FTC Pursuing Incorrect U.S.-EU Safe Harbor Certifications in Privacy Policies

The Federal Trade Commission (“FTC”) has recently increased its examination of company privacy policies that claim to be U.S.-EU Safe Harbor certified.  For those companies that are not currently certified, whether by mistakenly letting the certification lapse or other cause, the FTC is issuing draft complaints alleging deceptive acts or practices and demanding companies enter into a consent decree.

The FTC has sent numerous companies a “proposed” consent decree, which imposes a number of potentially onerous burdens on companies relating to future compliance and filing reports with the FTC, including a provision that spans a 20-year period.  To avoid the legal fees and hassle of an FTC action, it would be prudent to check immediately the status of your company’s safe harbor certification and ensure that any claims made in that regard on your website are consistent. 

U.S.-EU Safe Harbor Framework

The U.S.-EU Safe Harbor Framework provides a method for companies in the United States to transfer personal data outside the EU in a manner that is consistent with the EU Data Protection Directive, to address European privacy concerns.  For a company to join the Safe Harbor, it must self-certify to the U.S. Department of Commerce that it complies with EU standards.

The Safe Harbor Framework has seven principles for compliance: 

• notice
• choice for individuals
• onward transfer of user information to a third-party agent only if the third party meets certain standards
• user access to their information
• security for user information
• data integrity and
• enforcement of these standards via an appropriate recourse mechanism. 

What To Do

To avoid becoming the target of FTC action, companies should immediately check their privacy policy to determine whether it states the company is U.S.-EU Safe Harbor certified.  If the policy makes this representation, the company should verify whether: (i) it is in fact registered with the Department of Commerce; (ii) its registration is current (companies must re-register annually); and (iii) its privacy policy meets all of the requirements of the U.S.-EU Safe Harbor Framework.

If there is any doubt, the company should immediately remove all reference to the U.S.-EU Safe Harbor until the company becomes fully compliant and is certified.