In a way that mirrors the undertakings signed by UK data controllers, six U.S. businesses have agreed to settle Federal Trade Commission (FTC) charges that they deceived consumers by falsely claiming they were abiding by the EU/U.S. Safe Harbor framework.
According to six separate complaints filed by the FTC, the six companies deceptively claimed they held current certifications under the Safe Harbor framework. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles.
The FTC complaints charge World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC with representing that they held current certifications to the Safe Harbor program, even though the companies had allowed their certifications to lapse.
Under the proposed settlement agreements, which are subject to public comment (unlike the UK type undertakings), the companies are prohibited from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. Each violation the final agreement may result in a civil penalty of $16,000 (there again unlike the UK undertakings).
The interesting point arising from the USA action is the link to unfair processing if this kind of claim were to made by a UK based data controller. So suppose a UK data controller made a claim that its USA business partners were in Safe Harbor with respect to any transfer of personal data, then this claim would open the UK data controller to a breach of the First Principle if the USA self-certification certificates had lapsed. In general, therefore, if you are making claims to reassure data subjects in fair processing notices about the processing of personal data (e.g. on your web-site), then make sure such claims are justified and up to date.
The agreements can be accessed from http://www.ftc.gov/opa/2009/10/safeharbor.shtm and will be finalised after a period of public consultation. If you want to make a comment, be my guest; just download http://www.ftc.gov/os/2009/10/sixcasespubliccomment.pdf. Details of Safe Harbor on http://export.gov/safeharbor).