FTC proposes twenty-year compliance programs for two companies that have settled charges that they misrepresented their current compliance with the US-EU Safe Harbor Framework.

Safe Harbor

Does your company rely on the US-EU Safe Harbor Framework in order to transfer personal data about EU residents outside of Europe? If so, you probably have a statement like the following in your website’s privacy policy: “We comply with the US-EU Safe Harbor Framework and have certified our adherence to the Safe Harbor Privacy Principles.” If this statement is not accurate because your Safe Harbor status has lapsed, the Federal Trade Commission may bring an action against your company alleging that your privacy policy is false and misleading in violation of Section 5 of the FTC Act. The FTC has brought twenty-six enforcement actions related to the Safe Harbor to date.

The Safe Harbor was originally negotiated between the European Commission and the US Department of Commerce and went into effect in 2000. As we previously noted, the US Government has taken a number of actions in the last year to bolster and demonstrate its commitment to the Safe Harbor. The Safe Harbor allows US companies to lawfully transfer personal data on EU residents outside of Europe in a manner that is consistent with the requirements of the European Union Directive on Data Protection. The Safe Harbor is important to US-based companies because, otherwise, EU privacy law would significantly limit when personal data on EU residents could be transferred to and stored in the US.

A key requirement for companies that have self-certified is that they must annually reaffirm their commitment to the Safe Harbor in a filing with the Department of Commerce. The Department of Commerce’s website states that the required filing must reaffirm that:

  1. The information previously submitted to the Department of Commerce for purposes of self-certification is still correct and accurate;
  2. The officer is authorized to certify the organization's continued adherence to the safe harbor framework;
  3. The officer understands that misrepresentations in any information provided by the organization may be actionable under the False Statements Act, 18 USC Section 1001; and
  4. As a consequence of the annual self-certification, failure to adhere to the Safe Harbor framework may lead to enforcement action by the relevant enforcement authority.

If your company fails to make this required reaffirmation, the Department of Commerce’s list of Safe Harbor companies is updated to reflect that your company’s certification is “not current.” Continuing to state in your website’s privacy policy that you comply with the Safe Harbor when you have not completed the annual reaffirmation is misleading, and it is exactly the kind of statement the FTC has been pursuing.

On April 7, 2015, the FTC announced that American International Mailing, Inc. and TES Franchising, LLC had agreed to settle allegations that they falsely claimed in their websites’ privacy policies that they were currently certified under the Safe Harbor. Both companies agreed to twenty-year compliance programs that include mandatory employee acknowledgements, affirmative FTC notification obligations, recordkeeping requirements, and FTC reporting obligations. The FTC brought similar enforcement actions against fourteen companies last June.

Bottom line

Check your website’s privacy policy to make sure that it does not contain any inaccurate representations about the US-EU Safe Harbor Framework and, if your company is self-certified, make sure to file your annual reaffirmation with the Department of Commerce to keep your Safe Harbor certification current.

Christopher Avery is a privacy and data security attorney in Davis Wright’s New York City office. He advises clients on U.S. and international privacy laws and regulations pertaining to consumer privacy, employee privacy, data security, and cybersecurity. Christopher regularly counsels companies on how to prepare for, respond to and recover from cybersecurity events.