The Federal Trade Commission (FTC) last week announced it had settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it’s business as usual. But does it at least indicate more enforcement to follow?

The FTC’s complaints stated the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. The settlements, open to public comment until February 20, would prohibit the companies from misrepresenting their adherence to any other data security or privacy programs “by the government or any other self-regulatory or standard-setting organization,” the FTC press release states.

The companies involved in the settlements span various industries, including mobile apps, DNA testing and professional sports teams. Companies may self-certify to Safe Harbor by self-certifying to the U.S. Department of Commerce that they comply with several principles identified for EU adequacy, and they must recertify every year to maintain their status.

While this may just be the FTC doing its job, others say the settlement indicates a conscious effort at the FTC—Safe Harbor’s policeman—to carry a big stick. If the latter were true, there’d be plenty of reason for it. Namely, the European Commission. After months of grumbling by data protection authorities, politicians and other stakeholders about the U.S.’s management of Safe Harbor, the European Commission last month issued the FTC an “or else” list: 13 ways it could save Safe Harbor. The list of demands will be reviewed this summer, the commission said in its memo, at which time decisions will be made on the future of Safe Harbor.

“This kind of action was very much expected, as the ball was in the FTC's court after the developments in Europe,” said Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E. “It shows that the FTC is keen to emphasize that Safe Harbor is for real and is here to stay.”

However, FTC Commissioner Julie Brill said the settlements aren’t anything more than a continuation of the FTC’s ongoing enforcement efforts.

“I don’t believe the enforcement actions we announced (last) week indicate a shift in FTC enforcement priorities or efforts,” Brill said. “Nor do I believe these settlements were reached because of pressure from the European Commission or anyone else. Rather, this latest round of FTC Safe Harbor enforcement actions is simply another indication of the continued seriousness with which the Federal Trade Commission approaches Safe Harbor enforcement.” 

While Chris Connolly, a lawyer and researcher specializing in privacy at Galexia, is pleased to see the FTC taking action, he said this is only the first group of cases submitted to the FTC. It was Connolly who filed complaints with the FTC in early 2013 over false Safe Harbor claims and noncompliance—five years after his 2008 report over the same issues. The 2008 allegations resulted in six settlements between the FTC and the companies accused of misrepresenting Safe Harbor compliance. When he revisited the issue last year, he found “very high levels of false claims,” he said. There are more of his 2013 complaints being investigated, he said—a statement confirmed by Brill in a previous interview with The Privacy Advisor.

However, the latest settlements are still interesting for a couple of reasons, Connolly said.  

“If you look at the cases in detail, they are very different. One of the false claims has been going on for eight years,” he said of the settlement with National Football League Atlanta Falcons. “Three of the false claims were also verified for many years by TRUSTe (which offers Safe Harbor trust seal certification) … So there are a lot of interesting details in the individual cases.”

Hogan Lovells’ Christopher Wolf said it’s important to look at the FTC’s history in enforcing Safe Harbor. A report by the Future of Privacy Forum, which Wolf co-chairs, found Safe Harbor to be an effective data transfer mechanism. The FTC brought 10 Safe Harbor enforcement cases from 2009 to 2013, the report notes, most of them initiated not because of complaints from European data protection authorities but initiated by the FTC itself.

Given that background, “I don’t think it’s fair to say that the settlements are solely a reaction to recent criticisms coming from the EU,” Wolf said. “However, it does appear that the European Commission’s strategy memo of November 13, which called for a strengthening of Safe Harbor, may have had some role.”

However, he added, “With these settlements coming less than two months after the commission’s report, it does seem likely that the enforcement actions were motivated in part by a desire to show the FTC’s effectiveness in enforcing Safe Harbor.”

Josh Harris of the Future of Privacy Forum, who worked closely with Safe Harbor during his years at the Department of Commerce, said the settlements are indeed a continuation of the FTC’s enforcement priorities.

Chairwoman Edith Ramirez “reiterated that the FTC would continue to make Safe Harbor a top enforcement priority in October's Transatlantic Consumer Dialogue,” Harris said. “And I think these settlements evidence that."   

Wilson, Sonsini, Goodrich & Rosati’s Cédric Burton said from Brussels that European privacy professionals are certainly concerned with any developments related to Safe Harbor. However, the announcement that the FTC had settled with 12 companies is flying somewhat under the radar, he said.

“Critics against the Safe Harbor will likely continue as the Safe Harbor is an easy target, but hopefully this latest development will be seen positively in the EU,” he said, adding that the settlements are a good “first step towards restoring trust in EU-U.S. data flows and addressing the concerns raised by some European institutions and data protection authorities.”

Galexia’s Connolly said the announcement of the settlements doesn’t mean anything has been set in stone. With nearly a month left for public comment, he’s preparing his.

“Personally, I will be supporting 11 of the consent orders, with a few minor suggestions,” he said. 

He will oppose the consent order with DDC Laboratories.

“They are a DNA testing/paternity testing provider, with a large footprint in Europe,” Connolly said via e-mail. “I don't believe a light-touch consent order is an appropriate sanction for an organization collecting such sensitive information while making a false claim about Safe Harbor. I would like to see a requirement for DDC Labs to inform any European customers who may have relied on the false claim.”

Regardless of how the settlements wind up following the comment period, no one is saying the settlements signal that Safe Harbor is now on safe ground. Ustaran said there’s more to be done.

“The U.S. and the EU will now have to work on how to align their positions on global data flows,” he said.

Written By

Angelique Carson, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

NEW! FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

IAPP-OneTrust PIA Platform

Simplify privacy impact assessments with this cloud-based customizable platform - free to IAPP members!

72% say privacy is now a board-level concern

Find out more about privacy governance in the IAPP-EY Annual Privacy Governance Report 2016.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Time to Get to Work at the Congress

It's almost here! Thought leadership, a thriving community and unrivaled education...the Congress prepares you for the challenges ahead. Register now!

Plan for the Summit

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities. Registration opens December 19!

Intensive Education at the Practical Privacy Series

This year's Series spotlights Data Breach, FTC and Consumer Privacy, GDPR and Government privacy issues. It’s the education you need NOW. Early bird ends Nov. 4!

Speak at the Symposium

The call for speakers is open! The Symposium returns to Toronto this Spring and programming is now underway. Looking to share your privacy prowess? Submit by November 20!

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»