Claiming Safe Harbor on Your Website? Recent FTC Enforcements Provide Some Lessons About Certification Lapses

The Federal Trade Commission (“FTC”) announced on Monday two more Safe Harbor-related settlements with two companies for misrepresenting their participation in the U.S.-EU Safe Harbor framework, which is subject to the FTC’s deception authority under Section 5 of the FTC Act. The U.S.-EU Safe Harbor framework is a method whereby U.S. companies can comply with EU data protection requirements for the transfer of consumer data from the European Union to the United States. To obtain Safe Harbor status, companies must file a self-certification annually with the U.S. Department of Commerce agreeing to comply with seven Privacy Principles, including notice, choice, onward transfer, access, security, data integrity and enforcement. The organization must likewise declare in its published privacy policy statement that it adheres to the Safe Harbor Privacy Principles.

The companies involved – TES Franchising, LLC (“TES”) and American International Mailing, Inc. (“AIM”) -- claimed in privacy policies and statements on their company webpages that they were current U.S.-EU Safe Harbor framework participants. However, TES and AIM had not renewed their self-certification since March 2013 and May 2010, respectively. TES also misrepresented its participation in the U.S.-Swiss Safe Harbor framework. Identical to the U.S.-EU Safe Harbor framework, the U.S.-Swiss Safe Harbor framework permits U.S. companies to comply with requirements for the transfer of consumer data from Switzerland to the United States under the Swiss Federal Act on Data Protection. TES represented on its company webpage that it was current with this framework even though it had not self-certified since March 2013.

The settlement with TES also touched on the importance of making truthful representations about the mechanism available for dispute resolutions under Safe Harbor frameworks. According to the TES Safe Harbor certification, European data protection authorities were the authorized mechanism to resolve Safe Harbor-related disputes. These authorities performed this function at no cost to the consumer and without an in-person hearing. The FTC alleged that TES made false and misleading statements when it represented to its customers that Safe Harbor-related disputes would be resolved in Connecticut with the costs of arbitration equally divided amongst the parties.

With these two settlements, the FTC has now brought 26 enforcement actions regarding Safe Harbor compliance. The lesson for companies here is to (1) if participating, timely re-certify Safe Harbor each year to the U.S. Department of Commerce; and (2) before filing such recertification, confirm the accuracy and consistency of privacy policies and publicly facing statements to ensure that Safe Harbor claims are truthful and supported by the facts.