The transfer of data between U.S. companies and EU citizens has been a hot topic for years. And the U.S.-EU Safe Harbor Framework was designed to help facilitate that data transfer by providing principles for U.S. companies to follow and reduce complexities of otherwise complying with the EU laws following the EU data regulation in 1995. Administered by the Department of Commerce, the Safe Harbor Framework is a voluntary privacy program that allows companies to transfer data from the EU to the U.S. in compliance with EU law. But whether companies that participate in the Safe Harbor are actually honoring their obligations under the Safe Harbor isn’t always clear.
For a company to participate in Safe Harbor, it must certify that it abides by seven principles—notice, choice, onward transfer, security, data integrity, access and enforcement—and reaffirm each year that it’s still in compliance. The latter portion of the Safe Harbor has landed several companies in hot water with the Federal Trade Commission (FTC). While some companies claim they are Safe Harbor participants, failing to make that annual affirmation results in noncompliance with the Safe Harbor.
Since 2010, in fact, the FTC has brought 26 law enforcement actions against U.S. companies that claim to participate in the Safe Harbor Framework in an effort to ensure they are following through with their obligations. The most recent targets of the FTC were American International Mailing (AIM) and TES Franchising.
The FTC strongly encourages companies who claim to be Safe Harbor participants to ensure they are compliant with the rule, to avoid ending up like AIM, TES or the other 24 companies who have faced FTC action. You can check your status on the export.gov website in seconds and it may be time well spent.