U.S.-EU Safe Harbor compliance: Don’t run aground


An app developer, a medical waste company, a skateboard event sponsor, a stock car racing school, and a bagel purveyor. That’s either the strangest answer to a Jeopardy! question – or a partial list of companies that just settled FTC charges that they falsely claimed they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor Framework.

The Frameworks are mechanisms that allow companies to transfer consumer data from the European Union and Switzerland to the United States consistent with EU and Swiss data protection law. To represent that they participate, companies must self-certify to the Department of Commerce that they abide by the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Another key requirement: they must renew that self-certification annually, and a company whose certification has lapsed may no longer claim current membership.

So far, the FTC has brought more than two dozen cases alleging false claims regarding Safe Harbor compliance. Today's proposed settlements add 13 more companies to that list.

The FTC says seven companies – Golf Connect, Pinger, NAICS Association, Jubilant Clinsys, IOActive, Contract Logix, and Forensics Consulting Solutions – falsely claimed to have up-to-date certifications, but failed to renew them as the program requires.

In six other lawsuits, the FTC alleged that Dale Jarrett Racing Adventure, SteriMed Medical Waste Solutions, California Skate-Line, Just Bagels Manufacturing, One Industries Corporation, and Inbox Group claimed certification in one or both programs, but never actually applied for membership in the first place.

The proposed settlements prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting group. You can file a comment about the proposed settlements by September 16, 2015.

If you're responsible for Safe Harbor compliance at your business, here are some tips to help ensure smooth sailing.

Express or implied statements about how you handle consumer data are claims subject to the truth-in-advertising standards of the FTC Act. Don’t think you’re making any claims about privacy on your website? Reread your privacy policy and check the certification logos or marks you display on your site. You may be making representations that have to be substantiated under Section 5 of the FTC Act.

When it comes to your privacy policy, a right click may be a wrong move. Many industry groups and others offer resources to help companies craft their privacy policies, but there’s no one-size-fits-all document. If you choose to use a template as a starting point, don't just cut ‘n’ paste. Go through line by line to make sure it reflects what actually happens at your business.

Be a tickler stickler. Once your company has complied with the Safe Harbor Framework’s self-certification requirement, use the tickler feature on your calendar to revisit it before your certification expires. Consider if any changes at your business have affected those seven privacy principles. If you’re still compliant, honor your annual obligation to renew your certification.

For more resources, visit the FTC’s U.S.-EU Safe Harbor Framework page.



Why can't America respect the privacy rights of Americans?
