Level 3, 11 other companies settle FTC privacy complaint

Twelve U.S. companies, including Internet service provider Level 3 Communications and BitTorrent, the company behind the popular peer-to-peer file-sharing protocol, have agreed to settle U.S. Federal Trade Commission charges that they falsely claimed to abide by an international data privacy framework.

The 12 companies falsely said they complied with the so-called U.S.-E.U. Safe Harbor, which allows U.S. companies to transfer consumer data from the European Union to the U.S. in compliance with E.U. law, the FTC said in a Tuesday press release.

Other companies settling the FTC charges included DataMotion, a vendor of encrypted email and secure file transport software; Apperian, maker of mobile applications for business enterprises and security; and National Football League teams the Atlanta Falcons Football Club; PDB Sports, doing business as the Denver Broncos Football Club; and Tennessee Football, known as the Titans.

Level 3, in a statement, said it takes the data privacy of its customers, employees and vendors "very seriously."

"The agreement with the FTC concerned a technical issue of an outdated safe harbor reference in our privacy policy," the statement continued. "We've since revised the policy to address the FTC's concerns and at no point in time was the privacy of personal information compromised as a result of this issue."

Representatives of BitTorrent, DataMotion and Apperian didn't immediately respond to a request for comments.

Enforcement of the framework is an FTC "priority," FTC Chairwoman Edith Ramirez said in a statement. "These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program."

The companies deceptively claimed to hold current certifications under the U.S.-E.U. Safe Harbor framework and, in three of the complaints, certifications under the U.S.-Swiss Safe Harbor framework, the FTC said in complaints against the companies.

To participate in the E.U. framework, a company must certify annually to the U.S. Department of Commerce that it complies with seven privacy principles required to meet the EU's adequacy standard. Those principles are notice, choice, onward transfer, security, data integrity, access and enforcement.

The companies, through statements in their privacy policies or display of the safe harbor certification mark, said they held current certifications, even though the companies had allowed their certifications to lapse. The FTC alleged that the conduct violates the FTC Act prohibiting unfair or deceptive business practices, but the violations do not necessarily mean that the companies committed any substantive violations of the privacy principles, the agency said.

Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.