The FTC (Federal Trade Commission) Means It: Another EU Safe Harbor Enforcement Action
The Allegations and Order
According to this recent FTC complaint, Fantage.com failed to complete its annual recertification of Safe Harbor compliance but continued to make publically-available statements about its compliance with the U.S.-EU Safe Harbor Framework. From June 2011 (when the company made its initial self-certification) to January 2014 (when the company renewed its self-certification), the FTC examined the company’s privacy policies and online statements for representations concerning its Safe Harbor status.
In its complaint, the FTC alleged that the company, “…expressly or by implication…” misrepresented that it was a current participant in the Safe Harbor Framework when, from June 2012 until January 2014, its certification had lapsed. The FTC cited the following statement made on the company’s website as an example of the false and misleading representations:
“When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-EU Safe Harbor Framework, which covers the transfer, collection, use, and retention of personal data from the European Union.”
While the FTC does not allege substantive violations of the Safe Harbor Framework, the sanctions that follow place compliance obligations on the company. The Settlement Agreement Containing Consent Order:
enjoins Fantage.com from misrepresenting its compliance with any governmental or self-regulatory data privacy program for 20 years; and
imposes on Fantage.com detailed record-keeping requirements for five years, including maintenance of records (i) for all advertisements or other statements containing representations about privacy program participation; (ii) all materials that form the basis for preparing such representations; and (iii) all materials that call into question the company’s compliance with the Order.
If Fantage.com violates the settlement agreement, the FTC is empowered to assess up to $11,000 per day in monetary penalties.
Based on these enforcement actions, any company that self-certifies under the U.S,-EU Safe Harbor Framework should immediately:
check its certification status to ensure that it is marked “current” on the Department of Commerce website: https://safeharbor.export.gov/list.aspx;
review any privacy policies and online statements referencing the Safe Harbor program to ensure that they properly reflect the status of their certification;
institute a systemic reminder six months prior to the recertification date that triggers compliance review activity with a due date for completion prior to the recertification deadline, together with a requirement that the actual online recertification be completed prior to the annual deadline.
remove all references to the Safe Harbor program from publicly available privacy policies and statements if the company’s certification status is unclear; and
review substantive compliance with the Safe Harbor program and institute corrective action and controls to ensure that compliance is maintained.