With the recent data privacy breaches affecting consumers in the United States – look no further than Target’s credit card debacle leading to the resignation of the retailer’s chief executive officer – data privacy appears to be a current focal point for the U.S. Federal Trade Commission (“FTC”). The FTC’s settlement with American Apparel, Inc. (“American Apparel”) is illustrative of the risk a company faces by not paying close enough attention to data privacy.
Earlier this May, the FTC and American Apparel (a worldwide clothing manufacturer and retailer) entered in a proposed consent decree to resolve the FTC’s investigation into the company’s data privacy policies. The FTC did not investigate American Apparel for an actual data privacy breach (there is no indication that American Apparel’s data security was ever breached). Instead, the investigation focused on false and misleading representations on American Apparel’s website concerning the company’s participation in data privacy frameworks agreed upon between the U.S. and Europe, and, separately, the U.S. and Switzerland.
In 1995 the European Union enacted the European Union Directive on Data Privacy (the “Directive”) outlining requirements for data privacy and protection of its member states. Under the Directive, EU member states were required to enact legislation prohibiting the transfer of personal data out of the EU, except to those jurisdiction that the EU has determined have appropriate protections on personal data. To that end, the U.S. and EU, and separately the U.S. and Switzerland, agreed upon a U.S.-EU Safe Harbor Framework and U.S.-Switzerland Safe Harbor Framework (the “Safe Harbor Frameworks”) for the secure transfer of personal data between the parties to the Safe Harbor Frameworks.
To transfer personal data between the EU member states or Switzerland and the U.S. under the auspices of these Safe Harbor Frameworks, U.S. companies must certify to the U.S. Department of Commerce (the “Department of Commerce”) that they comply with the seven principles and requirements of the EU’s Directive: notice, choice, onward transfer, security, data integrity, access and enforcement. After an initial certification, U.S. companies must re-certify annually.
On its website, American Apparel included a privacy statement noting, among other things, that the company had certified to the Safe Harbor principles with the Department of Commerce for the transfer, collection, and storage of personal data between the U.S. and EU members states and Switzerland. According to the FTC, this statement implied that American Apparel was a current participant in the Safe Harbor Frameworks. However, American Apparel’s annual certification lapsed in June 2013 and the company did not re-certify until December 2013. During this roughly six-month period, the FTC alleged that American Apparel’s data privacy statement was false and misleading.
To resolve the FTC’s investigation into its data privacy statement, the company agreed to a proposed consent order with the agency. Under the terms of the consent order, American Apparel is prohibited from making false representations about its membership or participation in any privacy or security program sponsored by the government, regulatory agency or standard-setting organization. Furthermore, the consent order imposes strict reporting and compliance obligations on American Apparel, including a five-year retention policy for all materials relating to the company’s compliance with the consent order; a requirement to disseminate the consent order to all employees, current and future, with responsibilities related to American Apparel’s data privacy; a requirement to provide notice to the FTC of any change in American Apparel’s corporate structure that may affect its compliance with the consent order; and American Apparel must submit a report to the FTC detailing the company’s compliance with the consent order within 60 days, with an ongoing responsibility to file additional reports upon the FTC’s request. While the proposed consent order does not include any financial penalties on American Apparel, the company’s compliance with its obligations could prove costly. Further, the order places the company in the regulator’s sights as well as tarnishes the company’s reputation.
As the American Apparel investigation shows, it does not take a data breach like Target’s recent troubles to put a company under the scrutiny of the FTC. Indeed, this enforcement action, based on misleading statements occasioned by a six-month lapse in data transfer certifications without any actual known or publicized data breach, highlights the FTC’s committed focus to ensuring consumer data privacy. And it serves as a wake-up call to U.S. companies to ensure that they have sufficient and up-to-date data privacy policies, and that their data privacy-related public statements are true and accurate.
Timothy Cornell is the Head and Brian Concklin is a Member of Clifford Chance’s U.S. Antitrust Practice. Both are located in Washington, DC.