By: Linda L. Goodman
Today the Federal Trade Commission (“FTC”) announced a settlement with two U.S. businesses charged with false claims that they were abiding by an international privacy framework known as the U.S.-EU Safe Harbor, which enables U.S. companies to transfer consumer data from the European Union to the United States while remaining in compliance with EU law.
The FTC complaints against TES Franchising, LLC (“TES”) and American International Mailing, Inc. (“AIM”) allege that the companies’ websites claimed they were currently certified under the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework, when in fact their certifications had lapsed years earlier.
The complaint against TES also alleges that TES deceived consumers about the nature of its dispute resolution procedures. On its website, the company stated that Safe Harbor-related disputes would be settled by an arbitration agency, that arbitration would take place in Connecticut, and that costs would be split between the consumer and the company. According to the FTC’s complaint, the company had agreed in its Safe Harbor certification filing that it would resolve disputes through the European data protection authorities, which do not require in-person hearings and resolve disputes at no cost to the consumer. The complaint also alleges that the company’s website displayed the TRUSTe Privacy program seal even though the company was not a customer of TRUSTe.
To participate in the U.S.-EU Safe Harbor Framework or the U.S.-Swiss Safe Harbor Framework, a company must self-certify annually to the Department of Commerce that it complies with the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. A participant may also highlight for consumers its compliance with the Safe Harbor by displaying the Safe Harbor certification mark on its website. Most importantly, by registering and posting the certification, a company agrees to have the Federal Trade Commission enforce the certification provision. Thus, by registering through the Safe Harbor program, the companies not only agreed to comply with EU law, but they also handed the FTC the power to enforce EU law. There are many ways to transfer data without registration and without handing the FTC enforcement power.
Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The settlement with TES further prohibits the company from misrepresenting its participation in or the terms of any alternative dispute resolution process or service.
“We remain strongly committed to enforcing the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks,” said FTC Chairwoman Edith Ramirez. “These cases send an important message that businesses must not deceive consumers about whether they hold these certifications, and by extension, the ways in which they protect consumers.”
______________________________________________________________________
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
© 2015 TGLF, A.P.C.