The Federal Trade Commission (“FTC”) announced last week that it has issued a warning letter to more than a dozen unnamed companies for misrepresenting—on their websites, privacy policies, and other public statements—that they are certified participants in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor agreements. Both these frameworks, administered in the United States by the U.S. Department of Commerce, were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, respectively. Under the Privacy Shield programs, certified American businesses are eligible to receive personal data transferred from European Union countries and Switzerland, and are considered to provide “adequate” privacy protection—one of the requirements of the EU General Data Protection Regulation (GDPR) and Swiss Federal Act on Data Protection.
The FTC also disclosed that it had reached a settlement with Florida background screening company SecurTest, Inc., related to allegations that it falsely claimed certified participation in the EU-U.S. Privacy Shield program. Under the settlement, SecurTest Inc. must comply with orders to create proper records, publish compliance reports, and submit to compliance monitoring by representatives of the FTC.
The FTC is taking note of businesses that fail to recognize that the Safe Harbor framework is no longer in force or that certification under Safe Harbor does not automatically certify businesses under the Privacy Shield programs.
On a related front, two other companies have received FTC warning letters for falsely claiming that they are certified participants in the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules system, a voluntary but enforceable framework designed to protect consumer data traveling between APEC-member countries.
The lesson for companies is clear: don’t claim compliance with these self-regulatory frameworks if you are not—the FTC is watching. Our Privacy and Cybersecurity team works with many companies to help them understand the EU, Swiss and APEC framework requirements. Please contact us if your business needs help certifying under any of these cross-border privacy frameworks.