Since early 2014, the Federal Trade Commission has charged at least fourteen U.S. businesses in varying industries, from fashion to telecommunications, for falsely claiming to participate in the US – EU Safe Harbor privacy. Three of the companies were also charged with similar violations of the US – Swiss Safe Harbor. The Safe Harbor provisions were designed to provide U.S. and European organizations a legal, cost-effective means for transmitting consumer data outside of European countries, which maintain strict data privacy laws. On June 25, 2014, the FTC reported approval of final orders settling charges of US – EU Safe Harbor violations against the fourteen entities.
Given this uptick in enforcement activity by the FTC, it is likely that the FTC is trying to show that it is serious about protecting consumer data and that enforcement of Safe Harbor violations will continue. Any organization found to be in violation could be liable for up to $16,000 per violation, or up to $16,000 per day in the case of continuing violations, as provided by Section 5(1) of the FTC Act (copies of some complaints are attached below).
All companies engaging in data sharing should make sure that it is in compliance with the FTC regulations by taking the following steps:
- If your company is participating in the US – EU and/or US – Swiss Safe Harbor and expressing or implying that it is Safe-Harbor certified, find out when your certification is set to expire, and set up a precautionary system to make sure that the certification does not lapse. Please understand that certified companies must recertify every year, and care should be taken to ensure that certification takes place on a timely basis.
- Safe-Harbor certified companies also must maintain compliance with the seven privacy principles set forth by the FTC when transmitting data outside of the EU: Notice, Choice, Onward Transfer, Security, Data Integrity, and Access to Enforcement.
Taken directly from the FTC website, the seven privacy principles are described as follows:
Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.
Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or later authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
Onward Transfer (Transfer to Third Parties)
To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the Safe Harbor Privacy Principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.
Individuals must have access to personal information about themselves that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
To ensure compliance with the Safe Harbor principles, there must be: (a) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the Safe Harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants and Safe Harbor benefits will no longer be assured.
While the recent crackdown has revolved around companies who falsely claim or imply compliance, it is believed that the seven privacy principles, including the notice, choice (opt-out), and onward transfer principles will be the FTC’s next focus in its attempt to enforce international Safe Harbor compliance.
The FTC approval of these fourteen final orders is a strong reminder that companies that are not participating need to ensure that website content does not falsely claim compliance, either expressly or impliedly, and, where companies have certified participation in the US – EU or US – Swiss Safe Harbor, they need to ensure that their certifications are current and adhere to the seven privacy principles.