The FTC this week announced that a dozen US companies including Apperian, BitTorrent and Level 3 Communications have agreed to settle a complaint alleging that they falsely claimed to be in compliance with an international privacy regulation that allows them to transfer consumer data from the European Union to the US.
Mobile application management software vendor Apperian; BitTorrent, the company behind the peer-to-peer file-sharing protocol; DataMotion, an encrypted email and secure file transport platform provider; and Level 3 Communications were joined by eight other companies, including the Super Bowl-bound Denver Broncos and two other National Football League teams.
The FTC claimed that the 12 companies "deceptively claimed" to hold valid and current certifications under the US-EU Safe Harbor framework and, in at least three of the complaints, doubled down with unsubstantiated claims that they also held certifications under the US-Swiss Safe Harbor framework.
This week's reprimand amounts to nothing more than a slap on the wrist and an admonishment to the 12 companies – and others – that the FTC is serious about preventing companies from misrepresenting their adherence to the privacy policies.
Under the proposed settlement agreements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.
"Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority," FTC Chairwoman Edith Ramirez said in a statement. "These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program."
Both the US-EU and US-Swiss Safe Harbor frameworks are voluntary programs administered by the U.S. Department of Commerce under which companies self-certify that they're in compliance with seven privacy principles required to meet the EU's adequacy standard: notice, choice, onward transfer, security, data integrity, access and enforcement.
Typically, companies that opt to participate in the framework like to advertise their participation by way of a Safe Harbor certification on their websites.
In these instances, the 12 companies, either through statements in their privacy policies or by displaying the Safe Harbor certification mark on their websites, claimed to be in compliance with the privacy framework even though their certifications had lapsed.
FTC officials said the companies had all violated Section 5 of the FTC Act, but added that the missteps didn't necessarily mean the companies had committed any "substantive violations" of the privacy principles outlined in the Safe Harbor frameworks.