On January 21, 2014, the US Federal Trade Commission (FTC) announced that it had reached settlements with 12 companies regarding false claims that they were abiding by the EU/US Safe Harbor framework for the transfer of personal information from the European Union and Switzerland to the US. Each of the companies had represented publicly that they held current Safe Harbor certifications, but the companies had allowed their certifications to expire. In no instance, however, did the FTC allege that the companies had substantively violated the Safe Harbor Privacy Principles that are at the heart of the framework.
The settlements set forth continuing reporting obligations for each company regarding its compliance efforts with the Safe Harbor Framework, as well as obligations to inform current and future employees regarding its Safe Harbor obligations. These obligations are effective for 20 years. No monetary penalties are assessed. The FTC’s notice announcing the settlements is available to read online. The settlements are not final pending a public comment period.
A few thoughts regarding the settlements. First, the settlements should be seen – and certainly are intended – as a further demonstration by the US government of its commitment to enforce the Safe Harbor Framework in the face of significant criticism from Europe as to the efficacy of the program, including the European Commission’s (EC) November 2013 set of 13 recommendations to revise Safe Harbor. (The timing of the FTC’s release may have been, in part, to inform meetings this month in Brussels between the US Department of Commerce and the EC on the framework.)
Second, the 12 companies are not small, fly-by-night organizations, but include well-known and respected businesses, such as one of the world’s largest ISPs, a P2P file sharing protocol provider, a developer of business apps and security, and a platform provider for encrypted email and secure file transport. Other companies include an accounting firm, a consumer products company, a medical research lab and three professional football teams.
Third, while the FTC is making efforts to publicize the success of its enforcement efforts, it notes that its investigation resulted from complaints filed with the agency, including from a consulting firm in the data privacy space that has been a very vocal critic of the Safe Harbor Framework and the FTC’s enforcement efforts. Absent the complaints, it is unknown if the FTC would have otherwise initiated the investigations.
Finally, it is imperative that companies keep their self-certifications current. If they do not, any representations to the contrary could be considered a false representation under the FTC Act and subject to enforcement. It is easy to check on status. The publicly available list of self-certified companies from the US Department of Commerce’s website provides the current status and renewal dates of each participating entity.