12 Companies Settle FTC Charges of Falsely Asserting U.S.-EU Safe Harbor Compliance


By Donald G. Aplin  

Jan. 22 -- Twelve companies have agreed to no-fault consent orders with the Federal Trade Commission to settle commission charges that they falsely claimed they were in compliance with the U.S.-European Union and U.S.-Switzerland Safe Harbor programs, although they had let their certifications lapse, the FTC announced Jan. 21.

The proposed consent agreements cover National Football League teams, including the Super Bowl XLVIII-bound Denver Broncos, and Level 3 Communications LLC, which the FTC says is one of the six largest Internet service providers in the world.

EU, Swiss Safe Harbors

Under the U.S.-EU Safe Harbor program, U.S. companies operating in the EU are permitted to transfer the data of EU customers out of the bloc on the basis that they declare compliance with the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive (95/46/EC).

Under the U.S.-Swiss program, companies give similar attestations that they will comply with Swiss data protection law principles in order to transfer data to the U.S. Switzerland isn't a member of the EU, but its laws closely follow EU data protection practices.

Both programs require an annual recertification that can be achieved by “reaffirming” the “existing self-certification.”

The U.S. Department of Commerce administers the programs, including maintaining the registry of self-certified companies. But the FTC is authorized to take enforcement action related to the programs.

Failure to Recertify

In its administrative complaints against the 12 companies, the FTC charged that they violated Section 5 of the FTC Act by including statements in their privacy policies or posting certification notices on their websites that indicated their “current” compliance with the relevant Safe Harbor framework principles.

None of the complaints alleges substantive violations of the Safe Harbor principles. Rather, the FTC charged that the companies made false claims concerning their certification status under the U.S.-EU program and that three of the same companies made false claims relating to their status under the U.S.-Swiss program.

Commenting on the FTC action, Hogan Lovells LLP said in a Jan. 22 blog post, “companies participating in Safe Harbor--or any standard setting program for privacy or security practices, such as online behavioral targeting self-regulatory programs--would be prudent to take steps to confirm that they are living up to their commitments and formal certification requirements.”

EU Concerns

The FTC's move comes in the wake of challenges by some in the EU to the viability of the U.S.-EU Safe Harbor program due to an alleged lack of enforcement by the FTC and concerns over the U.S. National Security Agency's surveillance programs.

In considering a proposed data protection regulation to replace the EU Privacy Directive, some EU lawmakers have suggested that the program be abolished, or at least amended.




A draft report and resolution recently introduced in the European Parliament seeks to establish a “European digital habeas corpus” that would require suspension of the U.S.-EU Safe Harbor program. The resolution represents the conclusion of an inquiry into NSA surveillance conducted by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs--the lead committee considering the proposed data protection regulation.



The European Commission, the EU's executive arm, said Nov. 27, 2013, that the U.S.-EU Safe Harbor Program should be reviewed and strengthened, suggesting ways to improve data protection but holding back from calling for its suspension (12 PVLR 2012, 12/9/13).

One of the European Commission's recommendations was for stronger enforcement of U.S. companies' self-certification under the U.S.-EU Safe Harbor program.

“Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program,” FTC Chairwoman Edith Ramirez said in the Jan. 21 statement announcing the new settlements.

Covered Companies

The 12 companies entering agreements with the FTC are:

• Mobile applications company Apperian Inc.;

• The NFL's Atlanta Falcons Football Club LLC;

• Accounting firm Baker Tilly Virchow Krause LLP;

• Peer-to-peer file sharing company BitTorrent Inc.;

• Drug company Charles River Laboratories International Inc.;

• E-mail encryption services company DataMotion Inc.;

• DNA testing company DDC Laboratories Inc.;

• ISP Level 3 Communications LLC;

• PDB Sports Ltd., d/b/a Denver Broncos Football Club;

• Foil and other consumer products maker Reynolds Consumer Products Inc.;

• Receivable Management Services Corp., an accounts receivable and third-party recovery company; and

• Tennessee Football Inc., the Tennessee Titans NFL team.


The FTC has made Safe Harbor certification claims public only a handful of times previously, including in May 2012 against social media company MySpace Inc. (11 PVLR 791, 5/14/12), in November 2011 against social media company Facebook Inc. (10 PVLR 1759, 12/5/11) and in March 2011 against Internet giant Google Inc. (10 PVLR 511, 4/4/11).

In October 2009, in an action similar to that announced Jan. 21, the commission reached settlements with six companies for failing to keep their U.S.-EU Safe Harbor program certifications current.


To contact the reporter on this story: Donald G. Aplin in Washington at daplin@bna.com

To contact the editor responsible for this story: Barbara Yuill at byuill@bna.com

Links to the FTC complaints, consent agreements and documents analyzing the proposed agreements to aid the public in making comments are available at http://www.ftc.gov/news-events/press-releases/2014/01/ftc-settles-twelve-companies-falsely-claiming-comply.
