On January 21, 2014, the FTC announced that it charged 12 companies that falsely claimed they were abiding by an international privacy framework known as the U.S.-EU Safe Harbor. This framework enables U.S. companies to transfer consumer data from the European Union to the United States in compliance with EU law.
The 12 companies represented a cross section of businesses, including the Atlanta Falcons, BitTorrent, Level 3 Communications and the Tennessee Titans. According to the complaints, the companies deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework. The U.S.-EU and U.S.-Swiss Safe Harbor frameworks are voluntary programs administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement.
Under the proposed settlement agreements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
These cases serve as an important reminder: if you feature the Safe Harbor mark on your site or refer to your participation, you must apply and get accepted every year.