Safe Harbor in a Storm

by Dechert LLP

The Federal Trade Commission has flexed its muscles in relation to the Safe Harbor privacy framework, but has it done enough to placate European sceptics?
The US Federal Trade Commission (“FTC”) announced on 21 January 2014 that it has entered into settlement agreements with twelve companies that allegedly falsely represented that they were current certified members of Safe Harbor. The FTC’s actions follow growing concern in Europe about the effectiveness of the US-EU data protection framework, which has come under greater scrutiny since last year’s revelations of NSA intelligence gathering.

What is Safe Harbor?

The data protection law of each member of the European Union stems from the European Data Protection Directive (“Directive”). Under Article 25 of the Directive, personal data may not be transferred outside Europe unless the data controller (the ‘owner’ of the data) ensures an ‘adequate level of protection’.

The European Commission has created a ‘safe list’ of countries; transfers to those countries automatically meet the adequacy standard set in Article 25. However, the US is a notable exception from this list. Instead, entities in the US may join the Safe Harbor scheme, and doing so means that the adequacy standard is met.

To join Safe Harbor, which was introduced in 2000, a US company self-certifies to the US Department of Commerce (“DoC”), which administers the programme, that it adheres to the seven Safe Harbor principles, and makes a public declaration of this adherence. The company is then added to the publicly available Safe Harbor list. Once added to the Safe Harbor list, the business is deemed to have adopted an adequate level of protection for transfers of personal data to the US from EU member states, and as such transfers can take place in compliance with EU law. To maintain membership of Safe Harbor, a company must resubmit its self-certification annually.

Failure to adhere to the principles lays a member open to enforcement by the FTC, which can bring deceptive trade practices charges.

Criticism of Safe Harbor

Whilst it is a mature method for compliance on the data transfer issue, Safe Harbor is increasingly under the spotlight. Revelations in 2013 about the surveillance programmes of US intelligence agencies generated concern amongst European data protection authorities and raised questions about the efficacy of the Safe Harbor regime, and in particular the way it is enforced.

Criticism of Safe Harbor, particularly its reliance on self-certification, is not new. In 2010 data protection authorities in Germany published a decision requesting that European companies transferring data to Safe Harbor members check for themselves that the US company complied with the Safe Harbor principles. In addition, reports by the European Commission, as long ago as 2002 and 2004, were critical of the programme.

In November 2013 the European Commission released a communication asserting the need to reassess Safe Harbor in light of the rapid growth of the digital economy, the ‘critical importance’ of data flows for the transatlantic economy, the growth in number of companies affiliated to Safe Harbor and revelations about US surveillance programmes.

The European Commission criticised the limited scope of the DoC’s evaluation of privacy policies. The DoC was also called upon to “adopt a more active stance in scrutinising compliance [with the Safe Harbor Principles]” and “intensify its periodic controls of companies’ websites”. In addition, the European Commission criticised as weak the way in which the Safe Harbor principles are enforced by the FTC. The European Commission set out 13 recommendations for strengthening the Safe Harbor principles themselves (including a reassessment of the extent to which US authorities can access data transferred under the Safe Harbor framework).

Piling on the pressure, a draft report on US and European surveillance by the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), which was leaked in January 2014, asserts that Safe Harbor provides inadequate protection for EU citizens. The draft report recommends that the European Commission immediately suspend the Safe Harbor framework and suggests that transfers of personal data from the EU to the US should be carried out using alternative methods.

The FTC’s recent action

In autumn 2013, in the midst of this criticism, the FTC promised more enforcement actions “in the coming months” and asserted that it would actively engage with companies whose membership of Safe Harbor was due to lapse, to discuss the company’s options and obligations.

The FTC’s announcement on 21 January 2014 marks the first Safe Harbor settlements in almost two years (since the settlement with Myspace in May 2012). The twelve companies against whom the recent enforcement action has been taken are active in a variety of industries and include a number of well-known businesses (including three American NFL football teams).

The companies represented, in their privacy policies or by displaying the Safe Harbor certification mark on their websites, that they adhered to the Safe Harbor principles or held current Safe Harbor certifications, despite the fact that their memberships had lapsed. Importantly, the FTC did not allege that any of the companies in question had inadequate procedures in place concerning personal data or that any individuals or entities were harmed. Since the FTC found no substantive violations of the Safe Harbor principles by any of the twelve companies, the FTC’s actions focused solely on the fact that they had not properly renewed their annual self-certification with the DoC.

It may of course simply be coincidence that the recent FTC action has arisen against the backdrop of severe European criticism, including of the FTC’s enforcement record. Whilst, from a European perspective, it is encouraging to see the FTC take some action, this is likely to do little to stem the criticism. What European regulators are calling for is the investigation by the FTC of Safe Harbor members that are committing substantive violations of the Safe Harbor principles, rather than a focus on those who have failed to renew their self-certification – a not particularly egregious administrative oversight.

It is unlikely that the FTC will have done much to allay European fears.

Alternative options for EU-US personal data transfers

It should be recalled that Safe Harbor is not the only means of ensuring that data is adequately protected when transferred abroad. Other mechanisms include:

  • Standard Clauses – The adequacy requirement of the Directive can be met by entering into certain standard forms of contract between the transferring entity and the receiving entity.
  • Binding Corporate Rules – For transfers within a corporate group (but outside of Europe), global privacy policies and procedures (so-called ‘binding corporate rules’ (“BCRs”)) can be sanctioned in advance by European regulators.
  • Self-Assessment – In the UK, the legal regime is more permissive than elsewhere within Europe and allows the exporting UK entity to itself assess whether or not, in the particular circumstances of a transfer, the transfer is made to a country that can ensure an adequate level of protection.
  • Consent and other Derogations – Consent is often discussed in this context, but it is not without problems (a full discussion of which is outside the scope of this note). Whilst it is superficially attractive, consent must be given freely, be specific and informed and, where sensitive personal data is concerned, must also be ‘explicit’. It can be withdrawn at any time (and so is not suitable for “structural” transfers). A transfer can also take place without relying on any of the methods just discussed if, for example, the transfer is necessary for the performance of certain contracts, or if there are important public interest grounds, or a need to establish, exercise or defend legal claims.

Further details on these methods (and Safe Harbor), in the context of sharing data through a group, can be found in our white paper available through this link.

Comment

Despite the EU criticism, it is hard to imagine Safe Harbor ceasing to be available. Many of the largest providers of technology services (such as Microsoft, Google and Salesforce) are members, and many of their customers rely on that membership to fulfil their EU privacy compliance responsibilities. The EU is unlikely to jeopardise this delicate framework.

Having said that, it is hard to see how the EU will be placated by the limited nature of the recent FTC action, and cross-Atlantic lobbying for greater enforcement can be expected.

It should be recalled that in January 2012 the European Commission proposed an overhaul of the EU law relating to data protection, including a new regulation to replace the current Data Protection Directive. The new regime is currently under consideration, and a recently announced timetable might see resolution of the political wrangling during the latter part of 2014 (with implementation of the new laws within a further two years). The discussions on the proposal seem to have left Safe Harbor untouched.

The key point from the FTC action is that all US entities that participate in Safe Harbor must have effective compliance procedures to ensure that they keep their self-certification current on an annual basis.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
