Noting that “enforcement of the US-EU Safe Harbor Framework is a Commission priority,” the Federal Trade Commission (FTC) announced on January 21 that it had entered settlement agreements with 12 US businesses over charges that they falsely claimed they were abiding by the international privacy framework, when in fact they had allowed certifications under the program to lapse.
The US-EU Safe Harbor Framework is a voluntary program administered by the US government in consultation with the European Commission that helps reduce barriers to the transfer of personal data between the US and the European Union. It was implemented after the EU adopted strict new privacy standards that threatened to hamper trans-Atlantic transactions for many US organizations. In order to take advantage of the Safe Harbor, companies must self-certify annually to the Department of Commerce that they comply with seven privacy principles required under EU law, specifically: notice, choice, onward transfer, security, data integrity, access, and enforcement. Once certified, companies are permitted to advertise to consumers that they comply with the Safe Harbor Framework, lending an official “seal of approval” to their data practices.
The FTC alleged that the companies involved in the Safe Harbor settlement agreements violated Section 5 of the FTC Act by deceptively claiming — either in privacy policies or by advertising their certification on their websites — that their self-certifications were current when in fact they had been allowed to lapse.
The settlement agreements prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The settlement agreements are a reminder to companies that participate in the Framework that they need to keep their certifications and their privacy policies up-to-date. More generally, they are also a reflection of the FTC’s continued attention to the field of data privacy.