In a move clearly designed to address some of the concerns of the EU Commission over the US-EU Safe Harbor Agreement, the US Federal Trade Commission (“FTC”) announced on 21 January 2014 it reached settlements with 12 US entities that falsely claimed to comply with Safe Harbor. On 11 February 2014, a further settlement announcement was made.
As we noted in a previous post, the EU Commission officially called on US authorities in November 2013 to improve the way Safe Harbor is implemented, particularly in relation to enforcement which the EU Commission has long regarded as lacklustre. In the meantime, the EU Commissioner with responsibility for data protection, Viviane Reding, has openly suggested that Safe Harbor be suspended if changes aren’t made by summer.
It is unclear to what extent these settlements will satisfy the EU Commission. The companies involved were by no means unknown small operators. They include a large internet service provider, well known American football clubs and one of the biggest peer-to-peer services in the world. In addition, the settlements involved the signing of 20 year ‘consent orders’ which essentially give the FTC a greater ability to enforce Safe Harbor with the entities than they would under law, which may demonstrate a willingness on their part to enforce Safe Harbor to the best of their abilities.
However, other elements of the settlements may suggest to the EU Commission that this was not a serious new departure in enforcement. The settlements were made in relation to a technical breach of Safe Harbor – holding themselves out as holding safe harbour certifications when they had allowed these to lapse. There is no indication that the FTC made any greater investigation into their compliance with the requirements of Safe Harbor. Additionally, the settlements involved no upfront monetary penalties, though these are contemplated for breach of the consent orders.