The Federal Trade Commission (“FTC”) has recently increased its examination of company privacy policies that claim to be U.S.-EU Safe Harbor certified. For those companies that are not currently certified, whether by mistakenly letting the certification lapse or for some other reason, the FTC is issuing draft complaints alleging deceptive acts or practices and demanding that companies enter into a consent decree.
The FTC has sent numerous companies a “proposed” consent decree, which imposes a number of potentially onerous burdens on companies relating to future compliance and filing reports with the FTC, including a provision that spans a 20-year period. To avoid the legal fees and hassle of an FTC action, it would be prudent to immediately check the status of your company’s Safe Harbor certification and ensure that any claims made in that regard on your website are consistent with that status.
U.S.-EU Safe Harbor Framework
The U.S.-EU Safe Harbor Framework provides a method for companies in the United States to transfer personal data outside the EU in a manner that is consistent with the EU Data Protection Directive, to address European privacy concerns. For a company to join the Safe Harbor, it must self-certify to the U.S. Department of Commerce that it complies with EU standards.
The Safe Harbor Framework has seven principles for compliance:
choice for individuals
onward transfer of user information to a third-party agent only if the third party meets certain standards
user access to their information
security for user information
data integrity and
enforcement of these standards via an appropriate recourse mechanism.
What To Do
If there is any doubt, the company should immediately remove all references to the U.S.-EU Safe Harbor until the company becomes fully compliant and is certified.