No doubt about it: the U.S. Federal Trade Commission (FTC) is serious about taking action against companies that misrepresent their U.S.-EU Safe Harbor certification status.  On February 11, 2014, the FTC announced that children’s online entertainment company agreed to settle charges that it deceptively represented, through statements in its online privacy policy, that it held a current certification under the U.S.-EU Safe Harbor framework.  The settlement follows on the heels of the FTC’s settlements (announced on January 21, 2014) with 12 companies that made representations about Safe Harbor compliance when in fact their certifications had lapsed. These 13 settlements, announced within in the first six weeks of 2014 and added to the 10 settlements reached for similar actions from 2009 to 2012, indicate the FTC’s commitment to ensuring that the Safe Harbor Program remains a vital and effective compliance mechanism for U.S.-based multinational companies.

The Allegations and Order

According to this recent FTC complaint, failed to complete its annual recertification of Safe Harbor compliance but continued to make publically-available statements about its compliance with the U.S.-EU Safe Harbor Framework.  From June 2011 (when the company made its initial self-certification) to January 2014 (when the company renewed its self-certification), the FTC examined the company’s privacy policies and online statements for representations concerning its Safe Harbor status. 

In its complaint, the FTC alleged that the company, “…expressly or by implication…” misrepresented that it was a current participant in the Safe Harbor Framework when, from June 2012 until January 2014, its certification had lapsed.  The FTC cited the following statement made on the company’s website as an example of the false and misleading representations:

“When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-EU Safe Harbor Framework, which covers the transfer, collection, use, and retention of personal data from the European Union.” 

While the FTC does not allege substantive violations of the Safe Harbor Framework, the sanctions that follow place compliance obligations on the company.  The Settlement Agreement Containing Consent Order:  

  • enjoins from misrepresenting its compliance with any governmental or self-regulatory data privacy program for 20 years; and
  • imposes on detailed record-keeping requirements for five years, including maintenance of records (i) for all advertisements or other statements containing representations about privacy program participation; (ii) all materials that form the basis for preparing such representations; and (iii) all materials that call into question the company’s compliance with the Order.

If violates the settlement agreement, the FTC is empowered to assess up to $11,000 per day in monetary penalties.

Compliance Tips

Based on these enforcement actions, any company that self-certifies under the U.S,-EU Safe Harbor Framework should immediately:

  • check its certification status to ensure that it is marked “current” on the Department of Commerce website:;
  • review any privacy policies and online statements referencing the Safe Harbor program to ensure that they properly reflect the status of their certification;
  • institute a systemic reminder six months prior to the recertification date that triggers compliance review activity with a due date for completion prior to the recertification deadline, together with a requirement that the actual online recertification be completed prior to the annual deadline. 
  • remove all references to the Safe Harbor program from publicly available privacy policies and statements if the company’s certification status is unclear; and
  • review substantive compliance with the Safe Harbor program and institute corrective action and controls to ensure that compliance is maintained.