The Federal Trade Commission (FTC) has announced that it is taking action against twelve businesses in the US who have been falsely claiming adherence to the framework known as Safe Harbor.
Safe Harbor allows for the free transfer of personal information for commercial purposes from companies in the EU to companies in the US that have signed up to Safe Harbor. Due to the substantial differences in privacy regimes in the EU and US without the Safe Harbor arrangement in place the transfer of personal information would be impossible.
The 12 Companies claimed they held up to date certifications under US-EU Safe Harbor Framework and in 3 of the companies’ cases they claimed certifications under the US-Swiss Safe Harbor Framework.
The FTC Chairwomen Edith Ramirez said “enforcement of the US–EU Safe Harbor Framework is a Commission priority. These 12 cases help ensure the integrity of the framework and send the signal to companies they cannot falsely claim participation in the programme.”
The companies involved have agreed to settle the charges. The consent agreement packages containing the proposed consent orders will be subject to public comment for 30 days from 21 January 2014 to 20 February 2014, after which the Commission will decide whether the proposed agreements will be final. Each violation of the final order can result in a penalty of up to $16,000.
The actions against the 12 companies come at a crucial time in terms of the future of the Safe Harbour Framework. In November 2013 the European Commission issued 13 recommendations to improve the enforcement and adequacy of Safe Harbor to rebuild trust in the US-EU data flow including recommendations that the FTC should subject a proportion of Safe Harbor companies to ex offico investigations. More recently, the Civil Liberties, Justice and Home Affairs Committee (LIBE) of the European Parliament released on 8 January 2014 its Draft Report on mass surveillance which called for the immediate suspension of data flows. The Report stated that “trust has been profoundly shaken and in order to rebuild trust in all these dimensions a comprehensive plan is urgently required.”
The Vice-President of the European Commission Viviane Reding in a press release dated 15 January 2014 noted that “as a result of the lack of transparency and enforcement on the US side, some companies do not, in practice comply with the scheme. This has a negative impact on individual’s rights and it may create an unfair competitive advantage for those companies in relation to European Countries operating in the same market.”
Due to the current anxiety surrounding the Safe Harbor Framework the action against the 12 companies may be seen as a gesture on the part of the US Government to reassure the EU that it is fully committed to privacy and upholding the terms of the agreement.
Whilst it is not the first time the FTC has taken enforcement action, such action have been limited to a total of 10 cases in the last 4 years and companies in the EU, that are relying on their US counterparts to be certified under Safe Harbor may wish to keep Ms Reding’s comments in mind.