On October 6, 2009, the FTC announced that it had obtained consent orders against six companies for deceptively claiming that they were abiding by the requirements of the US-EU Safe Harbor program. This announcement closely follows the August 2009 complaint by the FTC against Balls of Kryptonite, LLC for, among other things, falsely claiming to be a current participant in the Safe Harbor program. While these actions by the FTC do not represent substantive enforcement within the Safe Harbor program, they do signify that companies need to be even more vigilant about the content of their privacy policies and marketing assertions.
The Safe Harbor program is a mechanism by which a company may self-certify that it adheres to a series of privacy principles negotiated by the U.S. Department of Commerce and the European Commission. It is one of the easier ways in which a company with personal information originating in Europe may transfer that data to the United States. The European Union has criticized the United States for a lack of visible enforcement within the Safe Harbor program. The FTC has actively pursued companies for allegedly deceiving consumers by asserting privacy protections that were apparently not fulfilled. These “deceptiveness” actions are distinguished from the “unfairness” actions the FTC has leveled against companies for not adequately securing personal information. The use of the deceptiveness claims in the context of the Safe Harbor program is a novel way for the FTC to assuage European concerns while leveraging existing enforcement authority.
Each of the six firms that have entered into consent agreements with the FTC reportedly had been a Safe Harbor program participant in good standing at one time. However, at varying points, each firm allowed its certification to lapse while retaining the assertion of current certification in privacy policies and other materials. The issue that resulted in the FTC's deceptiveness complaints could therefore have been prevented either by completing the annual renewal of the certification or by updating policies and other documentation to reflect the change in status. By presenting themselves as current Safe Harbor program participants when they in fact were not, the firms left themselves open to prosecution by the FTC.
While the impetus for the FTC's investigations and subsequent complaints is unclear, a report published in 2008 by Galexia, an Australian consulting outfit, identified more than 200 organizations that apparently claimed to have self-certified but, in fact, were not current members of the Safe Harbor program. The simple message for companies to consider is that if you allow your certification to lapse (which is perfectly legal), you will need to update any policies or materials so that there are no longer any representations about Safe Harbor program participation.