The Federal Trade Commission (FTC) last week announced it had settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it’s business as usual. But does it at least indicate more enforcement to follow?

The FTC’s complaints stated the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. The settlements, open to public comment until February 20, would prohibit the companies from misrepresenting their adherence to any other data security or privacy programs “by the government or any other self-regulatory or standard-setting organization,” the FTC press release states.

The companies involved in the settlements span various industries, including mobile apps, DNA testing and professional sports teams. Companies may self-certify to Safe Harbor by self-certifying to the U.S. Department of Commerce that they comply with several principles identified for EU adequacy, and they must recertify every year to maintain their status.

While this may just be the FTC doing its job, others say the settlement indicates a conscious effort at the FTC—Safe Harbor’s policeman—to carry a big stick. If the latter were true, there’d be plenty of reason for it. Namely, the European Commission. After months of grumbling by data protection authorities, politicians and other stakeholders about the U.S.’s management of Safe Harbor, the European Commission last month issued the FTC an “or else” list: 13 ways it could save Safe Harbor. The list of demands will be reviewed this summer, the commission said in its memo, at which time decisions will be made on the future of Safe Harbor.

“This kind of action was very much expected, as the ball was in the FTC's court after the developments in Europe,” said Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E. “It shows that the FTC is keen to emphasize that Safe Harbor is for real and is here to stay.”

However, FTC Commissioner Julie Brill said the settlements aren’t anything more than a continuation of the FTC’s ongoing enforcement efforts.

“I don’t believe the enforcement actions we announced (last) week indicate a shift in FTC enforcement priorities or efforts,” Brill said. “Nor do I believe these settlements were reached because of pressure from the European Commission or anyone else. Rather, this latest round of FTC Safe Harbor enforcement actions is simply another indication of the continued seriousness with which the Federal Trade Commission approaches Safe Harbor enforcement.” 

While Chris Connolly, a lawyer and researcher specializing in privacy at Galexia, is pleased to see the FTC taking action, he said this is only the first group of cases submitted to the FTC. It was Connolly who filed complaints with the FTC in early 2013 over false Safe Harbor claims and noncompliance—five years after his 2008 report over the same issues. The 2008 allegations resulted in six settlements between the FTC and the companies accused of misrepresenting Safe Harbor compliance. When he revisited the issue last year, he found “very high levels of false claims,” he said. There are more of his 2013 complaints being investigated, he said—a statement confirmed by Brill in a previous interview with The Privacy Advisor.

However, the latest settlements are still interesting for a couple of reasons, Connolly said.  

“If you look at the cases in detail, they are very different. One of the false claims has been going on for eight years,” he said of the settlement with National Football League Atlanta Falcons. “Three of the false claims were also verified for many years by TRUSTe (which offers Safe Harbor trust seal certification) … So there are a lot of interesting details in the individual cases.”

Hogan Lovells’ Christopher Wolf said it’s important to look at the FTC’s history in enforcing Safe Harbor. A report by the Future of Privacy Forum, which Wolf co-chairs, found Safe Harbor to be an effective data transfer mechanism. The FTC brought 10 Safe Harbor enforcement cases from 2009 to 2013, the report notes, most of them initiated not because of complaints from European data protection authorities but initiated by the FTC itself.

Given that background, “I don’t think it’s fair to say that the settlements are solely a reaction to recent criticisms coming from the EU,” Wolf said. “However, it does appear that the European Commission’s strategy memo of November 13, which called for a strengthening of Safe Harbor, may have had some role.”

However, he added, “With these settlements coming less than two months after the commission’s report, it does seem likely that the enforcement actions were motivated in part by a desire to show the FTC’s effectiveness in enforcing Safe Harbor.”

Josh Harris of the Future of Privacy Forum, who worked closely with Safe Harbor during his years at the Department of Commerce, said the settlements are indeed a continuation of the FTC’s enforcement priorities.

Chairwoman Edith Ramirez “reiterated that the FTC would continue to make Safe Harbor a top enforcement priority in October's Transatlantic Consumer Dialogue,” Harris said. “And I think these settlements evidence that."   

Wilson, Sonsini, Goodrich & Rosati’s Cédric Burton said from Brussels that European privacy professionals are certainly concerned with any developments related to Safe Harbor. However, the announcement that the FTC had settled with 12 companies is flying somewhat under the radar, he said.

“Critics against the Safe Harbor will likely continue as the Safe Harbor is an easy target, but hopefully this latest development will be seen positively in the EU,” he said, adding that the settlements are a good “first step towards restoring trust in EU-U.S. data flows and addressing the concerns raised by some European institutions and data protection authorities.”

Galexia’s Connolly said the announcement of the settlements doesn’t mean anything has been set in stone. With nearly a month left for public comment, he’s preparing his.

“Personally, I will be supporting 11 of the consent orders, with a few minor suggestions,” he said. 

He will oppose the consent order with DDC Laboratories.

“They are a DNA testing/paternity testing provider, with a large footprint in Europe,” Connolly said via e-mail. “I don't believe a light-touch consent order is an appropriate sanction for an organization collecting such sensitive information while making a false claim about Safe Harbor. I would like to see a requirement for DDC Labs to inform any European customers who may have relied on the false claim.”

Regardless of how the settlements wind up following the comment period, no one is saying the settlements signal that Safe Harbor is now on safe ground. Ustaran said there’s more to be done.

“The U.S. and the EU will now have to work on how to align their positions on global data flows,” he said.

Written By

Angelique Carson, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»