In early August, the Federal Trade Commission (“FTC”) announced the first enforcement action against a U.S. company for violation of the US/EU Safe Harbor Program. This enforcement action should serve as a call-to-action for all Safe Harbor program participants to review their safe harbor programs now, and re-affirm their compliance.
The US/EU Safe Harbor program was negotiated between the U.S. and EU governments as a way to reconcile the fact that under the EU’s Data Protection Directive (with some exceptions) organizations may only transfer personally identifiable information from the EU to countries that the European Commission has deemed to have adequate data protection laws—and the U.S. is not one of those countries. Therefore, the EU/US Safe Harbor program was created in 2001 as a way for U.S. companies to receive personal data from the EU.
To participate in the program, a U.S. company self-certifies to the U.S. Department of Commerce (and commits in a publicly-facing policy) that it will follow the Safe Harbor Privacy Principles (the “Principles”), which mirror the core requirements of the EU Data Protection Directive.
Companies that fail to adhere to the Principles may be subject to liability under Section 5 of the Federal Trade Commission Act, which governs deceptive and unfair business practices. Until now, no company (at least publicly) had been prosecuted under that statute for violating safe harbor. Just recently, however, the FTC brought suit in the Central District of California against a California-based company, Balls of Kryptonite. According to the FTC, the company marketed itself to consumers in the UK and used “.co.uk” domain names to mislead UK consumers into believing that the company was based in the EU. Many customers complained to UK regulatory agencies when they were forced to pay high duties to import the goods they bought on the website and when they were subject to onerous return policies when the goods they received did not match what they had purchased.
Among other things, the FTC brought suit against the company because it had falsely claimed in its privacy policy that it was certified under the Safe Harbor program when in fact it had not been. Oddly, then, the first safe harbor enforcement action was not against a Safe Harbor certified company that had violated the Principles per se, but against a company that was never safe-harbor certified in the first place and falsely purported to be.
The FTC’s enforcement action should serve as a wake-up call to U.S. companies that have been lulled, during the eight years since the Safe Harbor program was put into place, into the mindset that the FTC is not enforcing the program. Although for almost a decade U.S. companies have been able to take a “wait and see” approach as to the FTC’s enforcement appetite, that era may be coming to an end. All U.S. companies that import personally identifiable information from Europe under the Safe Harbor should review their safe harbor policies now, and re-affirm their compliance with the Principles.