FTC enforces US/EU Safe Harbor Program for first time

From Proskauer Rose:

In early August, the Federal Trade Commission (“FTC”) announced the first enforcement action against a U.S. company for violation of the US/EU Safe Harbor Program. This enforcement action should serve as a call-to-action for all Safe Harbor program participants to review their safe harbor programs now, and re-affirm their compliance.

The US/EU Safe Harbor program was negotiated between the U.S. and EU governments as a way to reconcile the fact that under the EU’s Data Protection Directive (with some exceptions) organizations may only transfer personally identifiable information from the EU to countries that the European Commission has deemed to have adequate data protection laws—and the U.S. is not one of those countries. Therefore, the EU/US Safe Harbor program was created in 2001 as a way for U.S. companies to receive personal data from the EU.

To participate in the program, a U.S. company self-certifies to the U.S. Department of Commerce (and commits in a publicly–facing policy) that it will follow the Safe Harbor Privacy Principles (the “Principles”), which mirror the core requirements of the EU Data Protection Directive.

Companies that fail to adhere to the Principles may be subject to liability under Section 5 of the Federal Trade Commission Act, which governs deceptive and unfair business practices. Until now, no company (at least publically) had been prosecuted under that statute for violating safe harbor. Just recently, however, the FTC brought suit in the Central District of California against a California-based company, Balls of Kryptonite. According to the FTC, the company marketed itself to consumers in the UK and used “.co.uk” domain names to mislead UK consumers into believing that the company was based in the EU.

[…]

Among other things, the FTC brought suit against the company because it had falsely claimed in its privacy policy that it was certified under the Safe Harbor program when it fact it had not.