InfoBytes Blog
FTC Actions Allege Violations Of International Safe Harbor Privacy Framework
On January 21, the FTC announced agreements with 12 companies to resolve allegations that the companies falsely claimed compliance with an international privacy framework. The FTC complaints explain that the U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data outside of the EU that is consistent with the requirements of the European Union Directive on Data Protection. The Directive sets forth EU requirements for privacy and the protection of personal data and requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the European Commission has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data. To participate in the Framework, a U.S. company must self-certify to the U.S. Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard. The FTC claimed that the companies indicated compliance with the Safe Harbor principles, for example through privacy policies or certification marks, when the companies had allowed their self-certifications to lapse. The FTC alleged that this conduct violated Section 5 of the FTC Act. The companies did not admit the allegations, and the FTC acknowledged that the allegations do not necessarily mean that the companies committed any substantive violations of the privacy principles of the Safe Harbor framework. The proposed settlement agreements would prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.