The U.S.-EU Safe Harbor Framework is a cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. To join the Safe Harbor Framework, a company must self-certify to the Department of Commerce that it complies with seven privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and related requirements that have been deemed to meet the EU’s adequacy standard.
Although the Commission alleged that the company’s conduct violated Section 5 of the FTC Act, the FTC noted that this does not necessarily mean the company committed any substantive violations of the Safe Harbor Framework’s privacy principles.
The proposed settlement agreement prohibits American Apparel from misrepresenting “in any manner, expressly or by implication, the extent to which [it] is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization”, including the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework.
In the press release accompanying the settlement, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, stated that “[t]he FTC is committed to making sure that when companies claim they’re participating in the U.S.-EU Safe Harbor Framework, they’re abiding by the terms of the program.”
Read the FTC Business Center Blog’s post about recent Safe Harbor settlements.