FTC Continues Crackdown on Companies Making False US-EU Safe Harbor Reps in Privacy Policies

TES Franchising, LLC, and American International Mailing, Inc. became the latest companies nabbed by the FTC for false claims they comply with the U.S.-EU Safe Harbor Framework, when in fact their certifications had lapsed years earlier.  That is why a regular privacy policy review is important to ensure the representations being made are accurate.

Under EU law, personal data generally may be transferred only to a non-EU country that provides an adequate level of privacy protection. The European Commission, together with the U.S. government, created the U.S.-EU Safe Harbor Framework. The European Commission has determined that companies participating in the Framework provide an “adequate level of protection” for EU data. This allows companies in the EU to transfer personal information to the United States in a way that is consistent with the requirements of EU law.

The protections under the Safe Harbor Framework fall under seven Principles:

  • Notice: A Safe Harbor company must inform you about its information practices, including the purposes for which it collects and uses personal data, the company contact information, the types of third parties it transfers the data to, and what choices you have for limiting uses and disclosures.
  • Choice: A Safe Harbor company must give you the opportunity to choose how your personal information is used and disclosed to third parties.
  • Onward Transfer: A Safe Harbor company may disclose data to a third party only under certain conditions, and it must ensure that the data remains protected at least at the same level as is required under Safe Harbor Principles or otherwise in accordance with EU law.
  • Security: A Safe Harbor company must take reasonable steps to prevent loss, misuse or unauthorized disclosures.
  • Data Integrity: A Safe Harbor company must only collect data that is relevant for purposes for which it is to be used and should take reasonable steps to keep it current.
  • Access: As a general rule, a Safe Harbor company must provide you access to your data and an opportunity for you to correct or amend inaccurate data.
  • Enforcement: A Safe Harbor company must provide you with a mechanism to resolve your dispute over whether it is following the Principles.

To join the Safe Harbor, a company must be subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation, and it must self-certify to the U.S. Department of Commerce that it complies with the Safe Harbor Privacy Principles. The Department of Commerce makes information about the Safe Harbor program available on its website. It includes an overview of the program as well as frequently asked questions.

The Department of Commerce also maintains an authoritative list of companies that are current participants in the Safe Harbor program.  The FTC has sued companies that claimed in their privacy policies that they were Safe Harbor participants, but were not.  The FTC has also sued companies that improperly used the Safe Harbor certification mark, as well as companies that did not comply with the Safe Harbor principles.  If you have a question about whether a particular company is a current participant in the Safe Harbor program, you should check the Department of Commerce’s list.

Here is a list of the 26 companies the FTC has gone after over the years on this issue.

September 11, 2012

August 10, 2012

October 24, 2011

January 19, 2010

January 19, 2010

January 19, 2010

January 19, 2010

January 19, 2010
