The Federal Trade Commission is cracking down on companies that falsely certify compliance with the United States and EU safe harbor framework on data protection. Expect that scrutiny to only intensify in the coming year.

Developed in 2000 by the U.S. Department of Commerce and the European Commission, the U.S.-EU Safe Harbor Framework establishes a set of guidelines that provide a streamlined means for U.S.-based companies to legally transfer personal data from Europe into the United States. To participate, a company must self-certify to the Department of Commerce that it meets the EU's stringent standard for data protection, and further must reaffirm its certification annually thereafter.

Companies that violate the safe harbor principles could face enforcement action by the FTC. Even though the safe harbor has been around for more than a decade, the FTC has only just begun to aggressively pursue companies—and now it would appear no industry is out of its reach. According to FTC Chairman Edith Ramirez, “Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority.”

In the first six weeks of 2014, the FTC entered into 13 settlements to resolve violations where companies falsely claimed compliance with the safe harbor, either in privacy policy statements or by displaying the safe harbor certification mark on their Websites. In comparison, the FTC reached only 10 EU data protection safe harbor-related settlements in all of 2009 through 2012, and none last year.

The sudden surge in FTC enforcement actions follows deep-seated and growing criticism by the European Commission of what it views as lax enforcement of the safe harbor principles by U.S. authorities. Such criticism has only intensified since the fallout from the Edward Snowden leaks about U.S. government surveillance of European citizens.

“The safe harbor has met its strongest challenges in the past year than it has throughout its history,” says Amy Worlton, a partner with law firm Wiley Rein. “The FTC responded by moving the review of safe harbor compliance up its priority list.”

Case Details

On Feb. 11, children's online entertainment company Fantage.com became the latest company to be hit with an enforcement action. According to the settlement charges, Fantage.com falsely asserted through statements in its online privacy policy that it adhered to the safe harbor principles, even though its certification had expired.

Under the settlement, Fantage.com must no longer misrepresent its compliance with any standard-setting body's data privacy program. The settlement further requires Fantage.com to keep detailed records for a period of five years, including all advertisements or other statements containing representations of its participation in such privacy programs.

A dozen other organizations entered into similar agreements with the FTC in January, also for deceptively claiming current certification with the safe harbor. The organizations involved represented a cross-section of industries including retail, technology, accounting firms, and the National Football League.


The recent increase in safe harbor enforcement actions may not be enough to satisfy the EU, however. Most of the penalties came for not re-certifying compliance, not for any substantive violations of the data privacy or security rules. “Even though the FTC certainly has been responsive to the European Commission,” Worlton says, “it hasn't conducted any deep and intensive review on how those companies use, collect, and share the personal data of EU citizens.” Anybody can go on the Commerce Department Website to check whether a company is current with safe-harbor certification, she says.

It's that sort of lax enforcement that caused pushback from privacy watchdog groups like the Electronic Privacy Information Center. “The minimal sanctions that currently result do not provide sufficient assurance of compliance,” EPIC stated in a comment letter to the FTC in response to the settlements. As one solution, EPIC urged the FTC to require that these companies implement the Consumer Privacy Bill of Rights.

On a more concerning level, Worlton says, EU companies seem to be growing increasingly distrustful of the safe-harbor framework, which is worrisome for any U.S. company that does business with the European Union. “That's a real way to make the safe harbor weaker,” she says.

FTC enforcement is essential for ensuring that the privacy principles remain in place as an effective compliance mechanism for U.S. companies, says Ann Killilea, counsel in the law firm McDermott, Will & Emery. Having the ability to self-certify compliance with the safe harbor encourages companies “to develop, sometimes for the first time, an enterprise-wide data protection program,” she says.

Proactive Measures

Prior to self-certifying compliance with the safe harbor, Killilea advises companies to take the following steps:

Form a cross-functional privacy and data protection team;

Develop a global privacy policy that reflects compliance with the safe harbor principles;

Ensure employees are trained on that global privacy policy;

Provide an independent recourse for privacy complaints;

Establish an identifiable privacy contact resource, such as a chief privacy officer role; and

Represent that it's properly certified on the Commerce Department Website.

Self-certifying compliance with the safe harbor principles is “not something companies should just do off-the-cuff,” says Chanley Howell, a partner with law firm Foley & Lardner. They should first conduct an internal investigation and be able to confirm, by going through a checklist, compliance with each principle, he says.

SAFE HARBOR PRIVACY PRINCIPLES

Below are the seven U.S.-EU Safe Harbor Privacy Principles:

Notice: An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

Choice: An organization must offer individuals the opportunity to choose whether their personal information is to be disclosed to a third party, or to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual.

Onward Transfer: To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it first either ascertains that the third party subscribes to the principles or is subject to the directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.

Security: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity: Personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.

Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

Enforcement: Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate who are affected by non-compliance with the principles, and consequences for the organization when the principles are not followed.

Source: U.S. Department of Commerce.

“If gaps exist between what the principles require and what the company is currently doing,” Howell adds, “it needs to remediate those gaps before they file for certification or a renewal.”

As it stands right now, many companies are still at risk of an enforcement action. Of the 4,428 companies that currently adhere to the safe harbor principles, 987 show a certification status that is “not current.”

According to the Commerce Department, the most common reason an organization is designated as “not current” is if it fails to annually reaffirm adherence to the safe harbor. For this reason, data privacy experts advise that any company that self-certifies under the safe harbor framework should immediately check its certification status to ensure that it's marked “current” on the Commerce Department Website.

Killilea recommends that companies take it one step further and “institute a systemic reminder six months prior to the recertification date that triggers compliance review activity with a due date for completion prior to the recertification deadline.” If certification has lapsed, the company must immediately remove all references to the safe harbor program from privacy policies and publicly available statements.

The second most common reason for non-compliance with the safe harbor framework is failing to comply with at least one of the privacy principles. Aside from ensuring the right controls are in place to maintain compliance, the company should further “be able to support its assertion if an audit is conducted,” says Lisa Sotto, a partner in the law firm Hunton & Williams.

Safe Harbor in Jeopardy

Even amid greater scrutiny by the FTC, the future of the safe harbor framework remains in limbo. In November 2013, the European Commission issued a report calling on the Commerce Department to “adopt a more active stance in scrutinizing compliance.”

The report further lays out 13 recommendations for strengthening the safe harbor principles, including that self-certifying companies be subject to investigations of compliance with their privacy policies.

The pressure keeps on mounting. In December 2013, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) announced in a draft report that it will call on the European Commission to suspend the safe harbor principles, and renegotiate new, appropriate data protection standards.

“My prediction is that safe harbor will not go away,” says Sotto. Still, she says, “there needs to be agreement on how to proceed with the safe harbor intact.”