An app developer, a medical waste company, a skateboard event sponsor, a stock car racing school, and a bagel purveyor. That’s either the strangest answer to a Jeopardy! question – or a partial list of companies that just settled FTC charges that they falsely claimed they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor Framework.
The Frameworks are methods for allowing companies to transfer consumer data from the European Union and Switzerland to the United States in keeping with EU and Swiss law. For companies to represent they're in compliance, they must self-certify with the Department of Commerce that they abide by the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Another key requirement: They must renew that self-certification annually.
So far, the FTC has brought more than two dozen cases alleging false claims regarding Safe Harbor compliance. Today's proposed settlements add 13 more companies to that list.
The FTC says seven companies – Golf Connect, Pinger, NAICS Association, Jubilant Clinsys, IOActive, Contract Logix, and Forensics Consulting Solutions – falsely claimed to have up-to-date certifications, but failed to renew them as the program requires.
In six other lawsuits, the FTC alleged that Dale Jarrett Racing Adventure, SteriMed Medical Waste Solutions, California Skate-Line, Just Bagels Manufacturing, One Industries Corporation, and Inbox Group claimed certification in one or both programs, but never actually applied for membership in the first place.
The proposed settlements prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting group. You can file a comment about the proposed settlements by September 16, 2015.
If you're responsible for Safe Harbor compliance at your business, here are some tips to help ensure smooth sailing.
Be a tickler stickler. Once your company has complied with the Safe Harbor Framework’s self-certification requirement, use the tickler feature on your calendar to revisit it before your certification expires. Consider whether any changes at your business have affected those seven privacy principles. If you’re still compliant, honor your annual obligation to renew your certification.
For more resources, visit the FTC’s U.S.-EU Safe Harbor Framework page.