Twelve U.S. businesses, including the peer-to-peer file sharing provider BitTorrent, last month settled charges brought against them by the Federal Trade Commission (“FTC”), according to which they falsely claimed they were abiding by an international privacy framework known as the U.S.-EU Safe Harbor. The Safe Harbor enables U.S. companies to transfer consumer data from the European Union to the United States in compliance with EU law. The U.S.-EU Safe Harbor framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. A participant in the U.S.-EU Safe Harbor framework may also highlight for consumers its compliance with the Safe Harbor by displaying the Safe Harbor certification mark on its website.
According to the complaints filed by the FTC, the companies deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework. Three of the companies also deceptively claimed certifications under the U.S.-Swiss Safe Harbor framework. The FTC complaints charge each company with representing, through statements in their privacy policies or display of the Safe Harbor certification mark, that they held current Safe Harbor certifications, even though the companies had allowed their certifications to lapse.
Under the settlement agreements (which are still subject to public comments) the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The list of the companies and further details on the case can be viewed here.