An online retailer recently agreed to be enjoined from making misrepresentations that it is in voluntary compliance with the U.S.-EU Safe Harbor Framework. The European Union Data Directive requires EU member countries to implement legislation that prohibits the transfer of personal data outside the EU except to countries that the EU has found to provide laws that are substantially equivalent to the EU’s privacy laws. The Safe Harbor was developed by the U.S. Department of Commerce and the EU because the EU believes United States data protection laws do not meet the EU standards. Personal data can be transferred outside the EU to U.S. companies that self-certify to the U.S. Department of Commerce that they comply with the Safe Harbor principles. In this case, the defendants represented that they self-certified to the U.S. Department of Commerce that they comply with the Safe Harbor when, in fact, the defendants never self-certified. The FTC’s consent judgment indicates that this representation is false and misleading and constitutes a deceptive act or practice in violation of Section 5 of the FTC Act.

TIP: A company that self-certifies to the Safe Harbor principles but fails to implement those principles may be subject to an FTC enforcement action under Section 5 of the FTC Act.