Recent US-EU Safe Harbor Enforcement Actions and International Data Security Programs Signal Increased Focus on Cross-Border Data Transfers

March 12th, 2014 by Matthew Fischer
On March 6, the U.S. Federal Trade Commission (FTC) signed a memorandum of understanding (MOU) with the UK Information Commissioner’s Office (ICO), Great Britain’s data protection authority, to promote increased cooperation and the sharing of information between the two agencies to bolster their data protection efforts. This objective would be achieved through the following means: (1) sharing information, including complaints; (2) providing investigative assistance where appropriate, such as obtaining evidence in the local jurisdiction on behalf of the other agency; (3) joint training and staff exchanges; and (4) coordinating enforcement actions for privacy violations that constitute breaches in both countries. The FTC and the ICO have coordinated privacy investigations and promoted joint anti-spam initiatives over the last several years.
The MOU comes in the wake of increased criticism of the US-EU Safe Harbor program (Safe Harbor) by European Union (EU) countries. The EU Data Protection Directive (95/46/EC) bars the transfer of personal data from within the European Economic Area to third countries unless those countries have established acceptable levels of protection. The Safe Harbor provides a self-certification program that requires U.S. companies to protect data containing personal information received from EU countries pursuant to an agreed-upon set of seven privacy principles that are enforceable under U.S. law.
On July 19, 2013, the EU Commissioner responsible for data protection, Viviane Reding, stated that the European Commission (EC) would be reviewing its Safe Harbor Agreement with the U.S., in part due to the scandal surrounding Edward Snowden’s leak of top secret data collected under the U.S. National Security Agency’s (NSA) Internet surveillance program called PRISM. Commissioner Reding cited the PRISM controversy as a “wake-up call” which necessitated “data protection reform” from the EC. The EC also expressed concerns over the self-certification nature of the Safe Harbor program, which it viewed as susceptible to lapses in compliance by participants. Shortly thereafter, on July 24, German data protection authorities announced they would not issue new permissions for data transfers to countries outside the EU and were considering whether data transfers conducted on the basis of the Safe Harbor should be suspended altogether. The German authorities also cited concerns over reports of the NSA’s PRISM program.
On November 27, 2013, the EC published the results of its Safe Harbor review and reported that it had identified “a number of weaknesses” which caused it to opine that “the current implementation of Safe Harbor cannot be maintained.” The EC listed 13 recommendations for the U.S. to consider and implement by summer 2014. The recommendations included greater transparency on the part of participating companies, ensuring a right of redress for data subjects, increased investigations and reporting of non-compliance by the U.S. Department of Commerce to applicable EU data protection authorities and restriction of the national security exception to only those circumstances where it is definitely necessary or proportionate.
FTC Commissioner Julie Brill responded on December 11 that the Safe Harbor program is “a very effective tool for protecting the privacy of EU consumers” and asserted, not surprisingly, that it should be neither suspended nor renegotiated. In addressing the EC’s criticism of the Safe Harbor framework, Commissioner Brill argued that the U.S. had undertaken numerous Safe Harbor compliance investigations, which have resulted in 10 enforcement actions since 2009.
The FTC flexed its enforcement muscles further when it announced on January 21, 2014, that it had settled claims against 12 different companies that allegedly falsely claimed to have been in compliance with the Safe Harbor program. The FTC complaints charged that the companies had represented, in their privacy policies or through the display of the Safe Harbor certification mark, that they held current Safe Harbor certifications, despite having allowed their certifications to lapse. That same month, the Department of Commerce’s International Trade Administration (ITA) posted a document entitled “Key Points Concerning the Benefits, Oversight, and Enforcement of Safe Harbor.” The Key Points document defends the Safe Harbor program by noting the following advantages of the program:
• The program provides important economic benefits to the EU and Swiss economies, as well as to the U.S. economy;
• Claims of Safe Harbor participation and certification status can be readily verified via the official Safe Harbor List(s) that are accessible online;
• The ITA plays an important oversight role that balances the self-certification aspect of the program;
• Safe Harbor requires that there be “readily available and affordable” dispute resolution for data subjects; and
• The FTC had brought 10 enforcement actions in recent years, resulting in consent decrees (and that number has since skyrocketed to 22 enforcement actions after the FTC’s January 21 announcement).
More recently, officials with the FTC, the EU and Asia-Pacific Economic Cooperation (APEC) economies announced the execution of a joint agreement designed to facilitate companies’ compliance efforts for cross-border data transfers. The agreement – called a “referential” – is intended to serve as an “informal pragmatic checklist for organizations” that seek double certification under the EC’s binding corporate rules and APEC’s cross-border privacy rules. Companies involved in cross-border transfers can use the referential to design and adopt data protection policies that comply with both systems.
As large-scale data breaches continue to grab headlines in the U.S. and concerns over NSA spying remain among EU countries, companies involved in cross-border data transfers can expect increased enforcement measures from data protection authorities on both sides of the Atlantic Ocean.