Monday, August 24, 2009

FTC Obtains TRO Against E-Commerce Merchant Falsely Claiming Safe Harbor Certification

By Mehmet Munur

On July 31, the Federal Trade Commission obtained a temporary restraining order against a California website for deceptively claiming to be a member of the EU Safe Harbor administered by the Department of Commerce. This is the first FTC enforcement action to invoke both the FTC’s authority to prosecute violations of the EU Safe Harbor and its authority to prosecute an American company for deceiving foreign consumers.

According to the FTC complaint, the defendants posed as UK websites, did not deliver on minimal consumer protections, and lied about being in the Safe Harbor. Balls of Kryptonite, LLC, is based out of Pasadena, California. However, it operates under www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, states prices in pounds sterling, and refers to UK competitors and Royal Mail. The websites did not specifically state the company’s location, though such a disclosure is required under the Distance Selling Directive. Therefore, the FTC inferred that the websites advertised and sold consumer electronics products to consumers in the UK “under the pretext of being located within the UK.”

The websites shipped products from the US to the UK. Customers also had to pay substantial customs duties and import taxes. Some of these products were incompatible with the UK power grid. The websites also stated that the products would be covered under warranty. The products were not designed for distribution in the UK and, therefore, were not covered by warranty. Further, consumers were not allowed to cancel their orders, were charged 50% restocking fees, and waited weeks for items to be shipped.

Finally, the defendants advertised that they had self-certified with the Department of Commerce for the EU Safe Harbor when they had not. However, this false statement defies all logic. It does not help the defendants establish that they are a website based in the UK. A corporation must have a US establishment that receives personal information from the EU/EEA before it can certify to the Safe Harbor. Maybe this was the company’s way of stating that it was transferring data to the US. Maybe the website owner believed that the Safe Harbor deception would make the website more attractive to UK customers. Nonetheless, Balls of Kryptonite is likely subject to this enforcement not because of inadequate legal advice, but because of a lack of legal advice.

Nevertheless, the temporary restraining order resulting from the enforcement action makes an interesting example due to its scope. The TRO enjoins the defendants from misrepresenting “[t]he extent to which Defendants are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.” Thus, the FTC enjoined the defendants from misrepresenting that they are members of any third-party privacy program. In effect, the FTC is recognizing that the health of the Safe Harbor Program is intricately linked to the third-party programs. The Safe Harbor Enforcement Principle requires an independent dispute resolution mechanism, which TRUSTe’s EU Safe Harbor Program and BBB EU Safe Harbor offer. However, one could argue that third-party privacy seal programs should enforce their own marks and that the FTC should focus on the Safe Harbor program exclusively.

The enforcement action sets a much-needed precedent for false claims related to the Safe Harbor program. Nevertheless, the majority of the complaint was based on false statements concerning the shipment of goods. The Safe Harbor issue appears to be tacked onto the other issues. The Safe Harbor program has been in existence for nearly a decade and studies by the European Commission in 2004 and others in 2008 have argued that enforcement has been lax. One would hope that, in the future, the FTC would bring section five claims exclusively in the data protection realm in addition to mixed consumer protection claims.


Sunday, July 26, 2009

Sears Settles with FTC on Information Tracking

By Mehmet Munur

The FTC entered into a settlement agreement with Sears in June over Sears’ failure to provide adequate notice to its customers during the sign-up process for information collection software. This settlement highlights the need to create accurate highlights notices for privacy policies.

Sears invited customers visiting the Sears.com and kmart.com websites to join the My SHC Community. Sears paid the customers $10 to sign up to participate in the community. Customers downloaded and installed “research” software for participating in the community after being presented with the privacy policy and a license agreement.

Sears mentioned in its marketing material that the software would confidentially track online browsing. However, the FTC charged that the software allowed Sears to monitor consumers’ online sessions, including shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size of web-based e-mails. The FTC appears to be concerned that Sears’ “Privacy Statement and User License Agreement” did not discuss the full scale of the data collection until the 75th line of the agreement. The agreement stated:

Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.

Therefore, the FTC argued, burying the scope of this information collection activity in the 75th line of a legal agreement did not adequately disclose the fact that the consumer was allowing the tracking of all of his or her Internet activity. This, the FTC concluded, was a deceptive practice under Section 5 of the FTC Act.

In hindsight, Sears probably did not need all of the data that it gathered in the first place. The competitive advantage that Sears may gain from collecting and processing such sensitive financial and health data is likely to be outweighed by the burden of maintaining the confidentiality of such sensitive information and the public relations problems that follow its disclosure. Even if Sears could in fact use this data, installation of software that practically works like a commercial key logger likely requires specific and unambiguous consent.

In light of the Sears settlement, corporations should consider building several layers of privacy policies. The Article 29 Working Party and the UK ICO have proposed simplifying privacy policies to provide better notice to data subjects. Such a scheme would require corporations to build and use highlights notices that summarize the privacy notice and link to the full privacy policy.

