





FTC Finalizes Settlements of Alleged Safe Harbor Violations Against 14 Companies




by:
Nathan S. Cardon
Tracy P. Marshall
Sheila A. Millar
Keller and Heckman LLP - Washington Office

 
July 9, 2014

Previously published on July 2, 2014

The Federal Trade Commission (FTC) approved final orders on Wednesday, June 25, in settlements with 14 U.S. companies over the FTC’s allegations that the companies misrepresented their current participation in the U.S. Department of Commerce’s (DOC) U.S.-EU Safe Harbor Framework. Companies that claim participation in the program must certify annually to the DOC. The actions appear to be an effort by the FTC to flex its enforcement muscle to reassure individuals and the agency’s foreign counterparts that it takes the protection of individuals’ personal information seriously in the wake of troublesome revelations of information gathering by the U.S. National Security Agency and recent prominent data breaches suffered by large U.S. companies.

Among others, the settling companies included:

  • technology firms, including an ISP, an app developer, and a peer-to-peer file sharing service;

  • medical technology firms, including a drug development lab and a DNA testing lab;

  • three National Football League teams;

  • an accounting firm; and

  • a collections agency.

The FTC sought public comment when it published the proposed settlements earlier this year. Commenters included foreign- and U.S.-based individuals, privacy consultants, and privacy advocates. One commenter criticized TRUSTe, which has developed a U.S.-EU Safe Harbor program, because some of the settling companies participated in the TRUSTe program and were recertified by TRUSTe even though the companies’ privacy policies included false statements about their current participation in the Safe Harbor Framework. The FTC refused to comment on whether it was investigating any particular companies or allegations, but noted that it “takes seriously the role of self-regulatory privacy programs that certify compliance with the Safe Harbor framework, such as TRUSTe.” The Electronic Privacy Information Center (EPIC) urged the FTC to formally require adherence to the Consumer Privacy Bill of Rights. Sports teams were singled out by some commenters who suggested that consent agreements bar them from playing certain games, strip them of titles, or take other action.

The FTC responded to each of the commenters, but finalized the consent orders without change. Notably, there was no indication that any of the respondents violated any of the underlying substantive requirements regarding data protection; rather, they failed to maintain current Safe Harbor status.

These latest in a series of FTC Safe Harbor enforcement efforts are intended to illustrate that the Safe Harbor has teeth at a time when privacy advocates and some EU regulators are pushing for reform. Given the strong U.S. interest in maintaining the Safe Harbor as one of the options to meet adequacy requirements when transferring data from the EU to the U.S., continued FTC scrutiny is expected. Companies that say they participate in the U.S.-EU (or U.S.-Swiss) Safe Harbor should ensure that their certification with the DOC is current, remembering that certifications must be made annually. This is true even for companies that rely on other organizations’ Safe Harbor dispute resolution programs.



 

The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
 
