FTC Turns Enforcement Gaze toward Transpacific Data Transfers

Blog WilmerHale Privacy and Cybersecurity Law

While transatlantic data transfers have received many privacy headlines of late, today the FTC turned its enforcement gaze toward data transfers across the Pacific Ocean. In an action reminiscent of its US-EU Safe Harbor enforcement efforts, the Commission announced a consent decree against a company claiming participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. VIP Vape, which manufactures and distributes hand-held vaporizers, had allegedly stated in its website privacy policy that it participated in the APEC self-regulatory system:

VIP Vape abides by the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules System. The APEC CPBR [sic] system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies.

The problem, according to the FTC’s allegations, was that VIP Vape is not and has never been certified to participate in the program, even though it never claimed to be so certified.

Under the terms of today’s proposed consent order, VIP Vape is prohibited from future misrepresentations regarding its participation, membership, or certification in any privacy or security self-regulatory program. This action suggests that the FTC will continue to require companies to honor their promises, express or implied, even with respect to nascent data protection frameworks.

Indeed, absent a comprehensive transatlantic data transfer program, it makes sense for the FTC to turn its attention toward the CBPR system. The framework is designed to protect consumer data transfers across the APEC region, which consists of major Pacific Rim economies. The CBPR system is based on the familiar Fair Information Privacy Practices, including preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability. The system is voluntary, and companies seeking to participate must be certified by independent accountability agents. As with the Safe Harbor, certified companies also are listed publicly on the CBPR’s website.

With today’s action, the FTC again reminds companies to check the accuracy of their privacy policies, including implied claims in them.
