There has been much debate during 2014 about the effectiveness of the US Safe Harbour regime. Many EU commentators have queried its effectiveness, pointing in particular to the lack of enforcement over the years by the Federal Trade Commission (FTC), the body which effectively is charged with dealing with complaints that companies are not in compliance with their public representations of adherence to the Safe Harbour principles.
The US Federal Trade Commission Act controls fraudulent, deceptive and unfair business practice. To declare compliance with the Safe Harbour Principles but to fail to actually comply can be actionable under this legislation. This is what gives Safe Harbour its teeth.
It is notable then that the complaint by the Federal Trade Commission into Snapchat which was initiated in May 2014 has been settled. The Decision and Order was published on 23 December 2014.
The basis of the complaint was that Snapchat misrepresented the manner in which it marketed its app. Specific areas of concern related to what Snapchat said about the extent to which messages were deleted after being viewed, whether users can, through use of Snapchat's offering, become aware of message recipients saving or capturing screenshots of sent images, security measures being used and the categories of personal information being collected.
The improvement steps which Snapchat must take are not that surprising and include appointing a designated privacy representative, staff training, internal proactive risk assessment and a privacy focussed approach to procuring third party products and services.
Additionally though, Snapchat is required to engage an independent third party initially and on a biennial basis to investigate and report on its compliance. The audits will be subject to FTC review and approval and will continue for 20 years – a vote of confidence then in the longevity of the Snapchat business model and in the usefulness of data protection audits. This is also a reminder for data controllers not to accept statements of safe harbour compliance without question.
The final FTC order can be accessed here: http://www.ftc.gov/system/files/documents/cases/141231snapchatdo.pdf