Business may seem borderless these days, but it’s important that companies honor applicable legal principles. That’s especially true when it comes to privacy. The good news for U.S. businesses is that federal regulators and their EU and Swiss counterparts have international frameworks in place to honor EU privacy standards and streamline compliance responsibilities when transferring data from the European Union and Switzerland to the United States. When companies participate, it’s a win-win for consumers and business. But according to a dozen law enforcement settlements filed by the FTC, some household names claimed to hold current Safe Harbor certifications, but had allowed their certifications to lapse.
How is the FTC involved? On this side of the Atlantic, the program is run by the Department of Commerce, but what a company says about its participation is a claim, subject to the FTC Act’s ban on deceptive representations. When companies say they're participants – either through express or implied statements or through visuals like the Safe Harbor mark – but have let their certification lapse, that means their representation is false, in violation of the FTC Act. And that’s what the FTC says happened in these cases.
The businesses reflect a cross-section of the economy and handle a broad range of sensitive information about employees, health, etc. Named in the settlements are:
- Apperian – a company specializing in apps for business enterprises and security;
- Atlanta Falcons Football Club – yes, those Atlanta Falcons
- Baker Tilly Virchow Krause – an accounting firm
- BitTorrent – a P2P file sharing protocol provider
- Charles River Laboratories International – a company involved in pharmaceutical research
- DataMotion – a platform provider for encrypted email and secure file transport
- DDC Laboratories – the world’s largest paternity testing company
- Level 3 Communications – one of the world’s largest ISPs
- PDB Sports – you know them as the Denver Broncos
- Reynolds Consumer Products – the foil people and makers of other consumer products
- Receivable Management Service Corporation – a global provider of accounts receivable, third-party recovery, and other business services
- Tennessee Football – more commonly known as the Tennessee Titans
Bear in mind that the FTC lawsuits focused only on the companies’ allegedly deceptive claims that they were current program participants. This doesn’t necessarily mean the companies committed any substantive violations of the Safe Harbor framework’s privacy principles. You can file comments about the the proposed settlements by the February 20, 2014, deadline.
The message for business? If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must “re-up” every year. The Department of Commerce has information for businesses interested in learning more about the Safe Harbor program. Bookmark the Business Center’s U.S.-EU Safe Harbor Framework page for details about FTC law enforcement.