The Federal Trade Commission (FTC) last week announced it had settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it’s business as usual. But does it at least indicate more enforcement to follow?
The FTC’s complaints stated the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. The settlements, open to public comment until February 20, would prohibit the companies from misrepresenting their adherence to any other data security or privacy programs “by the government or any other self-regulatory or standard-setting organization,” the FTC press release states.
The companies involved in the settlements span various industries, including mobile apps, DNA testing and professional sports teams. Companies may self-certify to Safe Harbor by self-certifying to the U.S. Department of Commerce that they comply with several principles identified for EU adequacy, and they must recertify every year to maintain their status.
While this may just be the FTC doing its job, others say the settlement indicates a conscious effort at the FTC—Safe Harbor’s policeman—to carry a big stick. If the latter were true, there’d be plenty of reason for it. Namely, the European Commission. After months of grumbling by data protection authorities, politicians and other stakeholders about the U.S.’s management of Safe Harbor, the European Commission last month issued the FTC an “or else” list: 13 ways it could save Safe Harbor. The list of demands will be reviewed this summer, the commission said in its memo, at which time decisions will be made on the future of Safe Harbor.
“This kind of action was very much expected, as the ball was in the FTC's court after the developments in Europe,” said Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E. “It shows that the FTC is keen to emphasize that Safe Harbor is for real and is here to stay.”
However, FTC Commissioner Julie Brill said the settlements aren’t anything more than a continuation of the FTC’s ongoing enforcement efforts.
“I don’t believe the enforcement actions we announced (last) week indicate a shift in FTC enforcement priorities or efforts,” Brill said. “Nor do I believe these settlements were reached because of pressure from the European Commission or anyone else. Rather, this latest round of FTC Safe Harbor enforcement actions is simply another indication of the continued seriousness with which the Federal Trade Commission approaches Safe Harbor enforcement.”
While Chris Connolly, a lawyer and researcher specializing in privacy at Galexia, is pleased to see the FTC taking action, he said this is only the first group of cases submitted to the FTC. It was Connolly who filed complaints with the FTC in early 2013 over false Safe Harbor claims and noncompliance—five years after his 2008 report over the same issues. The 2008 allegations resulted in six settlements between the FTC and the companies accused of misrepresenting Safe Harbor compliance. When he revisited the issue last year, he found “very high levels of false claims,” he said. There are more of his 2013 complaints being investigated, he said—a statement confirmed by Brill in a previous interview with The Privacy Advisor.
However, the latest settlements are still interesting for a couple of reasons, Connolly said.
“If you look at the cases in detail, they are very different. One of the false claims has been going on for eight years,” he said of the settlement with National Football League Atlanta Falcons. “Three of the false claims were also verified for many years by TRUSTe (which offers Safe Harbor trust seal certification) … So there are a lot of interesting details in the individual cases.”
Hogan Lovells’ Christopher Wolf said it’s important to look at the FTC’s history in enforcing Safe Harbor. A report by the Future of Privacy Forum, which Wolf co-chairs, found Safe Harbor to be an effective data transfer mechanism. The FTC brought 10 Safe Harbor enforcement cases from 2009 to 2013, the report notes, most of them initiated not because of complaints from European data protection authorities but initiated by the FTC itself.
Given that background, “I don’t think it’s fair to say that the settlements are solely a reaction to recent criticisms coming from the EU,” Wolf said. “However, it does appear that the European Commission’s strategy memo of November 13, which called for a strengthening of Safe Harbor, may have had some role.”
However, he added, “With these settlements coming less than two months after the commission’s report, it does seem likely that the enforcement actions were motivated in part by a desire to show the FTC’s effectiveness in enforcing Safe Harbor.”
Josh Harris of the Future of Privacy Forum, who worked closely with Safe Harbor during his years at the Department of Commerce, said the settlements are indeed a continuation of the FTC’s enforcement priorities.
Chairwoman Edith Ramirez “reiterated that the FTC would continue to make Safe Harbor a top enforcement priority in October's Transatlantic Consumer Dialogue,” Harris said. “And I think these settlements evidence that."
Wilson, Sonsini, Goodrich & Rosati’s Cédric Burton said from Brussels that European privacy professionals are certainly concerned with any developments related to Safe Harbor. However, the announcement that the FTC had settled with 12 companies is flying somewhat under the radar, he said.
“Critics against the Safe Harbor will likely continue as the Safe Harbor is an easy target, but hopefully this latest development will be seen positively in the EU,” he said, adding that the settlements are a good “first step towards restoring trust in EU-U.S. data flows and addressing the concerns raised by some European institutions and data protection authorities.”
Galexia’s Connolly said the announcement of the settlements doesn’t mean anything has been set in stone. With nearly a month left for public comment, he’s preparing his.
“Personally, I will be supporting 11 of the consent orders, with a few minor suggestions,” he said.
He will oppose the consent order with DDC Laboratories.
“They are a DNA testing/paternity testing provider, with a large footprint in Europe,” Connolly said via e-mail. “I don't believe a light-touch consent order is an appropriate sanction for an organization collecting such sensitive information while making a false claim about Safe Harbor. I would like to see a requirement for DDC Labs to inform any European customers who may have relied on the false claim.”
Regardless of how the settlements wind up following the comment period, no one is saying the settlements signal that Safe Harbor is now on safe ground. Ustaran said there’s more to be done.
“The U.S. and the EU will now have to work on how to align their positions on global data flows,” he said.