The FTC has taken its first ever safe harbor enforcement action against a US business that said it was safe harbor certified for data exports from Europe when, in fact, it was not. Could this pave the way for more safe harbor enforcement in future? Phil Lee reports.
Topic: Privacy
Who: Federal Trade Commission
When: 6 August 2009
Where: UK
Law stated as at: 1 September 2009
What happened:
Rumours have existed for some time now that the United States' Federal Trade Commission ("FTC") has been looking to flex its safe harbor enforcement muscle, and it at last seems to have found a suitable case to enforce.
The FTC and the safe harbor regime
In the United States, the FTC is the regulator charged with ensuring both consumer protection and effective market competition. Under this broad spread of responsibility, the FTC also enforces breaches of the "safe harbor" regime administered by the Department of Commerce to govern exports of personal data from the European Economic Area (the "EEA") to the US.
Broadly speaking, businesses are not permitted to export personal data outside of the EEA unless they satisfy one of a number of possible legal criteria that ensures the non-EEA data importer will afford "adequate" protection to the data it receives (principle 8 of Directive 95/46/EC, better known as the Data Protection Directive). In many instances, the data exporter and data importer will satisfy this requirement by entering a data export agreement on standard terms that have been approved by the European Commission (commonly referred to as a "model contract"). However, where the data importer is a US entity, it may alternatively choose to certify itself under the "safe harbor" regime, in which instance a model contract is not required.
The safe harbor regime was created back in 2000 pursuant to an agreement reached between the United States and the European Union. Eligible US businesses that voluntarily certify under safe harbor agree to adhere to seven safe harbor privacy principles (available here, and including principles as to notice, choice and data security) and are deemed to provide "adequate" data protection for the personal data they import from the EEA.
FTC enforcement action
The FTC took enforcement action against a Californian company, Balls of Kryptonite, and its owner Jaivin Karnani, following a suite of complaints from European consumers. Balls of Kryptonite operates the websites www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, selling electronic goods such as cameras and camcorders. The websites misled consumers into believing that they were buying from a UK business and therefore had the benefit of UK manufacturer warranties when, in fact, the goods were all sold by Balls of Kryptonite in Pasadena. Upon receiving the goods, consumers found themselves charged undisclosed import duties and left with invalid warranties. The FTC therefore chose to take enforcement action to stop the "deceptive practices" undertaken by Balls of Kryptonite.
However, as a separate issue, the FTC also charged Balls of Kryptonite with deceiving consumers that it was self-certified under the safe harbor regime. Despite claiming to have signed up to the safe harbor privacy principles and certified with the Department of Commerce, it had not. A list of entities which have certified under safe harbor can be found on the Department of Commerce's safe harbor website here – and Balls of Kryptonite is conspicuous only by its absence from this list.
Why this matters:
The Department of Commerce and FTC have long been criticised by commentators within Europe for giving nothing more than the slightest nod towards the protection of personal data exported from Europe under the safe harbor regime. To support their criticisms, commentators have often pointed to the fact that, despite purportedly providing "adequate" protection for personal data, the FTC had not (until now) ever brought any enforcement action relating to safe harbor breaches.
The FTC will hope that this enforcement action will go some way to addressing these criticisms and resolving European concerns. However, it is worth noting that this case is being brought a company that deceived consumers into thinking it was safe harbor certified when, in fact, it was not (and some will inevitably hold that view that safe harbor enforcement was merely an afterthought to the main enforcement action for deceiving consumers that Balls of Kryptonite operated in the United Kingdom). There can be little doubt that it would have been more significant had the FTC brought enforcement action against a company that had self-certified under safe harbor, but had failed to abide by the seven safe harbor privacy principles – as this would have shown the FTC's willingness to actively enforce non-compliant certified companies.
Nevertheless, this is a move in the right direction and may pave the way for future safe harbor enforcement. The FTC has filed its complaints in this case with the Californian district courts and Balls of Kryptonite is currently subject to a restraining order requiring it to halt its deceptive representations until the case is finally decided. Assuming the final decision favours the FTC (which seems likely), the FTC may well develop an appetite to search for other safe harbor breaches to enforce. Safe harbor certified US business would therefore be well advised to check the protections they afford to European data they import – or risk incurring the wrath of the FTC.