The Federal Trade Commission (FTC) recently announced settlements with 12 U.S. companies over allegations that the companies falsely claimed they held current certifications for the U.S.-EU Safe Harbor Privacy Framework.
The FTC also alleged that three of these companies falsely claimed they held current certifications for the U.S.-Swiss Safe Harbor Privacy Framework. The companies involved represent a wide range of industries, including professional sports teams, an accounting firm, and IT service providers.
The Safe Harbor Privacy Frameworks are voluntary self-certification programs developed by the U.S., EU, and Switzerland to reconcile the different approaches to privacy in those areas. The frameworks provide a method for U.S. organizations to comply with the EU’s Directive on Data Protection and the Swiss Federal Act on Data Protection when transferring personal information from the EU and Switzerland to another country. In order to hold a current certification, a company must certify on an annual basis that it complies with the seven Safe Harbor Privacy Principles: notice, choice, onward transfer, access, security, data integrity, and enforcement. The FTC enforces compliance with the frameworks in two ways: 1) by enforcing statements made by organizations regarding the status of their certification and 2) by enforcing the promises made by organizations in order to obtain certification.
The FTC alleged that the companies published statements, privacy policies, and Safe Harbor certification symbols on their websites that stated or implied that the companies held current certifications. The FTC alleged that these statements were deceptive under Section 5 of the FTC Act because although the companies represented that they held current Safe Harbor certifications, in reality they had not self-certified for a period of time and did not hold current certifications.
Settlement
In their settlement agreements with the FTC, the companies agreed to refrain from misrepresenting the extent to which they are a member of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The agreements, which also include reporting requirements, are effective for 20 years from the date of issuance.
Implications
The investigations and settlements are significant because they demonstrate what appears to be a renewed FTC focus on enforcing the Safe Harbor Frameworks in the face of recent criticism from the European Commission. Partly in response to recent law enforcement access to personal information, the European Commission published a set of recommendations regarding the U.S.-EU Safe Harbor Framework and questioned the enforcement of the framework by U.S. authorities. The FTC defended past enforcement of the frameworks by U.S. authorities, but the recent settlements demonstrate an additional focus on the area.
Businesses that include statements regarding Safe Harbor certification in their privacy policies or websites should ensure that they have met the certification requirements and establish a process for ensuring that their certification remains up-to-date. Reviewing an organization’s Safe Harbor certification statements also presents a prime opportunity to ensure that any other public privacy or data security representations are clear, reflect current practices, and comply with newly enacted privacy policy requirements that went into effect earlier this year.
See the WSGR piece here.