





A New Era of US-EU Safe Harbor Scrutiny by the FTC? FTC Reaches Consent Agreements with 12 Different Safe Harbor Certified Companies




by:
David L. Anderson
Edwards Wildman Palmer LLP - Los Angeles Office

Ari Z. Moskowitz
Edwards Wildman Palmer LLP - Washington Office

Mark E. Schreiber
Edwards Wildman Palmer LLP - Boston Office

 
February 6, 2014

Previously published on February 3, 2014

Recently announced FTC actions are a signal of renewed focus and enhanced enforcement by the FTC on companies which have pledged to adhere to Safe Harbor obligations. Some see this as a response by the FTC to EU pressures arising from the NSA disclosures and attempts to eliminate or re-align the Safe Harbor framework. Regardless, a new era of attention to Safe Harbor compliance is now upon us.

The Denver Broncos, the Atlanta Falcons, an accounting firm, and one of the largest internet service providers (along with 8 other companies) all settled FTC claims of lack of compliance with the privacy framework known as the U.S.-EU Safe Harbor. The U.S.-EU and Swiss Safe Harbors are a self-certifying program that enables U.S. companies to transfer consumer and other personal data from the European Union (and Switzerland) to the United States so as to adhere to stricter EU (and Swiss) data protection laws.

In order to participate in the Safe Harbor program, a company initially must self-certify with the U.S. Department of Commerce that it complies with each of the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access and enforcement. This requires a detailed privacy policy with particular elements, different from regular web privacy policies. Once certified, the company must renew its certification on an annual basis by continuing to self-certify that it complies.

If companies elect to self-certify and use the Safe Harbor, they should only do so with a complete understanding of the requirements, and undertake the required internal due diligence and precautions. They should be sure also to maintain their certifications accurately if they continue to indicate they are Safe Harbor compliant on their website.

In each of the cases filed by the FTC, the company first self-certified but then allegedly let the certification lapse, some on the first anniversary and others after several years. Each company nonetheless continued to indicate in its posted privacy policy that it was compliant with the Safe Harbor.

As a result, the FTC filed claims against each company alleging “deceptive acts or practices” in violation of Section 5 of the FTC Act. This is the latest in a line of enforcement actions by the FTC alleging that a privacy policy that does not accurately reflect actual practices is a deceptive act that violates Section 5. (See, e.g., Edwards Wildman Client Advisory - FTC Announces $800,000 Settlement with Mobile Social Networking App Developer and Mobile Privacy Guidance, February 2013).

Each party entered into similar Consent Agreements/Orders pursuant to which each company has agreed not to misrepresent its compliance with any government, self-regulatory, or standard-setting organization's privacy or security program, as well as to the usual FTC “housekeeping” enforcement requirements, including: (i) maintaining all advertising and other materials related to compliance with the Consent Agreement for five (5) years; (ii) providing a copy of the Consent Agreement to all employees, officers, etc. having responsibility for compliance and obtaining a signed acknowledgement of receipt; (iii) notifying the FTC within 14-30 days of any change (sale, bankruptcy, assignment, etc.) that may affect compliance; (iv) submitting a written report of compliance within 60-90 days of the Consent Agreement and thereafter within 10 days of the FTC’s request; and (v) complying with all the foregoing for a period of 20 years (unless a shorter period was designated).

While none of the companies had to pay a monetary fine, they are now subject to potentially twenty years of oversight by the FTC (plus the time and expense of responding to and defending the initial FTC claims), and, of course, they are subject to potential civil penalties if they violate the order.



 

The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
 
