Jan. 22 --Twelve companies have agreed to no-fault consent orders with the Federal Trade Commission to settle commission charges that they falsely claimed they were in compliance with the U.S.-European Union and U.S.-Switzerland Safe Harbor programs, although they had let their certifications lapse, the FTC announced Jan. 21.
The proposed consent agreements cover National Football League teams, including the Super Bowl XLVIII-bound Denver Broncos, and Level 3 Communications LLC, which the FTC says is one of the six largest Internet service providers in the world.
Under the U.S.-EU Safe Harbor program, U.S. companies operating in the EU are permitted to transfer the data of EU customers out of the bloc on the basis that they declare compliance with the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive (95/46/EC).
Under the U.S.-Swiss program, companies give similar attestations that they will comply with Swiss data protection law principles in order to transfer data to the U.S. Switzerland isn't a member of the EU, but its laws closely follow EU data protection practices.
Both programs require an annual recertification that can be achieved by “reaffirming” the “existing self-certification.”
The U.S. Department of Commerce administers the programs, including maintaining the registry of self-certified companies. But the FTC is authorized to take enforcement action related to the programs.
In its administrative complaints against the 12 companies, the FTC charged that they violated Section 5 of the FTC Act by including statements in their privacy policies or posting certification notices on their websites that indicated their “current” compliance with the relevant Safe Harbor framework principles.
None of the complaints alleges substantive violations of the Safe Harbor principles. Rather, the FTC charged that the companies made false claims concerning their certification status under the U.S.-EU program and that three of the same companies made false claims relating to their status under the U.S.-Swiss program.
Commenting on the FTC action, Hogan Lovells LLP said in a Jan. 22 blog post, “companies participating in Safe Harbor--or any standard setting program for privacy or security practices, such as online behavioral targeting self-regulatory programs--would be prudent to take steps to confirm that they are living up to their commitments and formal certification requirements.”
The FTC's move comes in the wake of challenges by some in the EU to the viability of the U.S.-EU Safe Harbor program due to an alleged lack of enforcement by the FTC and concerns over the U.S. National Security Agency's surveillance programs.
In considering a proposed data protection regulation to replace the EU Privacy Directive, some EU lawmakers have suggested that the program be abolished, or at least amended.
A draft report and resolution recently introduced in the European Parliament seeks to establish a “European digital habeas corpus” that would require suspension of the U.S.-EU Safe Harbor program. The resolution represents the conclusion of an inquiry into NSA surveillance conducted by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs--the lead committee considering the proposed data protection regulation.
The European Commission, the EU's executive arm, said Nov. 27, 2013, that the U.S.-EU Safe Harbor Program should be reviewed and strengthened, suggesting ways to improve data protection but holding back from calling for its suspension (12 PVLR 2012, 12/9/13).
One of the European Commission's recommendations was for stronger enforcement of U.S. companies' self-certification under the U.S.-EU Safe Harbor program.
“Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program,” FTC Chairwoman Edith Ramirez said in the Jan. 21 statement announcing the new settlements.
The 12 companies entering agreements with the FTC are:
• Mobile applications company Apperian Inc.;
• The NFL's Atlanta Falcons Football Club LLC;
• Accounting firm Baker Tilly Virchow Krause LLP;
• Peer-to-peer file sharing company BitTorrent Inc.;
• Drug company Charles River Laboratories International Inc.;
• E-mail encryption services company DataMotion Inc.;
• DNA testing company DDC Laboratories Inc.;
• ISP Level 3 Communications LLC;
• PDB Sports Ltd., d/b/a Denver Broncos Football Club;
• Foil and other consumer products maker Reynolds Consumer Products Inc.;
• Receivable Management Services Corp., an accounts receivable and third-party recovery company; and
• Tennessee Football Inc., the Tennessee Titans NFL team.
The FTC has only made public Safe Harbor certification claims a handful of times previously, including in May 2012 against social media company MySpace Inc. (11 PVLR 791, 5/14/12), in November 2011 against social media company Facebook Inc. (10 PVLR 1759, 12/5/11) and in March 2011 against Internet giant Google Inc. (10 PVLR 511, 4/4/11).
In October 2009, in an action similar to that announced Jan. 21, the commission reached settlements with six companies for failing to keep their U.S.-EU Safe Harbor program certifications current.
To contact the reporter on this story: Donald G. Aplin in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Barbara Yuill at email@example.com
Links to the FTC complaints, consent agreements and documents analyzing the proposed agreements to aid the public in making comments are available at http://www.ftc.gov/news-events/press-releases/2014/01/ftc-settles-twelve-companies-falsely-claiming-comply.