On April 7, 2015 the Federal Trade Commission (FTC) announced two new U.S.-EU Safe Harbor cases. TES Franchising, LLC and American International Mailing, Inc. have agreed to settle FTC charges that the companies falsely claimed they were abiding by the U.S.-EU Safe Harbor Framework, a voluntary but enforceable framework that enables U.S. companies to transfer personal data from the European Union to the United States in compliance with the EU data protection directive’s adequacy requirement.
According to the TES settlement, TES allegedly deceived consumers about the nature of its dispute resolution procedures by noting on its website that Safe Harbor-related disputes would be settled by an arbitration agency, would take place in Connecticut, and costs would be split between the consumer and the company. Aside from the fact that it would be nearly impossible to argue that a dispute resolution process like that is “readily available and affordable,” as the Safe Harbor Framework requires, the TES policy also allegedly failed to align with the TES Safe Harbor certification filing, which stated that TES would resolve disputes through the European data protection authorities, a process which does not require in-person hearings and which costs the consumer nothing. Finally, the FTC complaint notes the alleged misrepresentation by TES that it was a licensee of TRUSTe’s privacy compliance products when in fact TES was not a licensee of TRUSTe.
Similar to the 14 previous FTC settlements for Safe Harbor violations over the past year, both new settlements prohibit the companies from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or other self-regulatory or standard-setting organization. However, the TES settlement represents a noteworthy departure by the FTC from its focus over the past year on companies’ failures to follow the certification or annual recertification requirements of the Safe Harbor program, administered by the U.S. Department of Commerce. Although FTC settlements with Google (2011), Facebook (2012), and MySpace (2012) alleged substantive privacy violations in addition to procedural Safe Harbor claims, the TES settlement marks the first time in nearly three years that the FTC has focused on a substantive Safe Harbor violation (i.e., failing to comply with a specific Safe Harbor requirement, as opposed to a procedural certification claim violation).
The TES case is a renewed warning call from the FTC that companies’ Safe Harbor commitments are being investigated not only from a procedural Safe Harbor certification perspective but from a substantive privacy policy and consumer protection perspective. The lesson from the settlements is that companies need to ensure they are meeting the self-certification and disclosure requirements of Safe Harbor and companies also need to go beyond that to fairly and clearly represent their implementation of the substantive Safe Harbor principles.