
Wednesday, October 07, 2009

FTC Settles with Six Companies with Lapsed Safe Harbor Certifications

By Mehmet Munur

On October 6, 2009, the Federal Trade Commission filed six complaints against companies that falsely claimed to be self-certified to the Department of Commerce EU Safe Harbor when their certifications had lapsed. This FTC action should serve as a reminder to Safe Harborites either to keep up their annual recertification or to stop representing that they are self-certified to the Safe Harbor.

The EU Safe Harbor is one of the methods that allows US corporations to export data from the EU while complying with Article 25 of the EU Data Protection Directive, which requires (subject to exceptions) that data only be transferred to countries with adequate data protections. The Department of Commerce, the European Commission, and the Article 29 Working Party negotiated the Safe Harbor. US companies self-certify to the Safe Harbor, and the DoC maintains a list of these companies on its export.gov website; enforcement authority, however, rests with the Federal Trade Commission and the Department of Transportation. While the Safe Harbor plays a crucial role for multinational corporations transferring personal data from the EU without violating the EU Data Protection Directive’s adequacy requirements, now more than ever, failure to abide by the Safe Harbor requirements can result in enforcement actions by the FTC.

Six companies, World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive GaitWays LLC, each represented that they were self-certified to the Safe Harbor when in fact their certification had not been renewed for several years. At least three of the companies had failed to either recertify or remove their representations related to their certification from their websites for two to three years. For example, ExpatEdge had certified for the Safe Harbor in 2002 but had failed to recertify since 2006. Onyx Graphics had certified in 2006 but failed to recertify since 2007. Progressive GaitWays had certified in 2004 but failed to recertify since 2006. Since the FTC enforcement, the remaining three companies have recertified for the Safe Harbor.

The six companies each entered into consent agreements with the FTC related to their infringing activities. The consent agreements are similar to the previous FTC settlement on the Safe Harbor. The consent agreements prohibit any of the companies from “misrepresent[ing] in any manner, expressly or by implication, the extent to which respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy, security, or any other compliance program sponsored by the government or any other third party.” Furthermore, the companies must make all documents related to compliance with the consent agreement available for inspection for the next 5 years.

In our previous blog post, we had stated that the FTC’s enforcement was tacked onto other issues related to the shipment of goods. This time the FTC has squarely addressed Safe Harbor violations using its deceptive trade practices powers. According to the FTC policy statement on deception, a material representation, omission, or practice that is likely to mislead the consumer is needed for any enforcement activity. An “act or practice [that] is likely to affect the consumer's conduct or decision with regard to a product or service” is considered material. Additionally, any express claims are presumed material. Furthermore, the Safe Harbor Principles and FAQ 11 of the Safe Harbor clearly state the FTC’s jurisdiction to bring actions against Safe Harborites for deceptive trade practices. Therefore, the companies’ express claims that they were self-certified to the Safe Harbor when their certifications had expired are clearly material misrepresentations that would mislead a reasonable consumer under the circumstances.

The recent enforcement actions in this area are certainly signs of the FTC’s willingness to bring further enforcement actions in the future. The recent changes to the list of organizations certified to the Safe Harbor are possibly another indication of things to come. The International Trade Administration website used to host the Safe Harbor list. Recently, it has moved to the Department of Commerce’s export.gov/safeharbor/ website, which is where all other Safe Harbor related documents used to reside. The list now more readily identifies non-compliant companies.

The FTC is likely to bring more enforcement actions against companies in the Safe Harbor list that represent that they are certified but have not in fact kept up their certifications with the Department of Commerce. The FTC is also likely to expand its enforcement activities into more substantive issues related to the privacy practices of Safe Harborites in the near future. Therefore, Safe Harborites intending to leave the Safe Harbor should either promptly renew their certifications or remove any public representation that they are certified with the Safe Harbor. This should help alleviate any FTC deceptive trade practices claims. However, note that obligations undertaken by a Safe Harborite do not disappear with the organization leaving the Safe Harbor. Therefore, removing such representations only resolves part of the issues involved in joining then leaving the Safe Harbor.


Friday, January 23, 2009

Article 29 Working Party Releases 11th Annual Report

By Mehmet Munur

On January 21, 2009, the Article 29 Working Party released its 11th Annual Report on Data Protection. The report shows a rise in enforcement activities by the European Union Data Protection Authorities (DPAs), resulting in fines totaling millions of Euros and some criminal prosecutions, as well as concerns over the liberal use of electronic discovery in US litigation involving EU subsidiaries.

While the report covers the year 2007, it is a handy (yet belated) insight into all EU Data Protection Authorities’ enforcement activities. Most importantly, it serves as a useful tool to gauge where data protection enforcement in the EU is heading. In 2007, the DPAs focused on a variety of areas of data processing such as electronic healthcare, law enforcement, employment, the financial sector, biometric data, and video surveillance. The report also highlights the local implementation efforts of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Directive) and the varying retention periods set by local legislation.

The Spanish, Dutch, French, and Italian DPAs were just as active in 2007 as in the previous years.

The Spanish DPA noted that in “2007, the number of claims filed by citizens with the AEPD rose by around 7% to a total of 1,624.” The Spanish DPA issued 399 penalties, “a 32.5% increase over the previous year” resulting in fines of 19.6 million Euros—an average of nearly €50,000. Furthermore, “[t]he greater part of the inspections carried out ha[d] to do with telecommunications and financial institutions, followed by video-surveillance, which is now in third place following an increase by over 400%.”

The Dutch DPA stated that in 2007 it had “changed its strategic direction and shifted its priority to carrying out investigations and enforcement actions – the core task of any independent supervisory authority – to ensure a more effective promotion of the awareness of standards.” The Dutch DPA also suggested that it was going after the bigger fish stating that it “g[a]ve priority, as regards requests for help and assistance, to serious violations of a structural nature and to violations which entail major consequences for a substantial number of citizens or for groups of citizens.”

The French DPA reiterated its penalty and audit powers stating that “the CNIL has sanctioning powers enabling it to levy fines to the amount of €150,000 (€300,000 in the case of repetition), within the limit of 5% of turnover.” In 2007, the French DPA issued nine fines ranging from €5,000 to €50,000, five warnings, and 101 formal notifications.

The French DPA also voiced its concerns over US data retention and electronic discovery rules, stating that it had “observed a recent increase in the requirement for the communication of personal data held, inter alia, by the French subsidiaries of American companies that are the subject of discovery proceedings before American civil courts or pre-trial discovery.” The French DPA was worried not just about private litigation but also about discovery by the FTC and SEC. Therefore, the French DPA “attempted to draw the government’s attention to this issue” and set up inter-ministerial discussions.

The Italian DPA also enhanced its inspection activities in 2007. Interestingly, the Italian DPA benefited from the use of the specialized Financial Police when checking compliance with notification requirements, information notices, and security measures. “Overall, 452 inspection proceedings were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation.” The Italian DPA focused on “personal (medical) data by pharmaceutical companies and healthcare bodies; the online processing of personal data; processing aimed at the provision of goods and services via distance selling mechanisms (including call centres); the processing operations performed by Revenue Offices; the retention of users’/subscribers’ data by telecom operators; and e-banking services.” Out of these 452 inspections, the DPA issued 228 administrative sanctions and referred 15 cases to criminal prosecution. The Italian DPA expects revenues of €750,000 from these sanctions.

In sum, enforcement by EU DPAs and the financial liability for violations of local data protection legislation are both on the rise.
