FTC Serious About Safe Harbor Framework Enforcement

February 4, 2014

Perhaps signaling increased scrutiny of Safe Harbor Framework certification, the Federal Trade Commission (FTC) announced recently that it settled 12 enforcement actions where companies had allegedly falsely asserted compliance with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks. The defendant-companies had claimed compliance with the relevant frameworks even though they had let their certifications lapse.

Under the U.S.-EU Safe Harbor program, U.S. companies operating in the EU are permitted to transfer EU customers’ data out of the EU if they declare compliance with the Safe Harbor Framework, which includes seven privacy principles similar to the 1995 EU Data Protection Directive. Under the U.S.-Swiss program, companies similarly promise to comply with Swiss data protection principles. Both programs require that companies reaffirm the “existing self-certification.”

The U.S. Department of Commerce administers the programs, including maintaining the registry of self-certified companies, but the FTC undertakes any enforcement action related to the programs.

“Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program,” said FTC Chairwoman Edith Ramirez.

These enforcement actions are noteworthy for companies that conduct business in Europe because European and Swiss authorities and businesses have been increasingly skeptical of U.S. data protection measures since Edward Snowden revealed the PRISM program. EU lawmakers and individual member states have — or at the very least, intimated — skepticism about the efficacy of the Safe Harbor Framework in protecting individual data. The FTC’s action is likely intended to signal to European and Swiss counterparts that the U.S. takes its Safe Harbor Framework responsibilities seriously.