The Federal Trade Commission (FTC) has struck again in the data privacy world, this time at 13 companies that allegedly misrepresented in their privacy statements that they were U.S.-EU or U.S.-Swiss Safe Harbor certified. This latest enforcement sweep demonstrates the FTC’s privacy focus and reinforces the need for companies to make accurate public representations.
The FTC charged the 13 companies with misleading consumers and has proposed placing them under a familiar 20-year consent order. The consent order requires the companies to refrain from misrepresenting privacy or security program adherence and to keep strict records for the FTC’s review. For the next 20 years, any company that disobeys the consent order will be subject to a $16,000 civil penalty per violation.
The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks (collectively, “Safe Harbor”) are the most popular of several mechanisms through which companies can legally transfer personal data from Europe to the United States. There are currently over 4,300 U.S. companies certified to the U.S.-EU Safe Harbor.
As FTC Chairwoman Edith Ramirez said this week, “The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks are important agreements, and the FTC remains strongly committed to enforcing them. Companies must not deceive consumers about their participation in these programs.”
The FTC’s focus on Safe Harbor enforcement, and privacy enforcement in general, raises concerns for companies of all sizes. Indeed, the FTC has now undertaken 39 Safe Harbor-related enforcement actions against both small and large U.S. companies in the past five years. Here are five key items for companies to review based on the lessons learned from these settlements: