On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program. In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed. The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program. The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC’s First Safe Harbor Enforcement Action.
The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data. Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU. To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard. To maintain its certification to the Safe Harbor program, a company must re-certify on an annual basis that it continues to comply with the seven principles. The Department of Commerce maintains a list of all currently-certified companies.
The proposed FTC settlement agreements highlight that companies certified to the Safe Harbor program should verify that their certifications remain current. If companies wish to cease Safe Harbor membership, their representations, including those in website notices and marketing materials, should be promptly updated to avoid deceptive representations to consumers. In all cases, the defendant companies had let their memberships lapse; exhibits to the FTC’s complaints included pages from their websites, in which the companies continued to purport Safe Harbor membership.
I have read the proposed consent orders against World Innovators and Expat Edge. I am disappointed that these two consent orders (and I assume the other four) propose no penalty against these organizations, resulted in no investigation of whether the organizations actually did respect consumer privacy and security, resulted in no investigation of whether the organizations actually caused harm to consumer privacy and security, and pose no meaningful incentive to cause these organizations and others to respect consumer privacy and security in the future.
A far more active stance than had been taken until now by the FTC, surely; as yet particularly useful in promoting good practices by organizations? .. it sadly does not seem so.