The U.S.-EU Safe Harbor Framework is a cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. To join the Safe Harbor Framework, a company must self-certify to the Department of Commerce that it complies with seven privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and related requirements that have been deemed to meet the EU’s adequacy standard.
According to the complaint filed by the FTC, Fantage.com, which makes an online role-playing game directed at children, deceptively claimed that it held a current U.S.-EU Safe Harbor certification, when in fact the company had allowed its certification to expire in June 2012. The complaint alleges that this conduct violates Section 5 of the FTC Act, however, the FTC does not allege any substantive violations of the Safe Harbor privacy principles or of the Children’s Online Privacy Protection Act.
The proposed settlement agreement prohibits the company from misrepresenting the extent to which it participates in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
In January 2014, the FTC announced settlements with twelve companies stemming from similar charges of falsely claiming compliance with the U.S.-EU Safe Harbor Framework.