'Safe Harbour' enforcement a priority, says US regulator

Out-Law News | 27 Jan 2014 | 5:25 pm | 2 min. read

A US regulator has confirmed that it is "a priority" for it to make sure that companies which claim to be compliant with an EU-US data protection regime actually are. 

The EU-US 'safe harbour' agreement is a framework that facilitates the transfer of personal data between the EU and US.

The Federal Trade Commission (FTC) announced that it had reached agreement with 12 US-based companies to settle claims that the businesses had "falsely claimed" that they complied with the safe harbour framework. The agreements have yet to be finalised and are currently subject to public comment.

The safe harbour framework sets out seven data protection principles broadly equivalent to the standards set under the EU Data Protection Directive. US companies that adhere to those principles, and self-certify their compliance, may transfer personal data from the EU to the US under the framework.

EU data protection laws prevent companies from sending personal data outside of the European Economic Area (EEA) unless "adequate protections" have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection.

The US has not been designated as providing adequate data protection, but the European Commission and US Department of Commerce negotiated the Safe Harbour scheme to facilitate personal data transfers between organisations in the EU and US.

The FTC had charged the 12 companies with which it has agreed draft settlements with claiming to comply with the Safe Harbour regime when in fact their certifications had lapsed. US businesses must self-certify their compliance to the US Department of Commerce annually.

"Under the proposed settlement agreements, which are subject to public comment, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organisation," a statement by the FTC said.

"Enforcement of the US-EU Safe Harbour Framework is a Commission priority," FTC chairwoman Edith Ramirez added. "These twelve cases help ensure the integrity of the Safe Harbour Framework and send the signal to companies that they cannot falsely claim participation in the program."

The FTC said that bringing the cases did not mean the 12 businesses had "committed any substantive violations of the privacy principles" set out under the Safe Harbour regime; the charges concerned the lapsed certifications, not the companies' handling of personal data.

More than 3,000 US businesses are currently signed up to the Safe Harbour scheme. In November last year the European Commission published a report which cited "deficiencies in transparency and enforcement" in how the framework works. The report followed a review the European Commission undertook into the framework after news leaked the previous summer about the alleged surveillance activities of the US National Security Agency (NSA).

In its report the Commission made 13 recommendations on how to address concerns about the Safe Harbour framework. Among its recommendations, it said the US businesses subject to the agreement should "publish privacy conditions of any contracts they conclude with subcontractors" and facilitate "readily available and affordable" access to alternative dispute resolution for EU citizens so that they can raise and settle complaints they have on privacy issues.

The Commission also said that there should be a procedure for testing some Safe Harbour scheme members' privacy policies to ensure "effective compliance".