Crowell & Moring

The Federal Trade Commission (FTC) has struck again in the data privacy world, this time at 13 companies that allegedly misrepresented in their privacy statements that they were U.S.-EU or U.S.-Swiss Safe Harbor certified. This latest enforcement sweep demonstrates the FTC’s privacy focus and reinforces the need for companies to make accurate public representations.

The FTC charged the 13 companies with misleading consumers and has proposed placing them under a familiar 20-year consent order. The consent order requires the companies to refrain from  misrepresenting privacy or security program adherence and to keep strict records for the FTC’s overview. For the next 20 years, any companies that disobey the consent order will be subject to a $16,000 civil penalty per violation.

The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks (collectively, “Safe Harbor”) are the most popular of several mechanisms through which companies can legally transfer personal data from Europe to the United States. There are currently over 4,300 U.S. companies certified to the U.S.-EU Safe Harbor.

As FTC Chairwoman Edith Ramirez said this week, “The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks are important agreements, and the FTC remains strongly committed to enforcing them. Companies must not deceive consumers about their participation in these programs.”

The FTC’s focus on Safe Harbor enforcement, and privacy enforcement in general, raises concerns for companies of all sizes. Indeed, the FTC has now undertaken 39 Safe Harbor-related enforcement actions against both small and large U.S. companies in the past five years. Here are five key items for companies to review based on the lessons learned from these settlements:

  1. Privacy statement promises and guarantees about data privacy and security;
  2. Privacy statement claims regarding industry/government certifications or standards;
  3. Privacy statement Safe Harbor certification claims;
  4. Safe Harbor list status (or lack thereof); and
  5. International data transfer needs and requisite legal obligations.

Companies that have doubts about compliance with their legal obligations should consult legal counsel given the risks related to violations.

The settlements coincide with impending changes to the U.S.-EU Safe Harbor Framework. The U.S. Department of Commerce, which administers Safe Harbor, is finalizing negotiations with Europe over program updates. Those changes will likely require companies to perform more privacy-related due diligence and commit to further onward transfer obligations, so keep your eye on Data Law Insights for further news and resources.


*Christopher Hoff is an associate in Crowell & Moring’s Privacy and Cybersecurity Group. Prior to joining Crowell & Moring, Christopher administered the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks for the U.S. Department of Commerce and assisted the FTC with Safe Harbor enforcement actions while seconded to the FTC in 2014.