While transatlantic data transfers have received many privacy headlines as of late, today the FTC turned its enforcement gaze toward data transfers across the Pacific Ocean. In an action reminiscent of the its US-EU Safe Harbor enforcement efforts, the Commission announced a consent decree against a company claiming participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. VIP Vape, which manufactures and distributes hand-held vaporizers, had allegedly stated on its website privacy policy that it participated in the APEC self-regulatory system:
VIP Vape abides by the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules System. The APEC CPBR [sic] system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies.
The problem, according to the FTC’s allegations, was that VIP Vape is not and has never been certified to participate in the program, even though it never claimed to be so certified.
Under the terms of today’s proposed consent order, VIP Vape is prohibited from future misrepresentations regarding its participation, membership, or certification in any privacy or security self-regulatory program. This action suggests that the FTC will continue to require companies to honor their promises, express or implied, even with respect to nascent data protection frameworks.
Indeed, absent a comprehensive transatlantic data transfer program, it makes sense for the FTC to turn its attention toward the CBPR system. The framework is designed to protect consumer data transfers across the APEC region, which consists of major Pacific Rim economies. The CBPR system is based on the familiar Fair Information Privacy Practices, including preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability. The system is voluntary, and companies seeking to participate must be certified by independent accountability agents. As with the Safe Harbor, certified companies also are listed publicly on the CBPR’s website.
With today’s action, the FTC again reminds companies to check the accuracy of their privacy policies, including implied claims in them.