Citing the increasing frequency with which consumer information crosses international borders and the need for coordinated monitoring and enforcement strategies related to consumer privacy, the U.S. Federal Trade Commission entered into a Memorandum of Understanding (MOU) with its U.K. counterpart, the Information Commissioner's Office. The FTC serves as the primary U.S. agency for consumer privacy issues. The ICO is charged with enforcing the U.K.'s Data Protection Act as well as the European Commission's directives on privacy and electronic communications. Although the MOU doesn't create any legally binding rights or obligations, it establishes a formal framework for the two agencies to work together and protocols by which they can request and share information.
The MOU comes in the wake of the recent announcement by the FTC that 12 U.S. companies have settled allegations that they falsely claimed compliance with the U.S.-EU Safe Harbor Framework, a voluntary compliance framework under which U.S. companies can transfer personal data from the European Union to the United States in a manner consistent with the requirements of the European Union Data Protection Directive. To participate, companies must self-certify annually to the U.S. Department of Commerce that they comply with the seven privacy principles required to meet the EU's adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement.
The FTC complaints charged the companies with representing, through statements in their privacy policies or display of the Safe Harbor certification mark, that they held current Safe Harbor certifications, even though the companies had allowed their certifications to lapse. The settlements include numerous compliance obligations, including providing a written report to the FTC within 60 days describing compliance with the settlement order and making available for a period of five years all documents relating to the settlement order such as advertisements, promotional materials, any representations about compliance with the Safe Harbor Framework, and any document, whether prepared by or on behalf of the company, that calls into question the company's compliance with the order. The companies are also prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.