
US regulator warns against false 'safe harbour' claims

Out-Law News | 19 Aug 2015 | 5:25 pm

The US Federal Trade Commission (FTC) has warned businesses not to make false claims about their participation in and compliance with the EU-US Safe Harbour Agreement.

The regulator said it had reached settlements with 13 US businesses that it alleged had made false claims about being certified members of the privacy scheme and/or an equivalent framework for facilitating transfers of personal data between Switzerland and the US.

The FTC alleged that seven of the companies had claimed to have held a current certification for at least one of the safe harbour programs whereas in fact they had not renewed those certifications. It alleged that six other companies claimed certification when they had "never actually applied for membership in the programs".

The companies do not have to admit liability as part of the settlement agreements, but are "prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organisation". The settlement deals are currently open to comment and have yet to be finalised.

"The US-EU and US-Swiss Safe Harbor Frameworks are important agreements, and the FTC remains strongly committed to enforcing them," the FTC's chairwoman Edith Ramirez said in a statement. "Companies must not deceive consumers about their participation in these programs."

Under EU data protection laws, the transfer of personal data from the EU to so-called 'third' countries is governed by strict rules designed to ensure the adequate protection of EU citizens' privacy in accordance with EU data protection standards, even when that data is held outside of the trading bloc.

Only a handful of countries, including Argentina, Canada and Switzerland, but not including the US, are deemed by the European Commission to provide adequate protection for personal data.

However, the European Commission and US government previously agreed a special framework which allows US businesses signed up to the scheme to transfer personal data outside of the EU to the US in a way which meets the adequacy requirements.

More than 3,000 US businesses have self-certified their compliance with the EU-US Safe Harbour Agreement, which sets seven principles of data protection broadly equivalent to standards set under the EU Data Protection Directive.

The legality of the EU-US Safe Harbour Agreement has been challenged before the EU courts in light of revelations about US surveillance released by the whistleblower Edward Snowden. Twitter earlier this year warned about the potential costs it would incur if the framework was revoked.

A new framework to facilitate EU-US data transfers in line with EU data protection requirements is expected to be agreed soon.