Thirteen Companies Violated Safe Harbor Laws, Settle FTC Complaint

August 18, 2015

Thirteen companies have agreed to settle Federal Trade Commission (FTC) charges that they continued to advertise that they had Safe Harbor certification when in actuality those certifications had already lapsed or were never in place at all.

The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks are policy agreements that regulate the way that U.S. companies export and handle the personal information of European citizens. Since E.U. and Swiss privacy laws differ from those in the U.S., this agreement was created so that U.S. companies can comply with E.U. and Swiss law.

Of the 13, seven companies falsely claimed to have current certification in one or both safe harbor programs when their certifications had not been renewed. The remaining six claimed that they had certification in one or both safe harbor programs when they never actually applied for membership.

To participate in the U.S.-EU or U.S.-Swiss Safe Harbor Frameworks, a company must self-certify annually to the Department of Commerce that it complies with the seven privacy principles required to meet the EU's adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. A participant may also highlight for consumers its compliance with the Safe Harbor by displaying the Safe Harbor certification mark on its website.

Under the proposed settlement agreements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.

For more information on the companies implicated in the complaint, visit the FTC website. For more information on Safe Harbor laws, including a list of companies that have current memberships, click here.