Nothing “Safe” About It: Companies That Falsely Certify Compliance with the U.S.-E.U. Safe-Harbor Framework May Receive Years of Regulatory Oversight
In 2000, the European Commission and U.S. Department of Commerce developed the so-called “U.S.-E.U. Safe-Harbor Framework” as a way to foster data transfer between the United States and E.U. countries notwithstanding concerns that U.S. privacy laws do not offer the same level of protection as E.U. laws with respect to personally identifiable information. As part of the safe-harbor framework, companies that choose to enter the program must publicly declare compliance with the safe-harbor requirements, which include adherence to seven privacy principles touching on the areas of notice, access, data integrity, individual choice (opt in/out rules), security, third-party transfer, and enforcement. The principle of “enforcement” includes making sure that procedures are in place to verify a company’s adherence to the rules and a sanctions regime sufficient to ensure compliance.
In late November 2013, and in response to some of the Edward Snowden leaks concerning U.S. surveillance in Europe, the European Commission issued a report that recommended, among other things, increased U.S. government oversight and enforcement with respect to private companies that self-certified compliance with the safe-harbor framework. As predicted, the report spurred the Federal Trade Commission, one of the agencies responsible for government enforcement of the framework, to increase its scrutiny of company compliance, ultimately accusing more than a dozen companies of falling short of the framework’s requirements.
The latest company in the FTC’s cross-hairs was Fantage.com Inc. — a New Jersey-based online entertainment company that runs multi-player role-playing games. The FTC alleged in its administrative complaint that Fantage misrepresented in its privacy policies that it adhered to the safe-harbor framework. Specifically, in 2011, Fantage submitted, to the U.S. Department of Commerce, a self-certification of compliance. The Department of Commerce maintains a public website that posts the names of companies that have self-certified, and indicates whether a company’s self-certification is “current” or “not current.” Fantage failed annually to renew that self-certification in 2012 and 2013 (it did renew in 2014), and therefore DOC listed it as “not current” for those two years. Despite this “not current” status, Fantage’s privacy policies continued to state in 2012 and 2013 that it complied with the safe-harbor framework and principles. That assertion, the FTC found, was either “expressly or by implication” a representation that Fantage in fact had maintained its “current” status with the Department of Commerce for those years. Thus, the FTC alleged that Fantage was in violation of Section 5 of the FTC Act, which prohibits deceptive trade practices.
It is worth stressing that Fantage may have been fully compliant with the substance of the safe-harbor framework throughout 2012 and 2013. But that did not matter. The failure to self-certify such compliance annually itself created the alleged FTC Act violation.
On February 11, 2014, Fantage reached a proposed consent agreement with the FTC that would prohibit it from any further “misrepresentations” concerning the extent to which it participates in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. Importantly, the company also agreed to “maintain and upon request make available to the Federal Trade Commission for inspection and copying” — for a period of five (5) years from the date of preparation or dissemination (whichever is later) — “all advertisements, promotional materials, and any other statements” containing any representations covered by the consent order. In addition, the order would last for twenty (20) years from the date of issuance. That certainly is a heavy regulatory burden for failing to self-certify compliance with a privacy framework that the company may very well have been following all along. It is also a reminder that companies must take their data privacy programs seriously once they implement them, because the failure to keep privacy policies or company practices current and in line with the rules may result not only in large monetary penalties, but also in years of unwelcome regulatory oversight.