In fact, some corporations, such as Google and Microsoft, have started using the A29WP approach in their privacy policies. Note that users would still be bound by the full privacy policy under such an approach. Therefore, the highlights notice makes privacy policies easy for consumers to understand while maintaining the detailed approach of a full privacy policy. Possibly, Sears could have used such a privacy policy on its website and more accurately described its information collection.


Friday, January 23, 2009

Article 29 Working Party Releases 11th Annual Report

By Mehmet Munur

On January 21, 2009, the Article 29 Working Party released its 11th Annual Report on Data Protection. The report shows a rise in enforcement activity by the European Union Data Protection Authorities (DPAs), resulting in fines totaling millions of Euros, some criminal prosecutions, and concerns over the liberal use of electronic discovery in US litigation involving EU subsidiaries.

While the report covers the year 2007, it is a handy (yet belated) insight into all EU Data Protection Authorities’ enforcement activities. Most importantly, it serves as a useful tool to gauge where data protection enforcement in the EU is heading. In 2007, the DPAs focused on a variety of areas of data processing, such as electronic healthcare, law enforcement, employment, the financial sector, biometric data, and video surveillance. The report also highlights the local implementation efforts for Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Directive) and the varying retention periods set by local legislation.

The Spanish, Dutch, French, and Italian DPAs were just as active in 2007 as in the previous years.

The Spanish DPA noted that in “2007, the number of claims filed by citizens with the AEPD rose by around 7% to a total of 1,624.” The Spanish DPA issued 399 penalties, “a 32.5% increase over the previous year” resulting in fines of 19.6 million Euros—an average of nearly €50,000. Furthermore, “[t]he greater part of the inspections carried out ha[d] to do with telecommunications and financial institutions, followed by video-surveillance, which is now in third place following an increase by over 400%.”

The Dutch DPA stated that in 2007 it had “changed its strategic direction and shifted its priority to carrying out investigations and enforcement actions – the core task of any independent supervisory authority – to ensure a more effective promotion of the awareness of standards.” The Dutch DPA also suggested that it was going after the bigger fish stating that it “g[a]ve priority, as regards requests for help and assistance, to serious violations of a structural nature and to violations which entail major consequences for a substantial number of citizens or for groups of citizens.”

The French DPA reiterated its penalty and audit powers stating that “the CNIL has sanctioning powers enabling it to levy fines to the amount of €150,000 (€300,000 in the case of repetition), within the limit of 5% of turnover.” In 2007, the French DPA issued nine fines ranging from €5,000 to €50,000, five warnings, and 101 formal notifications.

The French DPA also voiced its concerns over US data retention and electronic discovery rules, stating that it had “observed a recent increase in the requirement for the communication of personal data held, inter alia, by the French subsidiaries of American companies that are the subject of discovery proceedings before American civil courts or pre-trial discovery.” The French DPA was worried not just about private litigation but also about discovery by the FTC and SEC. Therefore, the French DPA “attempted to draw the government’s attention to this issue” and set up inter-ministerial discussions.

The Italian DPA also enhanced its inspection activities in 2007. Interestingly, the Italian DPA benefited from the use of the specialized Financial Police when checking compliance with notification requirements, information notices, and security measures. “Overall, 452 inspection proceedings were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation.” The Italian DPA focused on “personal (medical) data by pharmaceutical companies and healthcare bodies; the online processing of personal data; processing aimed at the provision of goods and services via distance selling mechanisms (including call centres); the processing operations performed by Revenue Offices; the retention of users’/subscribers’ data by telecom operators; and e-banking services.” Out of these 452 inspections, the DPA issued 228 administrative sanctions and referred 15 cases to criminal prosecution. The Italian DPA expects revenues of €750,000 from these sanctions.

In sum, enforcement by EU DPAs and the financial liability for violations of local data protection legislation are both on the rise.


Thursday, January 22, 2009

US-Swiss Safe Harbor Framework Signed

By Mehmet Munur

On December 9, 2008, the Swiss Federal Data Protection and Information Commissioner and the Department of Commerce signed “an exchange of letters” to create the “US-Swiss Safe Harbor Framework.” As a result, multinational corporations certified under the Department of Commerce Safe Harbor program are now able to transfer data from Switzerland to the US more conveniently.

The Swiss Federal Data Protection Act operates similarly to the 95/46/EC Data Protection Directive. Article 6 of the Swiss Act prohibits data exports in the absence of adequate guarantees, similar to Article 25 of the Directive. Since the US, without the Safe Harbor, does not offer adequate protections for personal data, companies were forced to rely on exceptions under Article 6 for data transfers, such as standard contractual clauses approved by the Data Protection Commissioner of Switzerland. Companies can now self-certify at the Department of Commerce website for transfers of personal data from Switzerland, in addition to transfers from European Economic Area countries.
