FTC proposes twenty-year compliance programs for two companies that have settled charges that they falsely claimed to be currently compliant with the US-EU Safe Harbor Framework.
The Safe Harbor was originally negotiated between the European Commission and Department of Commerce and went into effect in 2000. As we previously noted, the US Government has taken a number of actions in the last year to bolster and demonstrate its commitment to the Safe Harbor. The Safe Harbor allows US companies to lawfully transfer personal data on EU consumers outside of Europe in a manner that is consistent with the requirements of the European Union Directive on Data Protection. The Safe Harbor is important to US-based companies because, otherwise, EU privacy law would significantly limit when personal data on EU residents could be transferred and stored in the US.
A key requirement for companies that have self-certified is that they must annually reaffirm their commitment to the Safe Harbor in a filing with the Department of Commerce. The Department of Commerce’s website states that the required filing must reaffirm that:
- The information previously submitted to the Department of Commerce for purposes of self-certification is still correct and accurate;
- The officer is authorized to certify the organization's continued adherence to the safe harbor framework;
- The officer understands that misrepresentations in any information provided by the organization may be actionable under the False Statements Act, 18 USC Section 1001; and
- As a consequence of the annual self-certification, failure to adhere to the Safe Harbor framework may lead to enforcement action by the relevant enforcement authority.
On April 7, 2015, the FTC announced that American International Mailing, Inc. and TES Franchising, LLC had agreed to settle allegations that they falsely claimed in their websites’ privacy policies that they were currently certified under the Safe Harbor. Both companies agreed to twenty-year compliance programs that include mandatory employee acknowledgements, affirmative FTC notification obligations, recordkeeping requirements, and FTC reporting obligations. The FTC brought similar enforcement actions against fourteen companies last June.
Christopher Avery is a privacy and data security attorney in Davis Wright’s New York City office. He advises clients on U.S. and international privacy laws and regulations pertaining to consumer privacy, employee privacy, data security, and cybersecurity. Christopher regularly counsels companies on how to prepare for, respond to and recover from cybersecurity events.