To facilitate the transfer of data, many U.S. companies that do business internationally participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) system. It’s voluntary, of course, but if companies say they participate, that representation – like other objective claims – must be truthful. That’s the lesson of three proposed settlements just announced by the FTC.
APEC’s CBPR system is based on nine data privacy principles: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability. To participate, a company must undergo a review by an APEC-recognized accountability agent, which certifies that the company meets the standards.
Three companies – messaging app developer SpyChatter, cybersecurity software company Vir2us, and endpoint protection software provider Sentinel Labs – claimed on their websites that they participated in the APEC CBPR system. For example, SpyChatter said that it “abides by the APEC CBPR system, which provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies.”
But according to the FTC, the companies weren’t certified to participate and never had been.
The complaint against Sentinel Labs (consumers may know them as SentinelOne) includes an additional count of interest to businesses. Referring to TRUSTe, a third-party privacy certification company, here’s what SentinelOne claimed on its website:
Under the terms of the settlements, the three companies are prohibited from misrepresenting their participation, membership, or certification in any privacy or security program sponsored by a government or by a self-regulatory or standard-setting organization. The FTC is accepting public comments about the proposed settlements until March 23, 2017.
What are the takeaway tips for other companies?
- Live up to your promises about participation in certification or self-regulatory programs. For companies that need to transfer data between countries, mechanisms like APEC’s Cross-Border Privacy Rules system can streamline compliance responsibilities and foster economic growth. Participation is voluntary, but if you say you participate, mean what you say.