The Federal Trade Commission recently agreed to settle claims against two companies alleging that the companies were not abiding by the U.S.-EU Safe Harbor international privacy framework. While the U.S.-EU Safe Harbor permits companies to self-certify compliance and transfer data from the EU to the U.S. in compliance with EU law, these latest cases highlight the importance of making sure the certifications are accurate and up to date.
The FTC has stressed that these cases “send an important message that businesses must not deceive consumers about whether they hold these certifications, and by extension, the ways in which they protect consumers.”
As outlined in the Department of Commerce’s FAQ on Safe Harbor Self-Certification, in order to self-certify, an entity must submit to the U.S. Department of Commerce a letter signed by a corporate officer that includes a description of the organization’s activities with respect to personal information and a description of the organization’s privacy policy. With respect to the privacy policy, the company must include its effective date, contact information, the specific statutory body that has jurisdiction to hear any claims against the organization, and an independent recourse mechanism for resolving unresolved complaints.
The Department of Commerce offers some helpful hints on self-certifying. Among them, self-certifying organizations may choose to use a private sector dispute resolution program, or they may choose to cooperate with and comply with the EU data protection authorities. The BBB EU Safe Harbor Program, TRUSTe, Direct Marketing Association, the Entertainment Software Rating Board, JAMS and the American Arbitration Association all offer programs in compliance with the Safe Harbor’s Enforcement Principle.
However, as illustrated in the latest FTC cases, an organization should pay close attention to selecting and correctly identifying its independent recourse mechanism, because naming one dispute resolution program in its certification documents while displaying a different form of dispute resolution on its website may be deceptive to consumers.
In addition, organizations that self-certify compliance must remember that certification must be renewed on an annual basis. Claiming certification in a posted privacy policy after failing to renew can also be viewed as deceptive to consumers.
A company that self-certifies should be sure it understands the Safe Harbor Privacy Principles and that its privacy policy is readily accessible and conforms to the Principles. Before submitting for certification, the company should designate a contact regarding the Safe Harbor, establish a procedure to verify compliance, and be clear and consistent as to the independent recourse mechanism the company is going to use.