U.S. companies that transfer personal data from the European Economic Area (i.e., the 27 Member States of the European Union (EU) and Iceland, Liechtenstein and Norway) (EEA) to the United States, and misrepresent that they have self-certified under the Safe Harbor framework, risk Federal Trade Commission (FTC) enforcement action under Section 5 of the Federal Trade Commission Act.

EU Data Protection Directive

By way of background, a company that transfers personal data from the EEA to the United States must comply with the EU Data Protection Directive (95/46/EC). Personal data means information about any identified or identifiable natural person (e.g., a person’s address, credit card number and bank statements). Transfers include sending paper documents via post or electronic documents via e-mail. In general, transfers of personal data from the EEA to the U.S. are prohibited unless they qualify for one of the following exceptions: (i) the data subject freely and unambiguously provides specific consent, (ii) the transfer is necessary on various grounds (i.e., performance or conclusion of a contract, legally required for the public interest or legal claims or protection of the vital interests of the data subject) or (iii) the transfer is made from a register intended to provide information to the public in accordance with law. If no exception is available, a company may utilize one of the following methods to comply with the Directive: (A) uses a model contract signed by both the EU data exporter and U.S. data importer, (B) adopts binding corporate rules approved by the EU countries from which personal data is to be transferred or (C) self-certifies to the U.S. Department of Commerce under the Safe Harbor framework initially and thereafter self-certifies on an annual basis. The FTC serves as a backstop enforcement authority for the Safe Harbor framework.

Self-Certification under the Safe Harbor Framework

To self-certify under the Safe Harbor framework, a company agrees to develop and publicly disclose a privacy policy that entails complying with seven Safe Harbor principles (i.e., notice, choice, onward transfer, access, security, data integrity and enforcement). In addition, a company must establish and implement an independent recourse mechanism (i.e., cooperate and comply with EU Data Protection Authorities or utilize a private sector dispute resolution program). A company also must accept the jurisdiction of the FTC (or the U.S. Department of Transportation in the case of air carriers and ticket agents). Finally, a company must submit a self-certification to the U.S. Department of Commerce. Not less than annually, Safe Harbor compliance must be monitored and verified (including reviewing policies and procedures) and a new self-certification must be submitted to the U.S. Department of Commerce.

FTC Enforcement Actions

In July 2009, the FTC brought its first enforcement action, obtaining a temporary restraining order against a U.S. company - Balls of Kryptonite – that advertised on its websites that it had self-certified, where there was no record of its participation in the Safe Harbor, in violation of Section 5 of the Federal Trade Commission Act. The order prohibited this company from misrepresenting the extent to which it was a member of, adhered to, complied with, was certified by, was endorsed by or otherwise participated in any privacy, security or other compliance program sponsored by any government or third party. According to the FTC, it ultimately stipulated to a preliminary injunction against this company.

The FTC subsequently brought enforcement actions against six other U.S. companies – World Innovators, ExpatEdge Partners (a Minnesota company), Onyx Graphics, Directors Desk, Collectify and Progressive Gaitways. The FTC issued consent orders in November 2009 and in January 2010 settling charges that these companies falsely claimed to have complied with the Safe Harbor framework in violation of Section 5 of the Federal Trade Commission Act. Each company previously had self-certified under the Safe Harbor framework. However, although each company had failed to self-certify annually as required by the Safe Harbor framework, it represented through privacy policies and statements on its website that it was a current participant in the Safe Harbor. These orders, which are in effect for approximately 20 years, require that the companies in question (i) not misrepresent expressly or by implication the extent to which they are a member of, adhere to, comply with, are certified by, are endorsed by or otherwise participate in any privacy, security or other compliance program sponsored by the government or any other third party; (ii) file with the FTC written reports regarding the manner and form of their compliance with the orders and (iii) maintain and upon request make available to the FTC copies of all documents relating to compliance with the orders for 5 years. The companies also could be subject to civil penalties if they engage in any such misrepresentations going forward.

Conclusion

U.S. companies need to be careful with the language they use in their privacy statements and other public documents regarding their self-certification status or compliance with the Safe Harbor or the seven Safe Harbor principles. Before representing that they adhere to the Safe Harbor framework, U.S. companies should ensure that they have in fact self-certified with the U.S. Department of Commerce and formally renewed their Safe Harbor compliance registration each year.