The Federal Trade Commission’s (FTC’s) enforcement actions for claims of compliance with Safe Harbor privacy frameworks by U.S. companies have increased significantly over the past few months. In the first two months of 2014 alone, the FTC announced settlements with 13 U.S. companies over allegations that the companies falsely claimed they held current certifications under the U.S.-EU Safe Harbor Privacy Framework.[1] The FTC’s focus has not been limited to the EU framework, as three of the settlements include claims that the companies falsely represented holding current certifications under the U.S.-Swiss Safe Harbor Privacy Framework.

Background

The Safe Harbor privacy frameworks are voluntary self-certification programs developed by the U.S., EU, and Switzerland to reconcile the different approaches to privacy in those areas. The frameworks provide a method for U.S. organizations to comply with the EU’s Directive on Data Protection and the Swiss Federal Act on Data Protection when transferring personal information from the EU and Switzerland to another country. In order to hold a current certification, a company must certify on an annual basis that it complies with the seven Safe Harbor Privacy Principles: notice, choice, onward transfer, access, security, data integrity, and enforcement. The FTC enforces compliance with the frameworks in two ways. First, the FTC enforces statements made by organizations regarding the status of their certification, which have been the focus of the recent enforcement actions. Second, the FTC enforces the promises made by organizations in order to obtain certification, which have resulted in significant settlements in prior years, most recently with Myspace in 2012.[2]

The FTC alleged that the companies published statements, privacy policies, and Safe Harbor certification symbols on their websites that stated or implied that the companies held current certifications. The FTC alleged that these statements were deceptive under Section 5 of the FTC Act because although the companies represented that they held current Safe Harbor certifications, in reality they had not self-certified for a period of time and did not hold current certifications at the time of the representations. The companies involved represent a wide range of industries, including professional sports teams, an accounting firm, IT service providers, and a children’s online entertainment company.

Settlements

In their settlement agreements with the FTC, the companies agreed to refrain from misrepresenting the extent to which they are a member of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.[3] The agreements, which also include reporting requirements, are effective for 20 years from the date of issuance.

Implications

The investigations and settlements are significant, as they demonstrate what appears to be a renewed focus by the FTC on enforcing the Safe Harbor frameworks in the face of criticism from the European Commission.[4] Partially in response to reports of law enforcement access to personal information, on November 27, 2013, the European Commission published a set of recommendations regarding the U.S.-EU Safe Harbor Framework and questioned the enforcement of the framework by U.S. authorities. The FTC defended past enforcement of the frameworks by U.S. authorities, but the recent settlements demonstrate an additional focus on the area, especially statements of certification under the frameworks.

Businesses that include statements regarding Safe Harbor certification in their privacy policies or websites should ensure that they have met the certification requirements, including compliance with the seven Safe Harbor Privacy Principles, and establish a process for ensuring that their certification remains up to date. Reviewing an organization’s Safe Harbor certification statements also presents a prime opportunity to ensure that any other public privacy or data security representations are clear, reflect current practices, and comply with applicable state and federal privacy policy requirements.

[1] http://www.ftc.gov/news-events/press-releases/2014/01/ftc-settles-twelve-companies-falsely-claiming-comply; http://www.ftc.gov/news-events/press-releases/2014/02/ftc-settles-childrens-gaming-company-falsely-claiming-comply.

[2] Agreement Containing Consent Order, In the Matter of Myspace LLC, No. 102 3058, http://www.ftc.gov/sites/default/files/documents/cases/2012/05/120508myspaceorder.pdf.

[3] See, e.g., Agreement Containing Consent Order, In the Matter of DataMotion, Inc., No. 142 3023, http://www.ftc.gov/sites/default/files/documents/cases/140121datamotionagreement.pdf; Agreement Containing Consent Order, In the Matter of Fantage.com, Inc., No. 142 3026, http://www.ftc.gov/system/files/documents/cases/140107fantageagree.pdf.

[4] See Stephen Gardner, “U.S. Officials Respond to EU Concerns over Safe Harbor Data Transfer Program,” Bloomberg BNA (December 16, 2013), http://www.bna.com/us-officials-respond-n17179880742/.