• Firms Settle Charges over EU-U.S. Privacy Program
  • November 12, 2009
  • Law Firm: Manatt, Phelps & Phillips, LLP - Los Angeles Office
  • On October 6, the Federal Trade Commission announced settlements with six U.S. companies charged with misleading consumers by falsely claiming they were in compliance with a program permitting data transfers from the European Union to the United States.

    The settlements resolved six separate administrative complaints charging the companies with misrepresenting that they held up-to-date certifications under the EU-U.S. Safe Harbor framework. In fact, each of the defendants had allowed its certificate to lapse. The defendants are World Innovators, Inc., Expatedge Partners, LLC, Onyx Graphics, Inc., Directors Desk LLC, Progressive Gaitways LLC, and Collectify, LLC.

    Under the proposed settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party.

    The agency’s actions are a sign that it is stepping up its enforcement efforts in the privacy arena. In the past, privacy advocates had expressed concerns that the safe harbor program had not been adequately policed or enforced. The Commission has announced only one previous enforcement action under the nine-year-old program -- a July settlement of charges against Javian Karnani, who was accused of falsely claiming to participate in the safe harbor program.

    The safe harbor framework is a voluntary program administered by the Department of Commerce in consultation with the European Commission. It was launched in 2000 to ensure that U.S. businesses could have uninterrupted transfers of personal information from Europe to the United States. The program was designed to address the EU Data Protection Directive (95/46/EC), which generally bans data transfers to non-EU countries that lack “adequate” levels of privacy protection. The United States is not among the handful of countries deemed adequate by the EU.

    To participate in the program, a company must self-certify annually to the Commerce Department that it complies with a defined set of privacy principles, such as offering consumers the opportunity to opt out of having their personal information disclosed to third parties. Failure to comply can result in an enforcement action by the FTC.

    Roughly 1,700 U.S. companies have been certified to the safe harbor program. Only companies within the jurisdiction of the FTC or Transportation Department may join. Financial services companies are not eligible, nor are insurance companies, telecommunications carriers, nonprofits, or organizations under the jurisdiction of the Agriculture Department.

    Why it matters: The FTC’s announcement helps bolster confidence in the safe harbor program, which had been criticized for its lack of enforcement. The cases may also indicate that the FTC plans to be more aggressive on privacy issues in general. Companies that participate in the program are advised to review their compliance.