The Federal Trade Commission has flexed its muscles in relation to the Safe Harbor privacy framework, but has it done enough to placate European sceptics?
The US Federal Trade Commission (“FTC”) announced on 21 January 2014 that it has entered into settlement agreements with twelve companies that allegedly falsely represented that they were current certified members of Safe Harbor. The FTC’s actions follow growing concern in Europe about the effectiveness of the US-EU data protection framework, which has come under greater scrutiny since last year’s revelations of NSA intelligence gathering.
What is Safe Harbor?
The data protection law of each member of the European Union stems from the European Data Protection Directive (“Directive”). Under Article 25 of the Directive, personal data may not be transferred outside Europe unless the data controller (the ‘owner’ of the data) ensures an ‘adequate level of protection’.
The European Commission has created a ‘safe list’ of countries; transfers to those countries automatically meet the adequacy standard set in Article 25. However, the US is a notable exception from this list. Instead, it is open to entities in the US to join the Safe Harbor scheme, and doing so means that the standard is met.
To join Safe Harbor, which was introduced in 2000, a US company self-certifies to the US Department of Commerce (“DoC”), which administers the programme, that it adheres to the seven Safe Harbor principles and makes a public declaration of this adherence. The company will then be added to the publicly available Safe Harbor list. Once added to the Safe Harbor list the business is deemed to have adopted an adequate level of protection for transfers of personal data to the US from EU member states and as such transfers can take place in compliance with EU law. To maintain membership of Safe Harbor, a company must resubmit its self-certification annually.
Failure to adhere to the principles would lay a member open to enforcement by the FTC bringing deceptive trade practices charges.
Criticism of Safe Harbor
Whilst it is a mature method for compliance on the data transfer issue, Safe Harbor is increasingly under the spotlight. Revelations in 2013 about the surveillance programmes of US intelligence agencies generated concern amongst European data protection authorities and have raised questions about the efficacy of the Safe Harbor regime and in particular the way it is enforced.
Criticism of Safe Harbor, particularly its reliance on self-certification, is not new. In 2010 data protection authorities in Germany published a decision requesting that European companies transferring data to Safe Harbor members check for themselves that the US company complied with the Safe Harbor principles. In addition, reports by the European Commission, as long ago as 2002 and 2004, were critical of the programme.
In November 2013 the European Commission released a communication asserting the need to reassess Safe Harbor in light of the rapid growth of the digital economy, the ‘critical importance’ of data flows for the transatlantic economy, the growth in number of companies affiliated to Safe Harbor and revelations about US surveillance programmes.
The European Commission criticised the limited scope of the DoC’s evaluation of privacy policies. The DoC was also called upon to “adopt a more active stance in scrutinising compliance [with the Safe Harbor Principles]” and “intensify its periodic controls of companies’ websites”. In addition, the European Commission criticised as weak the way in which the Safe Harbor principles are enforced by the FTC. The European Commission set out 13 recommendations for strengthening the Safe Harbor principles themselves (including a reassessment of the extent to which US authorities can access data transferred under the Safe Harbor framework).
Piling on the pressure, a draft report on US and European surveillance by the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), which was leaked in January 2014, asserts that Safe Harbor provides inadequate protection for EU citizens. The draft report recommends that the European Commission immediately suspend the Safe Harbor framework and suggests that the transfer of personal data from the EU to the US should be carried out using alternative methods.
The FTC’s recent action
In autumn 2013, in the midst of this criticism, the FTC promised more enforcement actions “in the coming months” and asserted that it would actively engage with companies whose membership of Safe Harbor was due to lapse to discuss each company’s options and obligations.
The FTC’s announcement on 21 January 2014 marks the first Safe Harbor settlements in almost two years (since settlement with Myspace in May 2012). The twelve companies against whom the recent enforcement action has been taken are active in a variety of industries and include a number of well-known businesses (including three American NFL football teams).
The companies represented, in their privacy policies or by displaying the Safe Harbor certification mark on their websites, that they adhered to the Safe Harbor Principles or held current Safe Harbor certifications, despite the fact that their memberships had lapsed. Importantly, the FTC did not allege that any of the companies in question had inadequate procedures in place concerning personal data or that any individuals or entities were harmed. Since the FTC found no substantive violations of the Safe Harbor principles by any of the twelve companies, the FTC’s actions focused solely on the fact that they had not properly renewed their annual self-certification with the DoC.
It may of course simply be coincidence that the recent FTC action has arisen against the backdrop of severe European criticism, including of the FTC’s enforcement record. Whilst, from a European perspective, it is encouraging to see the FTC take some action, this is likely to do little to stem the criticism. What European regulators are calling for is the investigation by the FTC of Safe Harbor members that are committing substantive violations of the Safe Harbor principles, rather than a focus on those who have failed to renew their self-certification – a not particularly egregious administrative oversight.
It is unlikely that the FTC will have done much to allay European fears.
Alternative options for EU-US personal data transfers
It should be recalled that Safe Harbor is not the only means of ensuring that data is adequately protected when transferred abroad. Other mechanisms include:
Standard Clauses – The adequacy requirement of the Directive can be met by entering into certain standard forms of contract between the transferring entity and the receiving entity.
Binding Corporate Rules – For transfers within a corporate group (but outside of Europe), global privacy policies and procedures (so-called ‘binding corporate rules’ (“BCRs”)) can be sanctioned in advance by European regulators.
Self-Assessment – In the UK, the legal regime is more permissive than elsewhere within Europe and allows the exporting UK entity to itself assess whether or not, in the particular circumstances of a transfer, the transfer is made to a country that can ensure an adequate level of protection.
Consent and other Derogations – Consent is often discussed in this context but it is not without problems (a full discussion of which is outside the scope of this note). Whilst it is superficially attractive, consent must be given freely, be specific and informed and, where sensitive personal data is concerned, must also be ‘explicit’. It can be withdrawn at any time (and so is not suitable for “structural” transfers). A transfer can also take place without a need to rely on one of the methods just discussed if, for example, the transfer is necessary for the performance of certain contracts, or if there are important public interest grounds, or a need to establish, exercise or defend legal claims.
Further details on these methods (and Safe Harbor), in the context of sharing data through a group, can be found in our white paper available through this link.
Despite the EU criticism, it is hard to imagine Safe Harbor not being available. Many of the largest providers of technology services (such as Microsoft, Google and Salesforce) are members, and many of their customers rely on that membership to fulfil their EU privacy compliance responsibilities. The EU is unlikely to jeopardise this delicate framework.
Having said that, it is hard to see how the EU will be placated by the limited nature of the recent FTC action, and cross-Atlantic lobbying for greater enforcement can be expected.
It should be recalled that the European Commission proposed in January 2012 an overhaul of the EU law relating to data protection including a new regulation to replace the current Data Protection Directive. The new regime is currently under consideration and a recently announced timetable might see resolution of the political wrangling during the latter part of 2014 (with implementation of new laws within a further two years). The discussions on the proposal seem to have left Safe Harbor untouched.
The key point from the FTC action is that all U.S. entities who participate in Safe Harbor must have effective compliance procedures to ensure that they remain current with their self-certification on an annual basis.