Federal Trade Commission settles with US companies falsely claiming certification with the international Safe Harbour Privacy framework.

January 22, 2014 |

The FTC has issued a press release announcing settlement with 12 companies who were caught falsely claiming compliance with the US – EU Safe Harbor Framework.  The nub of the problem was the companies claimed they held current certification where they had not.  Some of the companies are quite well known, including Bit Torrent Inc and the Atlanta Falcons, an NFL franchise.

The Safe Harbor Framework is a flawed structure but it is as good as it gets at the moment in having some companies comply with what the EU regardas as adequate standards on 7 core privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.  It is therefore important for the Department of Commerce to ensure there is integrity in the certification process, particularly with companies claiming to compliance.  And when there is non compliance the FTC steps in and prosecutes on the basis of deceptive representations.

The press release is found here.  It provides:

Twelve U.S. businesses have agreed to settle Federal Trade Commission charges that they falsely claimed they were abiding by an international privacy framework known as the U.S.-EU Safe Harbor that enables U.S. companies to transfer consumer data from the European Union to the United States in compliance with EU law.

The companies settling with the FTC represent a cross-section of industries, including retail, professional sports, laboratory science, data broker, debt collection, and information security. The companies handle a variety of consumer information, including in some instances sensitive data about health and employment. The twelve companies are:

“Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program,” said FTC Chairwoman Edith Ramirez.

According to the twelve complaints filed by the FTC, the companies deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework and, in three of the complaints, also deceptively claimed certifications under the U.S.-Swiss Safe Harbor framework. The U.S.-EU and U.S.-Swiss Safe Harbor frameworks are voluntary programs administered by the U.S. Department of Commerce in consultation with the European Commission and Switzerland, respectively.  To participate, a company must self-certify annually to the Department of Commerce that it complies with the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. A participant in the U.S.-EU Safe Harbor framework may also highlight for consumers its compliance with the Safe Harbor by displaying the Safe Harbor certification mark on its website.

The FTC complaints charge each company with representing, through statements in their privacy policies or display of the Safe Harbor certification mark, that they held current Safe Harbor certifications, even though the companies had allowed their certifications to lapse. The Commission alleged that this conduct violated Section 5 of the FTC Act. However, this does not necessarily mean that the company committed any substantive violations of the privacy principles of the Safe Harbor frameworks.

Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.

Consumers who want to know whether a U.S. company is a participant in the U.S-EU or U.S.-Swiss Safe Harbor program may visit http://export.gov/safeharbor to see if the company holds a current self-certification.

These cases are being brought with the valuable assistance of the U.S. Department of Commerce. These companies were also the subject of complaints filed in 2013 by Chris Connolly and Galexia, Inc.

The Commission votes to accept the consent agreement packages containing the proposed consent orders for public comment were 4-0. The FTC will publish descriptions of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through Feb. 20, 2014, after which the Commission will decide whether to make the proposed consent orders final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted using the following Web links:

Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

Just in case the message was not heard loud and clear the FTC has blogged on the settlement and set out, in broad terms, how the certification process works.  The post by Lesley Fair is found here and provides:

Business may seem borderless these days, but it’s important that companies honor applicable legal principles.  That’s especially true when it comes to privacy.  The good news for U.S. businesses is that federal regulators and their EU and Swiss counterparts have international frameworks in place to honor EU privacy standards and streamline compliance responsibilities when transferring data from the European Union and Switzerland to the United States.  When companies participate, it’s a win-win for consumers and business.  But according to a dozen law enforcement settlements filed by the FTC, some household names claimed to hold current Safe Harbor certifications, but had allowed their certifications to lapse.

First, a few words about the frameworks.  They’re voluntary programs administered by the Department of Commerce in consultation with the European Commission and Switzerland. To participate, a company must self-certify annually to the Department of Commerce that it complies with the seven principles required to meet the EU’s adequacy standard:  notice, choice, onward transfer, security, data integrity, access, and enforcement.  A participating company can highlight its compliance with the program by displaying the Safe Harbor mark on its website, mentioning its certification in its privacy policy, or conveying that information to consumers in other ways.

How is the FTC involved?  On this side of the Atlantic, the program is run by the Department of Commerce, but what a company says about its participation is a claim, subject to the FTC Act’s ban on deceptive representations.  When companies say they’re participants – either through express or implied statements or through visuals like the Safe Harbor mark – but have let their certification lapse, that means their representation is false, in violation of the FTC Act.  And that’s what the FTC says happened in these cases.

The businesses reflect a cross-section of the economy and handle a broad range of sensitive information about employees, health, etc.  Named in the settlements are:

  • Apperian – a company specializing in apps for business enterprises and security;
  • Atlanta Falcons Football Club – yes, those Atlanta Falcons
  • Baker Tilly Virchow Krause – an accounting firm
  • BitTorrent – a P2P file sharing protocol provider
  • Charles River Laboratories International – a company involved in pharmaceutical research
  • DataMotion – a platform provider for encrypted email and secure file transport
  • DDC Laboratories – the world’s largest paternity testing company
  • Level 3 Communications – one of the world’s largest ISPs
  • PDB Sports – you know them as the Denver Broncos
  • Reynolds Consumer Products – the foil people and makers of other consumer products
  • Receivable Management Service Corporation – a global provider of accounts receivable, third-party recovery, and other business services
  • Tennessee Football – more commonly known as the Tennessee Titans

Bear in mind that the FTC lawsuits focused only on the companies’ allegedly deceptive claims that they were current program participants.  This doesn’t necessarily mean the companies committed any substantive violations of the Safe Harbor framework’s privacy principles.  You can file comments about the the proposed settlements by the February 20, 2014, deadline.

The message for business?  If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must “re-up” every year.  The Department of Commerce has information for businesses interested in learning more about the Safe Harbor program.  Bookmark the Business Center’s U.S.-EU Safe Harbor Framework page for details about FTC law enforcement.

The name and shame policy of the FTC coupled with settlements is a longstanding practice.  It is also a policy adopted by many privacy and information commissioners around the world.  It will be interesting to see whether this approach is taken up, and if so how, by the Australian Privacy Commissioner when he is armed with own motion investigative powers and can obtain enforceable undertakings.

Leave a Reply