The Federal Trade Commission (“FTC”) has recently stepped up its scrutiny of company privacy policies that claim U.S.-EU Safe Harbor certification. Where a company making such a claim is not currently certified, whether because the certification was mistakenly allowed to lapse or for some other reason, the FTC is issuing draft complaints alleging deceptive acts or practices and demanding that the company enter into a consent decree.
The FTC has sent numerous companies a “proposed” consent decree that imposes a number of potentially onerous obligations relating to future compliance and the filing of reports with the FTC, including a provision that runs for 20 years. To avoid the legal fees and hassle of an FTC action, it would be prudent to check the status of your company’s Safe Harbor certification immediately and to ensure that any claims made about it on your website are consistent with that status.
U.S.-EU Safe Harbor Framework
The U.S.-EU Safe Harbor Framework provides a method for companies in the United States to receive personal data transferred from the EU in a manner consistent with the EU Data Protection Directive, addressing European privacy concerns. To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with the Safe Harbor Principles.
The Safe Harbor Framework has seven principles for compliance:
- notice to individuals about the collection and use of their information
- choice for individuals
- onward transfer of user information to a third party only if the third party meets certain standards
- user access to their information
- security for user information
- data integrity
- enforcement of these standards via an appropriate recourse mechanism
What To Do
If there is any doubt about the company’s status, the company should immediately remove all references to the U.S.-EU Safe Harbor from its privacy policy and website until it is fully compliant and its certification is current.