FROM: U.S. FEDERAL TRADE COMMISSION
FTC Settles with Two Companies Falsely Claiming to Comply with International Safe Harbor Privacy Framework
Two U.S. businesses have agreed to settle Federal Trade Commission charges they falsely claimed they were abiding by an international privacy framework known as the U.S.-EU Safe Harbor, which enables U.S. companies to transfer consumer data from the European Union to the United States in compliance with EU law.
FTC complaints against TES Franchising, LLC, and American International Mailing, Inc. allege that the companies’ websites indicated they were currently certified under the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework, when in fact their certifications had lapsed years earlier.
“We remain strongly committed to enforcing the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks,” said FTC Chairwoman Edith Ramirez. “These cases send an important message that businesses must not deceive consumers about whether they hold these certifications, and by extension, the ways in which they protect consumers.”
The complaint against TES also alleges that TES deceived consumers about the nature of its dispute resolution procedures. On its website, the company stated that Safe Harbor-related disputes would be settled by an arbitration agency, would take place in Connecticut, and costs would be split between the consumer and the company. According to the FTC’s complaint, the company had agreed in its Safe Harbor certification filing that it would resolve disputes through the European data protection authorities, which do not require in-person hearings and resolve disputes at no cost to the consumer. The complaint also alleges that the company deceptively claimed to be a licensee of the TRUSTe Privacy program.
To participate in the U.S.-EU Safe Harbor Framework or U.S.-Swiss Safe Harbor Frameworks, a company must self-certify annually to the Department of Commerce that it complies with the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. A participant may also highlight for consumers its compliance with the Safe Harbor by displaying the Safe Harbor certification mark on its website.
Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The settlement with TES further prohibits the company from misrepresenting its participation in or the terms of any alternative dispute resolution process or service.
These cases are being brought with the valuable assistance of the U.S. Department of Commerce.
The Commission votes to issue the administrative complaints and accept the proposed consent agreements were 5-0.