Picture this: Honoring the certification requirements of the US-EU Safe Harbor Framework

Share This Page

Business may seem borderless these days, but it’s important that companies honor applicable legal principles.  That’s especially true when it comes to privacy.  The good news for U.S. businesses is that federal regulators and their EU and Swiss counterparts have international frameworks in place to honor EU privacy standards and streamline compliance responsibilities when transferring data from the European Union and Switzerland to the United States.  When companies participate, it’s a win-win for consumers and business.  But according to a dozen law enforcement settlements filed by the FTC, some household names claimed to hold current Safe Harbor certifications, but had allowed their certifications to lapse.

First, a few words about the frameworks.  They’re voluntary programs administered by the Department of Commerce in consultation with the European Commission and Switzerland. To participate, a company must self-certify annually to the Department of Commerce that it complies with the seven principles required to meet the EU’s adequacy standard:  notice, choice, onward transfer, security, data integrity, access, and enforcement.  A participating company can highlight its compliance with the program by displaying the Safe Harbor mark on its website, mentioning its certification in its privacy policy, or conveying that information to consumers in other ways.

How is the FTC involved?  On this side of the Atlantic, the program is run by the Department of Commerce, but what a company says about its participation is a claim, subject to the FTC Act’s ban on deceptive representations.  When companies say they're participants – either through express or implied statements or through visuals like the Safe Harbor mark – but have let their certification lapse, that means their representation is false, in violation of the FTC Act.  And that’s what the FTC says happened in these cases.

The businesses reflect a cross-section of the economy and handle a broad range of sensitive information about employees, health, etc.  Named in the settlements are:

  • Apperian – a company specializing in apps for business enterprises and security;
  • Atlanta Falcons Football Club – yes, those Atlanta Falcons
  • Baker Tilly Virchow Krause – an accounting firm
  • BitTorrent – a P2P file sharing protocol provider
  • Charles River Laboratories International – a company involved in pharmaceutical research
  • DataMotion – a platform provider for encrypted email and secure file transport
  • DDC Laboratories – the world’s largest paternity testing company
  • Level 3 Communications – one of the world’s largest ISPs
  • PDB Sports – you know them as the Denver Broncos
  • Reynolds Consumer Products – the foil people and makers of other consumer products
  • Receivable Management Service Corporation  – a global provider of accounts receivable, third-party recovery, and other business services
  • Tennessee Football – more commonly known as the Tennessee Titans

Bear in mind that the FTC lawsuits focused only on the companies’ allegedly deceptive claims that they were current program participants.  This doesn’t necessarily mean the companies committed any substantive violations of the Safe Harbor framework’s privacy principles.  You can file comments about the the proposed settlements by the February 20, 2014, deadline.

The message for business?  If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must “re-up” every year.  The Department of Commerce has information for businesses interested in learning more about the Safe Harbor program.  Bookmark the Business Center’s U.S.-EU Safe Harbor Framework page for details about FTC law enforcement.



When the Safe Harbor certification mark was introduced several years ago, FTC vigorously opposed its introduction and said it would not enforce its use. Your comment above seems to indicated otherwise. As for the misrepresentations made by those companies either through inaction or deliberate inattention to their commitments to the SH framework, FTC's action seems limited to those misrepresentations under Section 5 under the FTC Act. There does not seem to be any evidence of material harm to any of the EU citizens that may have their personal data held by any of these entities. Possibly, the only way to learn if any harm has been attached to the misrepresentations is to conduct an audit, the costs of which could be substantial.
What is more important in this debate, in my opinion, is the fact that around sixty procent of companies that have signed up to the Safe Harbour Framework have not implemented it in practice and sometimes do not even know what it is. Voluntary programs for businesses do not make sense. If from tomorrow businesses did not need to care about privacy of their customers that is what would happen. No obligations, no compliance.
Good read about US-EU safe harbor framework. Thank you
The question is if companies implementing the Safe Harbour Framework in real terms. Signing up and implementing are two different things.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.