
From Banking and Finance Law Daily, January 22, 2014

FTC settles with 12 companies falsely claiming to comply with EU-U.S. Safe Harbor privacy framework

By J. Preston Carter, J.D., LL.M.

Twelve U.S. businesses have agreed to settle Federal Trade Commission charges that they falsely claimed they were abiding by an international privacy framework known as the U.S.-EU Safe Harbor that enables U.S. companies to transfer consumer data from the European Union to the United States in compliance with EU law. The companies represent a cross-section of industries, including retail, professional sports, laboratory science, data broker, debt collection, and information security. The companies handle a variety of consumer information, including in some instances sensitive data about health and employment.

“Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program,” said FTC Chairwoman Edith Ramirez.

Background. EU data protection law addresses the flow of information between countries in two ways: First, it prohibits impeding the free flow of information between member countries (not just EU, but also European Economic Area countries), so as to promote the smooth functioning of the information society. Second, it prohibits the transmission of information outside the EEA without some kind of assurance that the information will be given an equivalent level of protection in the country to which it is sent. Transfers outside the EEA are allowed only under certain circumstances, even if the sender, in an EEA country, and the receiver, in another country, are only different offices of the same multinational entity. As an initial matter, transfers to recipients in other countries are allowed only if the country provides an "adequate" level of data protection.

Recognizing that impeding the transfer of information from the EU to the United States would have a significant economic impact on all sides, the European Commission and the U.S. Department of Commerce cooperated to establish the "Safe Harbor" program. The U.S.-EU Safe Harbor Framework provides a method for U.S. companies to transfer personal data from the EU to the United States that is consistent with the requirements of the European Union Data Protection Directive.

To participate, a company must self-certify annually to the Department of Commerce that it complies with the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. A participant in the U.S.-EU Safe Harbor Framework may also highlight for consumers its compliance with the Safe Harbor by displaying the Safe Harbor certification mark on its website.

By signing up for the Safe Harbor, companies subject themselves to enforcement under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive trade practices, based on materially false certifications.

Complaints. The FTC complaints charge each company with representing, through statements in its privacy policy or display of the Safe Harbor certification mark, that it held a current Safe Harbor certification, even though the company had allowed its certification to lapse. The Commission alleged that this conduct violated Section 5 of the FTC Act. However, this does not necessarily mean that the company committed any substantive violations of the privacy principles of the Safe Harbor frameworks.

Settlement agreements. Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.

Companies: Apperian, Inc.; Atlanta Falcons Football Club, LLC; Baker Tilly Virchow Krause, LLP; BitTorrent, Inc.; Charles River Laboratories International, Inc.; DataMotion, Inc.; DDC Laboratories, Inc.; Level 3 Communications, LLC; PDB Sports, Ltd., d/b/a Denver Broncos Football Club; Reynolds Consumer Products Inc.; Receivable Management Services Corporation; Tennessee Football, Inc.
