In December 2008, an international report on the U.S. Safe Harbor Agreement (“Safe Harbor”) was released. The report was part of a study examining the agreement between European Data Commissioners and the U.S. Department of Commerce, which was signed in 1998. Under the European Union Data Protection Directive (“European Data Directive”), a member state must implement laws that only permit transfers of data from member states to third party countries that provide adequate levels of data protection. The European Union has yet to find that the United States provides an adequate level of data protection. The Safe Harbor therefore allows U.S. businesses to transfer data from Europe to the United States without complying with the European Union member states’ requirements governing data transfers. By utilizing the Safe Harbor, a U.S. business can self-certify through the Department of Commerce that it provides an adequate level of privacy protection thereby satisfying the European Data Directive requirement.
By making false or misleading statements regarding membership in or compliance with the Safe Harbor program, a business may open itself up to an enforcement proceeding by the Federal Trade Commission (“FTC”), which deems false claims to be unfair or deceptive acts or practices that are actionable under Section 5 of the FTC Act. Below is a list of common compliance issues related to privacy policies that a business ought to consider if it participates in the Safe Harbor:
- Avoid making false claims regarding the nature of your Safe Harbor certification. For instance, because the Safe Harbor is a self-certification program, refrain from making statements that your company has been certified by the Department of Commerce or the European Union.
- Post only the official Safe Harbor Certification Mark provided by the U.S. Department of Commerce on your site rather than using unauthorized logos or marks.
- Immediately preceding the top edge of the mark, provide the following: “We self-certify compliance with.”
- Select with care an independent dispute resolution provider, as required by Safe Harbor Principle 7. Ensure that your membership with such a dispute resolution provider remains current.
- Confirm that your company annually renews its self-certification. The report found that numerous companies claimed compliance but had not renewed their certification.