Same time next year

Share This Page

Does your company participate in the U.S.-EU Safe Harbor Framework? It’s a voluntary international privacy program administered by the Department of Commerce that lets companies transfer data from the EU to the U.S. in compliance with EU law. Of course, data security and privacy are everyday obligations for companies, but are you honoring one particular once-a-year provision? And what about promises you make regarding how you resolve consumer disputes?

To participate in the Safe Harbor Framework, the first step is for a company to certify that it abides by seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. But the obligation doesn’t end there. A company also has to annually reaffirm that it’s still in compliance. That’s why saying you have a valid Safe Harbor certification – but failing to self-certify once a year – is a deceptive practice, in violation of the FTC Act.

The FTC has brought 24 law enforcement actions to make sure companies honor their obligations under the Framework, and now you can add two more to that list.

Baltimore-based global parcel and freight company American International Mailing (AIM) claimed on its website to be a current participant in the Safe Harbor Framework. Yes, the company had submitted a self-certification to the Department of Commerce back in 2006, but according to the FTC, AIM let it lapse in 2010. As recently as January 2015, AIM hadn’t renewed its self-certification and is on Commerce’s “not current” list. Yet the company still claimed on its website to be a Safe Harbor Framework participant. The FTC says that means AIM’s compliance claim was false.

The FTC’s lawsuit against TES Franchising, LLC, a business coaching concern, includes similar allegations – and then some. The Company self-certified back in 2011, and since then has claimed that it “complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce.” But a key part of compliance is annual self-certification, which the FTC says it didn’t do for years.

That wasn’t TES Franchising’s only Safe Harbor misstep. Under “enforcement” – one of the seven principles of the Framework – companies have to provide a readily available and affordable independent recourse mechanism to investigate and resolve consumer complaints and disputes. In its self-certification, TES said its mechanism would be the European data protection authorities, which resolve Safe Harbor disputes at no cost to consumers and don’t require in-person hearings. But on its website, the company said that all Safe Harbor-related disputes would be settled by an “arbitration administered agency” like the American Arbitration Association; that hearings would take place in Connecticut, where TES is based; and that the costs of arbitration would be shared equally by the parties – hurdles the FTC says are likely to deter people from using the dispute resolution mechanism. The complaint alleges that the discrepancy between what TES said in its self-certification and what it told consumers on its website was false and misleading.

Furthermore, TES Franchising said on its site that because it “wants to demonstrate its commitment to your privacy,” it was a licensee of the TRUSTe Privacy Program.  But according to the FTC’s lawsuit, TES wasn’t a current TRUSTe licensee.

The proposed order with AIM prohibits misrepresentations related to government or self-regulatory privacy or security programs. The proposed TES settlement includes that provision, too, but adds a specific reference to TRUSTe compliance. In addition, the TES order bars misrepresentations related to any alternative dispute resolution process, including arbitration or mediation.

You can file an online comment about the proposed settlements by May 7, 2015.

What tips can businesses take from the two cases?

  1. If you don’t participate in the U.S.-EU Safe Harbor Framework, consider whether it’s appropriate for your company. The Department of Commerce has more information and a list of businesses that participate.
  2. If you are a participant, make sure you’re honoring your obligations, including that annual self-certification requirement. Use the “same time next year” function on your calendar as a reminder to take timely steps to re-up before your certification lapses.
  3. Most companies (we hope) think about substantiating their product representations. But what about your privacy promises, statements about dispute resolution, and other customer service claims? Those need to be backed up, too.

Bookmark the FTC’s U.S.-EU Safe Harbor Framework page for guidance materials and links to our law enforcement efforts.


Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.