Recent enforcement activity by the Federal Trade Commission (FTC) should serve as an alarm to all current and potential participants of the European Union (EU)-U.S. and U.S.-Swiss Safe Harbor mechanisms to ensure that their Safe Harbor certifications are up-to-date and that they are complying with the substantive requirements of the data transfer mechanisms.  Twelve U.S. companies faced FTC charges that they falsely claimed they were in compliance with the Safe Harbor even though their voluntary certifications had lapsed.  On January 21, 2014, the FTC announced proposed settlements with each of the 12 companies.

The Safe Harbor allows eligible U.S. companies to receive personal data from Europe if they agree to treat EU personal data in accordance with seven Safe Harbor Principles, which approximate the requirements of EU data privacy laws.  To join the U.S.-EU Safe Harbor, companies must self-certify to the U.S. Department of Commerce (DOC) that they comply with the Safe Harbor principles.  The U.S.-Swiss Safe Harbor requires similar certifications that companies will comply with Swiss data protection laws before receiving or transferring Swiss data.  Both programs require an annual recertification that can be achieved by reaffirming the existing self-certification.

Lapsed Certifications

Notably, the FTC’s complaints against the 12 companies do not allege any substantive violations of  the Safe Harbor’s privacy principles. Instead, the FTC claims only that the companies deceptively claimed, either through statements in their privacy policies or by displaying the Safe Harbor certification mark on their websites, that they held current certifications under the Safe Harbor framework, even though they had allowed their certifications to lapse.  Put differently, these cases involved companies that joined the Safe Harbor but then failed to file the required annual certification.  There is no indication that the FTC examined these companies’ compliance with the Safe Harbor privacy requirements beyond the formality of annual filings.

False claims of Safe Harbor participation previously have been a focus of FTC enforcement activity and the subject of seven prior enforcement actions.  The FTC explains that “[a] company under the FTC’s jurisdiction that claims it has self-certified to the Safe Harbor principles, but failed to self-certify to Commerce, may be subject to an enforcement action based on the FTC’s deception authority under Section 5 of the FTC Act.”  If a company’s privacy policy promises Safe Harbor protections, that company could run afoul of the FTC’s enforcement authority if it does not keep up its annual certifications at the DOC. 

Under the proposed no-fault settlements, all 12 companies are prohibited from misrepresenting the extent to which they participate in any privacy or security program, including the U.S.-EU and U.S.-Swiss Safe Harbor frameworks.  The companies also must maintain and, upon request, make available to the FTC all documents relating to compliance with the settlement agreements for a period of five years.  A violation of the agreements—which terminate 20 years from the date of their issuance—could result in a civil penalty.

EU Pressure

The FTC’s recent enforcement activity likely is a response to increasing pressure from Europe to show that the Safe Harbor can be an effective data protection mechanism.  Top EU officials are challenging the viability of the U.S.-EU Safe Harbor program—egged on, perhaps, due to concerns about U.S. surveillance activities outside the scope of the Safe Harbor—and are criticizing a perceived lack of FTC enforcement.  On November 27, 2013, the European Commission released 13 recommendations to improve the functioning of the Safe Harbor in an effort to restore trust in data flows between the U.S. and the EU, including a request that the FTC increase efforts to investigate false claims of Safe Harbor compliance.  More recently, the Civil Liberties, Justice and Home Affairs Committee (LIBE) of the European Parliament released a Draft Report on mass surveillance that called for the immediate suspension of U.S.-EU data flows.

FTC Chairwoman Edith Ramirez, in turn, has made clear that “[e]nforcement of the U.S.-EU Safe Harbor framework is a Commission priority.”  Given the current attention on the Safe Harbor, companies should expect that the FTC may investigate substantive violations. To avoid potential FTC enforcement liability, companies should confirm the status of their Safe Harbor certifications and assess their compliance with the Safe Harbor principles.  The Safe Harbor remains a viable framework for transferring EU personal information to the United States that holds many advantages for eligible U.S. companies, but participants in the program must expect a greater level of scrutiny.