Complaint to the FTC Accuses 30 U.S. Companies of Violating the EU-U.S. Safe Harbor
U.S. companies that participate in the EU-U.S. Safe Harbor should be wary of increased scrutiny over the adequacy of their Safe Harbor compliance. U.S. privacy advocates have formally asked the Federal Trade?Commission (FTC) to investigate 30 companies for allegedly failing to comply with the substantive requirements of the data transfer mechanism. The recent request for investigation illustrates that concerns over the EU-U.S. Safe Harbor Agreement are continuing to gather pace both in Europe and the U.S. in ways that could lead to increased enforcement—or even “reform”—of the Safe Harbor. So if Safe Harbor participants have not recently done so, now might be a good time to review their procedures for ensuring compliance with the substantive Safe Harbor privacy principles.
The CDD Complaint
On August 14, 2014, the Center for Digital Democracy (CDD), a nonprofit consumer privacy advocacy organization based in Washington, D.C., filed a complaint and “request for investigation” before the FTC accusing 30 U.S. companies of violating the provisions of the EU-U.S. Safe Harbor framework. The CDD's filing largely targets data marketing and profiling companies, including data brokers that have compiled sensitive information on individual consumers; data management platforms that allow corporate customers to combine their consumer information with outside data sources to produce detailed marketing insights; and mobile marketers that track devices and tie them to user profiles to identify profitable consumers for personalized advertising.
Specifically, the CDD filing asks the FTC to investigate the following 30 companies: Acxiom; Adara Media; Adobe; Adometry; Alterian; AOL; AppNexus; Bizo; BlueKai; Criteo; Datalogix; DataXu; EveryScreen Media; ExactTarget; Gigya; HasOffers; Jumptap; Lithium; Lotame; Marketo; MediaMath; Merkle; Neustar; PubMatic; Salesforce.com; SDL; SpredFast; Sprinklr; Turn; and Xaxis.
Although each of these companies differs in its approach to data collection and processing, the CDD identifies three alleged “patterns of deception” that the FTC should investigate: (1) a failure to uphold Safe Harbor commitments by misstating purposes and practices regarding data collection and use; (2) misrepresentation of important legal facts for consumers; and (3) a failure to update Safe Harbor disclosures to consumers after merging with or acquiring other firms which may have “expanded their data collection and profiling capabilities.” Specifically, the CDD complaint points to the following overarching trends in the companies' privacy practices that “underscore the fundamental weakness of the Safe Harbor in its current incarnation.” According to the CDD, the companies:
- Fail to provide adequate or complete disclosures regarding their use of consumers' data in their privacy policies or Safe Harbor declarations;
- Inaccurately classify themselves as “data processors” rather than “data controllers,” according to the CDD, to avoid certain obligations under EU law;
- Fail to provide meaningful opt-out mechanisms that EU consumers can find and use to remove themselves fully from privacy-harming data collection and processing;
- Mislead consumers by falsely asserting that consumer data is anonymized or non-personally identifiable; and
- Fail to disclose the true nature of the vast “online marketing ecosystem,” including relevant corporate affiliations and networks of data broker partners.
The effect of these practices, according to the CDD, is that these companies are “compiling, using, and sharing E.U. consumers' personal information without their awareness and meaningful consent, in violation of the Safe Harbor framework.”
What Might the FTC Do?
The FTC serves the important role of enforcing the EU-U.S. Safe Harbor framework. Its legal authority in this area is found in Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC may investigate allegations of non-compliance with the requirements of the Safe Harbor to determine whether there was a violation of Section 5. If the FTC concludes that it has reason to believe Section 5 was violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in federal district court, which, if successful, could result in a federal court order to the same effect. The FTC may obtain civil penalties for violations of an administrative cease and desist order and may pursue civil or criminal contempt for violation of a federal court order. If the FTC determines that an organization frequently fails to comply with the principles of the Safe Harbor to the point where its claim to comply is no longer credible, the organization may no longer be entitled to benefit from the Safe Harbor.
Given the current governmental focus on the Safe Harbor, companies should expect that the FTC may investigate substantive violations of the data transfer mechanism. The FTC is actively attempting to rebuild the EU's trust in trans-Atlantic data flows and ensure the EU's continued commitment to the Safe Harbor Agreement, both of which were badly shaken in the wake of the Edward Snowden disclosures last year. In March 2014, for example, the European Parliament passed a resolution calling for the immediate suspension of the Safe Harbor, alleging that it does not adequately protect European citizens. (Parliament's resolution had no immediate effect on the validity of the Safe Harbor, however, because only the European Commission may renegotiate the underlying agreements relating to the Safe Harbor.) The Commission thus far has chosen not to scrap the Safe Harbor, choosing instead to provide the U.S. a 13-point list of “recommendations” to restore the EU's trust in EU-U.S. data flows. Vigorous enforcement of the Safe Harbor by the FTC is a central theme throughout a number of the recommendations.
To assuage the EU's concerns and demonstrate the FTC's commitment to enforcing the Safe Harbor, FTC Chairwoman Ramirez repeatedly has declared that Safe Harbor enforcement is a top priority. In a recent keynote address to the Trans-Atlantic Consumer Dialogue (TACD) regarding the Transatlantic Trade and Investment Partnership (TTIP) negotiations, Chairwoman Ramirez invited “any substantive leads” alleging Safe Harbor-related violations and warned Safe Harbor participants that they “can expect to see more enforcement actions on this front.” Already this year, the FTC has settled charges alleging that 14 U.S. companies falsely represented they were in compliance with the Safe Harbor despite having let their certifications lapse. Under the terms of the settlements, each of the 14 companies is prohibited from misrepresenting its participation in any privacy or data security scheme, including Safe Harbor. In past years the FTC has brought a number of similar enforcement actions asserting violations of Safe Harbor commitments, including high-profile actions against MySpace LLC, Facebook, Inc., and Google, Inc.
Notably, the 2014 settlements involved companies that were the subject of complaints filed in 2013 by Galexia, Inc., further suggesting that the FTC takes seriously Safe Harbor complaints, such as the one filed by the CDD. Still, the FTC has yet to allege substantive violations of the Safe Harbor privacy principles against any company, as the CDD now requests. Rather, in prior enforcement actions, the FTC has alleged only that companies deceptively claimed, either through statements in their privacy policies or by displaying the Safe Harbor certification mark on their websites, that they held current certifications under the Safe Harbor framework even though their certifications had lapsed. The CDD complaint could now prompt the FTC to examine companies' compliance with the Safe Harbor privacy requirements beyond the formality of annual filings in order to demonstrate that the Safe Harbor remains a viable and safe framework for transferring EU personal information to the U.S. It is therefore important that Safe Harbor participants review their current procedures for ensuring compliance with the Safe Harbor privacy principles.