Earlier this month, the FTC announced that it had reached settlements with six US companies over allegations that the businesses misrepresented their participation in, and certifications under, the Safe Harbor Framework, a voluntary program under the aegis of the Department of Commerce and in conjunction with the European Commission. According to the FTC, the companies (World Innovators, Inc., ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC) represented to customers that their certifications under the Safe Harbor program were current, even though those certifications had been allowed to lapse. In each case, the accused company had, after a number of years of annually recertifying its compliance with Safe Harbor, allowed its status to lapse while still publicly representing on its website that it remained a participant in the Safe Harbor program.
The US-EU Safe Harbor Framework allows US businesses under the jurisdiction of the FTC and the Department of Transportation to receive personal data from entities located in the EU member nations subject to strict safeguards consistent with the EU Data Protection Directive (Directive) adopted in 1995. The Directive, as implemented by the 27 individual EU member nations through their respective legislative bodies, comprehensively regulates the security, integrity, and privacy of all “personal data.” The Directive specifically prohibits the transfer of personal data to nonmember nations that fail to provide data security and privacy measures deemed “adequate” by the European Commission (EC), and allows the EC to block transfers of personal data to countries whose data privacy enforcement and regulatory regimes are not “adequate.” Following adoption of the Directive, the European Commission determined that US data privacy and security measures were not “adequate” and, therefore, that special protections would be required for any transfers of personal data from the EU to the United States. One such form of special protection is the “Safe Harbor Framework” agreed to by the EU with the United States, which allows US entities that commit to the Directive’s basic privacy protection obligations to receive personal data from EU member nations without undertaking special contractual obligations.
The FTC’s recent action to enforce its deception authority under Section 5 of the FTC Act against the companies named in the World Innovators et al. complaints may have a chilling effect on US businesses’ election of the Safe Harbor as a method of compliance with the Directive. Since Safe Harbor certification is not the only way to obtain personal data from EU member nations for commercial purposes, companies seeking to limit potential liability or enforcement action by the FTC may wish to consider alternative methods for complying with the Directive.
At a minimum, companies that have already committed to the Safe Harbor should be careful to confirm that their certifications are current (i.e., recertified annually). The FTC’s recent enforcement interest in this area more generally serves as a cautionary tale against allowing stale and/or misleading information to remain (and be republished) on company websites.