On February 11, 2014, the Federal Trade Commission (“FTC”) announced that the agency agreed to settle charges that Fantage.com, a children’s online gaming company, falsely claimed compliance with the U.S. – E.U. Safe Harbor Framework. (See FTC (Feb. 11, 2014): FTC Settles with Children’s Gaming Company For Falsely Claiming To Comply With International Safe Harbor Privacy Framework). The FTC’s settlement with Fantage.com marks the thirteenth settlement this year with a company for falsely claiming to abide by an international privacy framework. (See FTC (Jan. 21, 2014): FTC Settles with Twelve Companies Falsely Claiming to Comply with International Safe Harbor Privacy Framework). This Advisory will summarize the FTC’s settlement with Fantage.com, and discuss the potential consequences of a company’s misrepresentation that it abided by a privacy framework.
According to the FTC’s complaint against Fantage.com, the company deceptively claimed in its privacy policy statement that its U.S. – E.U. Safe Harbor Framework certifications were current between June 2011 and November 2013. (See In the Matter of Fantage.com, Complaint). However, Fantage.com did not update its certification with the privacy program after June 2011, although the safe harbor’s guidelines require companies to update their certification on an annual basis. The FTC further stated that Fantage.com violated Section 5 of the FTC Act by allowing its Safe Harbor certification to lapse.
In the proposed settlement agreement, which is subject to public comment before finalization, the company is prohibited from any further misrepresentation of compliance with the U.S. – E.U. Safe Harbor Framework or any other privacy framework. (See In the Matter of Fantage.com, Inc., Agreement Containing Consent Order). Furthermore, Fantage.com is required by the agreement to retain documents relating to such compliance for a five-year period, and to periodically report on its compliance efforts to the FTC.
The U.S. – E.U. Safe Harbor Framework is a voluntary program, which permits American companies to transfer consumer data from the European Union to the United States in compliance with E.U. law. The program is administered by the U.S. Department of Commerce in cooperation with the European Commission.
To participate in the program, a company must self-certify with the Department of Commerce on an annual basis that it complies with the E.U.’s seven privacy principles: (1) notice; (2) choice; (3) onward transfer; (4) security; (5) data integrity; (6) access; and (7) enforcement. The Department of Commerce maintains a public record of companies that are in current compliance with the safe harbor framework at https://export.gov/safeharbor.
The FTC – Fantage.com settlement demonstrates the need for companies to be honest about compliance with privacy frameworks. Although the FTC cannot initially impose civil penalties upon companies that fraudulently represent their compliance with privacy programs, the agency may impose civil penalties of up to $16,000.00 on companies that violate such consent agreements. Furthermore, once companies are subject to such agreements, they are subject to potentially onerous reporting and document retention requirements regarding their compliance with privacy programs. Thus, it is in the best interest of companies to be honest about their outward representations regarding privacy framework compliance in order to avoid the FTC’s scrutiny.
However, it is worth noting that the future of the U.S. – E.U. Safe Harbor framework may be in serious jeopardy. Recently, Chancellor Angela Merkel of Germany backed the idea of creating separate, European data networks that are out of reach of American surveillance. Merkel said that she will discuss the matter soon with President François Hollande of France, and promised that “[w]e will, above all discuss which European providers we have who offer security for our citizens . . . [s]o that you don’t have to go across the Atlantic with emails and other things, but can build up communications networks also within Europe.” (See The New York Times (Feb. 16, 2014): Merkel Backs Plan to Keep European Data in Europe). Moreover, the European Parliament announced on February 12th that a vote on the proposed suspension of the U.S. – E.U. Privacy Safe Harbor framework would occur next month. (See European Parliament Draft Report on the US NSA surveillance programme).
Our firm will continue to monitor developments at the FTC regarding consent agreements with companies that falsely claim to be compliant with privacy frameworks, and other developments in privacy law such as the future of the U.S. – E.U. Safe Harbor. For more information about the firm’s privacy practice, please visit our website or contact Linda McReynolds, Certified Information Privacy Professional (CIPP/US), at lgm@commlawgroup.com.