Federal Trade Commission Targets Organizations with Expired U.S.-EU Safe Harbor Certifications

Wilson Sonsini Goodrich & Rosati

Organizations in the United States that certify to the U.S.-EU Safe Harbor Framework to transfer and receive personal data about residents of the European Union must annually reaffirm to the U.S. Department of Commerce that they are still in compliance with the framework's requirements. The Federal Trade Commission (FTC) is targeting organizations that fail to do this, alleging that these organizations are making false and misleading statements in their privacy policies when they state that they are in compliance with the Safe Harbor Framework but have allowed their certification to lapse. An FTC enforcement action often results in a 20-year settlement with ongoing compliance obligations and the potential for monetary penalties for any future Safe Harbor noncompliance issues.

An organization's Safe Harbor certification status can easily be checked by visiting the Department of Commerce's Safe Harbor website at https://safeharbor.export.gov/list.aspx. The FTC can use this website to identify organizations with lapsed certifications, and, as such, the FTC has a readily available source for detecting possible noncompliance. Organizations that have certified to the Safe Harbor Framework should ensure that they have a current certification, and that the information on file is accurate. If an organization's certification is not current or accurate, it should quickly move to recertify and/or correct any inaccurate information.

The FTC has brought over a dozen enforcement actions against organizations that publicly state that they are in compliance with the U.S.-EU Safe Harbor Framework but fail to live up to their statements. Last summer, the FTC settled with fourteen organizations that let their Safe Harbor certifications expire.1 Just last month, the FTC brought two more enforcement actions involving certification lapses;2 additional enforcement is likely. Implementing privacy and data security programs can take substantial effort. But implementation is just the beginning of an ongoing compliance cycle. Regular maintenance is necessary to ensure that programs meet the needs of current operations by adapting to changing operational environments. Similarly, it is essential to make sure that the organization continues to meet its existing and new privacy-related compliance obligations.


1 FTC Press Release, “FTC Approves Final Orders Settling Charges of U.S.-EU Safe Harbor Violations Against 14 Companies,” available at https://www.ftc.gov/news-events/press-releases/2014/06/ftc-approves-final-orders-settling-charges-us-eu-safe-harbor.
2 FTC Press Release, “FTC Settles with Two Companies Falsely Claiming to Comply with International Safe Harbor Privacy Framework,” available at https://www.ftc.gov/news-events/press-releases/2015/04/ftc-settles-two-companies-falsely-claiming-comply-international.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
