligations. Some see this as a response by the FTC to EU pressure arising from the NSA disclosures and attempts to eliminate or re-align the Safe Harbor framework. Regardless, a new era of attention to Safe Harbor compliance is now upon us.
The Denver Broncos, the Atlanta Falcons, an accounting firm, and one of the largest internet service providers (along with 8 other companies) all settled FTC claims that they had failed to comply with the privacy framework known as the U.S.-EU Safe Harbor. The U.S.-EU and Swiss Safe Harbors are self-certification programs that enable U.S. companies to transfer consumer and other personal data from the European Union (and Switzerland) to the United States in a manner that adheres to the stricter EU (and Swiss) data protection laws.
If companies elect to self-certify and use the Safe Harbor, they should only do so with a complete understanding of the requirements, and should undertake the required internal due diligence and precautions. They should also be sure to keep their certifications current and accurate if they continue to state on their websites that they are Safe Harbor compliant.
Each party entered into a similar Consent Agreement/Order under which the company agreed not to misrepresent its compliance with any government, self-regulatory, or standard-setting organization's privacy or security program, as well as to the usual FTC “housekeeping” enforcement requirements, including: (i) maintaining all advertising and other materials related to compliance with the Consent Agreement for five (5) years; (ii) providing a copy of the Consent Agreement to all employees, officers, etc. having responsibility for compliance and obtaining a signed acknowledgement of receipt; (iii) notifying the FTC within 14-30 days of any change (sale, bankruptcy, assignment, etc.) that may affect compliance; (iv) submitting a written report of compliance within 60-90 days of the Consent Agreement and thereafter within 10 days of the FTC’s request; and (v) complying with all of the foregoing for a period of 20 years (unless a shorter period was designated).
While none of the companies had to pay a monetary fine, they are now subject to potentially twenty years of oversight by the FTC (plus the time and expense of responding to and defending the initial FTC claims), and, of course, they are subject to potential civil penalties if they violate the order.