On Tuesday, January 21, the Federal Trade Commission (“FTC”) announced twelve proposed settlements with companies accused of falsely claiming that they complied with the US-EU Safe Harbor Framework. These companies range from three National Football League teams to a debt collection firm. They handle various types of consumer data, including sensitive health and employment data.
The FTC alleged in its complaints that the twelve companies deceptively claimed that they held current US-EU Safe Harbor and/or US-Swiss Safe Harbor certifications through statements in their privacy policies and/or by displaying the Safe Harbor certification mark on their websites, even though the companies had let their certifications lapse.
Both Frameworks are voluntary programs administrated by the US Department of Commerce, in consultation with the European Commission and Switzerland. The Frameworks allow US companies to transfer personal data from the European Union to the United States in compliance with EU law. To participate, companies must self-certify every year that they comply with the seven privacy principles required to meet the EU and Switzerland adequacy standards.
The FTC is under heavy pressure from the European Commission to crack down on US companies that falsely claim to be following the Safe Harbor principles. It pledged to investigate a long list of companies that the Galexia Consulting firm complained failed to live up to their safe harbor commitments. In a November 2013 report, the European Commission asserted that the safe harbor framework, while valuable, is not sufficiently protecting EU residents’ personal data. It issued a list of “recommendations” for reforming the Safe Harbor Framework. Among these was a plea to the FTC to “increase efforts to investigate false claims of Safe Harbour [sic] adherence.”
FTC Chairwoman Edith Ramirez made clear that FTC enforcement of the Framework is a “Commission priority” and that “[t]hese twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program.”
To double-check your company’s certification status, you may visit the Department of Commerce’s Safe Harbor website (http://export.gov/safeharbor), which lists all “current” members of the Framework.