The FTC recently settled with two companies, American International Mailing and TES Franchising, over the companies' "not current" EU-US Safe Harbor self-certifications with the US Department of Commerce.

As we have reported in the past, the Safe Harbor program was created by the US and EU to address European restrictions on sending personal information to companies located in countries without “adequate” privacy protections. To ensure the free flow of information to the US, which has no overarching, generally applicable privacy law similar to that in Europe, US companies could participate in the Safe Harbor program by self-certifying their compliance with the program’s principles. Those principles mirror the fundamental tenets of the EU Data Privacy Directive.

This is one of a few options open to US companies for the transfer of personal data from Europe to the US. Should they choose to use it, companies register their self-certification with the US Department of Commerce. The FTC began enforcing lapsed self-certification representations last year, and these two new cases continue that trend. Both American International and TES mentioned their adherence to Safe Harbor in their privacy policies, but both were listed as “not current” with the Department of Commerce. The FTC found that the representations were misleading and, in the case of American International Mailing, had been going on since 2010 (the representation had been made in the company’s privacy policy since that time; however, its self-certification lapsed in that year). The FTC did not look at whether or not the companies were, in fact, adhering to the Safe Harbor Principles.

In the settlements, both companies agreed, inter alia, not to misrepresent that they were participating in a privacy program endorsed by the government or a standard-setting body if in fact they were not.

TIP: The Safe Harbor Program has been around for some time, and many companies may have self-certified with the US Department of Commerce. This case is a reminder to check your company’s status (which can be done here) and ensure that there are no references to Safe Harbor Program participation in your privacy policy if your company status is not current.