Recent Safe Harbor-related Enforcement
The companies settling with the FTC represent a cross-section of industries, including retail, professional sports, laboratory science, data broker, debt collection, and information security. The companies handle a variety of consumer information, including in some instances sensitive data about health and employment.
According to the twelve complaints filed by the FTC, the companies deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework and, in three of the complaints, also deceptively claimed certifications under the U.S.-Swiss Safe Harbor framework. The FTC complaints charge each company with representing, through statements in their privacy policies or display of the Safe Harbor certification mark, that they held current Safe Harbor certifications, even though the companies had allowed their certifications to lapse. The FTC alleged that this conduct violated Section 5 of the FTC Act. However, this does not necessarily mean that the company committed any substantive violations of the privacy principles of the Safe Harbor frameworks.
Under the proposed settlement agreements the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
The FTC issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the FTC that a proceeding is in the public interest. When the FTC issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.
Note: These cases are being brought with the valuable assistance of the U.S. Department of Commerce.
Seminars, Roundtables, and Webinars
Additional Resources and Noteworthy Website Developments
Specific “Not Current” Notice Posted December 2013: The explanatory note, which has been added to existing information on the public Safe Harbor List web pages, is meant to highlight and clarify the implications of an organization being designated as “Not Current”. The notice states the following:
Safe Harbor Key Points First Distributed December 2013 / Posted January 2014: A document, which the Safe Harbor Team has prepared providing useful information about the benefits, oversight, and enforcement of the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks, is available via the link provided herein. This document is meant to complement information provided elsewhere on the Safe Harbor website.
Overview of Safe Harbor Review Process Originally Posted May 2013: A document, the Safe Harbor Team has prepared clarifying the various steps taken and criteria assessed during the review of first time Safe Harbor self-certification submissions, as well as Safe Harbor recertification submissions, is available via the link provided herein. This document is meant to provide a useful summary of information provided elsewhere on the Safe Harbor website.
Clarifications Regarding the U.S.-EU Safe Harbor Framework and Cloud Computing Posted April 2013: A document, which the Safe Harbor Team has prepared clarifying various aspects of the U.S.-EU Safe Harbor Framework, and its applicability to the cloud computing sector, is available via the link provided herein. This document is meant to provide prospective or existing participants in the U.S.-EU Safe Harbor program with a resource that they can refer to and refer others to when concerns are raised about the interplay between the program and cloud computing.
Summary of FTC Enforcement Posted August 2012: A summary, which the Safe Harbor Team prepared in early August 2012, of Federal Trade Commission (FTC) enforcement of Safe Harbor commitments is available via the link provided herein. Please note that the FTC updated the Safe Harbor material on its own website in late 2012 to include detailed information regarding such enforcement.
New Survey Feature Launched in June 2012: Organizations participating in the U.S.-EU and U.S.-Swiss Safe Harbor programs will be invited to complete a new survey to help the ITA’s Safe Harbor Team better evaluate the programs and how they support U.S. exports. The survey consists of five short questions and should only take a few minutes to complete. Those organizations self-certifying for the first time or recertifying on-line will be prompted to complete the survey prior to arriving at the payment page. We hope that organizations participating in one or both of the Safe Harbor programs will take this important opportunity to communicate directly with the ITA regarding the programs to help us better serve the Safe Harbor community.
New Safe Harbor List Search Function Launched in June 2012: In an effort to further enhance the functionality of the Safe Harbor website (export.gov/safeharbor), the ITA’s Safe Harbor Team launched a new search function making the U.S.-EU and U.S.-Swiss Safe Harbor Lists searchable by organization certification status (i.e. “Current” or “Not Current”). We hope that this enhancement will make the Safe Harbor Lists and the Safe Harbor website even more useful to all Safe Harbor stakeholders.
U.S.-EU Safe Harbor Cooperation
November 22, 2012, European Voice, Brussels, Belgium
March 19, 2012, Washington, DC
“In line with the objectives of increasing trade and regulatory cooperation outlined by our leaders at the U.S.-EU Summit, the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework. This Framework, which has been in place since 2000, is a useful starting point for further interoperability. Since its inception, over 3,000 companies have self-certified to the Framework to demonstrate their commitment to privacy protection and to facilitate transatlantic trade. The European Commission and the Department of Commerce look forward to continued close U.S.-EU collaboration to ensure the continued operation and progressive updates to this Framework. As the EU and the United States continue to work on significant revisions to their respective privacy frameworks over the next several years, the two sides will endeavor to find mechanisms that will foster the free flow of data across the Atlantic. Both parties are committed to work towards solutions based on non-discrimination and mutual recognition when it comes to personal data protection issues which could serve as frameworks for global interoperability that can promote innovation, the free flow of goods and services, and privacy protection around the world. The EU and the United States remain dedicated to the operation of the Safe Harbor Framework-as well as to our continued cooperation with the Commission to address issues as they arise-as a means to allow companies to transfer data from the EU to the United States, and as a tool to promote transatlantic trade and economic growth.”
March 19, 2012, Washington, DC
This European Commission hosted conference covered transatlantic privacy issues and focused on current policy and legislative initiatives in the European Union and the United States. The conference also included a discussion of the US-EU Safe Harbor Framework.
• Additional information regarding the conference is available via the link provided above.