Skip to main content

When the "Safe Harbor" is Not So Safe

If your company transfers personal data cross-border and you participate in the Safe Harbor program, it’s time to check the status of your certification. For the second time in a month, the Federal Trade Commission has announced enforcement actions against companies under Safe Harbor, the international privacy framework that provides a means for U.S. companies to transfer data from the European Union to the United States in keeping with EU and U.S. law.

In September, the first ever Safe Harbor enforcement action was announced against a California company, Balls of Kryptonite, which had falsely represented that it had self-certified to the Safe Harbor program, when apparently it never had. Yesterday, the FTC continued the trend by announcing six separate enforcement actions in one fell swoop.

According to the six separate complaints, the companies deceptively claimed they held current certifications under the Safe Harbor framework, when in fact the companies had allowed those certifications to expire. Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. To participate in Safe Harbor, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The proposed settlements do not include any monetary penalties nor any admission of guilt, but would require compliance monitoring for 20 years.

If you have put Safe Harbor (either compliance or certification) on the “back burner” because it appeared that the FTC was not enforcing the program, the time for change has come. You should check what representations are being made on public-facing websites and privacy policies regarding Safe Harbor certification and ensure that these representations are accurate and up-to-date. In the cases announced yesterday, the defendant companies had been certified, but had let those certifications lapse. The exhibits to the FTC’s complaints included pages from their websites (see links below), and their own words were used against them.

For more information:
To file a public comment in the FTC proceeding - http://www.ftc.gov/os/2009/10/sixcasespubliccomment.pdf and follow the instructions at that site.

FTC Complaints:
In the Matter of World Innovators, Inc.
In the Matter of ExpatEdge Partners, LLC
In the Matter of Onyx Graphics, Inc.
In the Matter of Directors Desk LLC
In the Matter of Progressive Gaitways LLC
In the Matter of Collectify LLC

Safe Harbor List
To check the status of your company’s Safe Harbor certification - Safe Harbor List

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.