FTC Challenges Privacy Safe Harbor Certification Claims

This posting was written by Jeffrey May, Editor of CCH Trade Regulation Reporter.

Six U.S. businesses have agreed to refrain from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party, under the terms of proposed Federal Trade Commission consent orders.

The consent orders would settle the first FTC challenges to deceptive claims regarding certification under an international privacy safe harbor program administered by the U.S. Department of Commerce in consultation with the European Commission.

The cases were brought with the assistance of the Department of Commerce. The Department of Commerce maintains a public website where it posts the names of companies that have self-certified to the safe harbor.

The companies claimed that they were current participants in the safe harbor, even though their certifications had lapsed, according to the agency.

The safe harbor provides a mechanism for U.S. companies to transfer data outside the European Union consistent with European law. To join the safe harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles and related requirements.

Companies are required to recertify every yearin order to retain their status as “current” members of the safe harbor framework, the FTC explained.

The FTC announced the complaint and proposed consent orders on October 6, which are available in the CCH Trade Regulation Reporter and here on the FTC website.