July 9, 2014
Previously published on July 2, 2014
The Federal Trade Commission (FTC) approved final orders on Wednesday, June 25, in settlements with 14 U.S. companies over the FTC’s allegations that the companies misrepresented their current participation in the U.S. Department of Commerce’s (DOC) U.S.-EU Safe Harbor Framework. Companies that claim participation in the program must certify annually to the DOC. The actions appear to be an effort by the FTC to flex its enforcement muscle to reassure individuals and the agency’s foreign counterparts that it takes the protection of individuals’ personal information seriously in the wake of troublesome revelations of information gathering by the U.S. National Security Agency and recent prominent data breaches suffered by large U.S. companies.
Among others, the settling companies included:
- technology firms, including an ISP, an app developer, and a peer-to-peer file sharing service;
- medical technology firms, including a drug development lab and a DNA testing lab;
- three National Football League teams;
- an accounting firm; and
- a collections agency.
The FTC sought public comment when it published the proposed settlements earlier this year. Commenters included foreign- and U.S.-based individuals, privacy consultants, and privacy advocates. One commenter criticized TRUSTe, which has developed a U.S.-EU Safe Harbor program, because some of the settling companies participated in the TRUSTe program and were recertified by TRUSTe even though the companies’ privacy policies included false statements about their current participation in the Safe Harbor Framework. The FTC refused to comment on whether it was investigating any particular companies or allegations, but noted that it “takes seriously the role of self-regulatory privacy programs that certify compliance with the Safe Harbor framework, such as TRUSTe.” The Electronic Privacy Information Center (EPIC) urged the FTC to formally require adherence to the Consumer Privacy Bill of Rights. Sports teams were singled out by some commenters who suggested that consent agreements bar them from playing certain games, strip them of titles, or take other action.
The FTC responded to each of the commenters, but finalized the consent orders without change. Notably, there was no indication that any of the respondents violated any of the underlying substantive data-protection requirements; the alleged violation was only that they failed to maintain current Safe Harbor status while claiming to participate.
These latest in a series of FTC Safe Harbor enforcement efforts are intended to illustrate that the Safe Harbor has teeth at a time when privacy advocates and some EU regulators are pushing for reform. Given the strong U.S. interest in maintaining the Safe Harbor as one of the options to meet adequacy requirements when transferring data from the EU to the U.S., continued FTC scrutiny is expected. Companies that say they participate in the U.S.-EU (or U.S.-Swiss) Safe Harbor should ensure that their certification with the DOC is current, remembering that certifications must be made annually. This is true even for companies that rely on other organizations’ Safe Harbor dispute resolution programs.