The Federal Trade Commission recently announced it has settled claims against 12 companies relating to charges the companies falsely claimed they were abiding by the U.S. – EU Safe Harbor program that enables U.S. companies to transfer consumer data from the European Union to the United States in compliance with EU law. The businesses represent a number of industries, including retail, professional sports, laboratory science, data broker, debt collection, and information security.

According to the complaints filed by the FTC, the companies deceptively claimed they held current certifications under the U.S. – EU Safe Harbor program framework. To participate in the U.S. – EU Safe Harbor program, a company must self-certify annually to the U.S. Department of Commerce that it complies with the seven safe harbor privacy principles relating to notice, choice, onward transfer, security, data integrity, access, and enforcement. A participant in the U.S. – EU Safe Harbor program may demonstrate its participation in the program by displaying the official safe harbor certification mark on its Web site. The FTC charged each company with representing, through statements in their privacy policies or display of the safe harbor certification mark, that they held current safe harbor certifications, even though they had allowed their certifications to lapse.

Companies in the European Union may not lawfully transfer consumer data to companies in the United States unless the transfer complies with applicable EU data privacy laws. One way to accomplish this compliance is for the U.S. company to self-certify compliance with the U.S. – EU Safe Harbor program through the safe harbor certification application process.

Companies should consider the following in order to avoid claims from the FTC similar to those described above.

  1. A business should not claim safe harbor certification (e.g., through privacy policies or use of the safe harbor certification seal) unless the company has affirmatively received confirmation of safe harbor status from the U.S. Department of Commerce.
  2. Once a company obtains safe harbor certification, it must annually reaffirm its compliance with the safe harbor principles to obtain recertification.
  3. A business seeking to obtain safe harbor certification and at the time of each annual recertification should confirm its compliance with the safe harbor principles through an assessment process verifying the following:
    • The company notifies individuals (customers, employees, suppliers, and so forth) about the types of personal information (PI) it collects, the reasons for collection, and how PI is shared.
    • The company notifies individuals regarding the reasons why PI is collected.
    • The company notifies individuals regarding the third parties with whom the PI is shared.
    • The company notifies individuals of the choices and methods for limiting use and disclosure of PI.
    • The company notifies individuals and gives them an opportunity to choose (opt out) of whether their PI will be disclosed to a third party (other than service providers performing functions for the company under instructions from the company). For example, the company is required to provide notice and choice before transferring PI to a third party for that party's own direct marketing purposes.
    • The company gives individuals the opportunity to choose (opt out) whether their PI may be for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.
    • For sensitive information, including religious beliefs, political opinions, health, sexual orientation, race, and membership of past organizations, the company obtains affirmative or explicit opt in if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
    • When the company transfers PI to a third-party service provider or agent performing under instructions from the company, the company makes sure the third party (a) is safe harbor certified, (b) is subject to the EU Data Privacy Directive, or (c) enters into a written agreement with the company requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.
    • The company gives individuals access to PI about themselves that the company holds.
    • The company gives individuals the ability to correct, amend, or delete that information where it is inaccurate (except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated).
    • The company has implemented reasonable precautions and safeguards to protect PI from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
    • Personal information held by the company is relevant (needed) for the purposes for which it is to be used.
    • The company has implemented reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
    • The company provides readily available and affordable independent recourse mechanism so that each individual's complaints and disputes can be investigated and resolved, and damages awarded where the applicable law or private sector initiatives so provide.
    • The company has implemented procedures for verifying that the commitments it makes to adhere to the safe harbor principles have been implemented.
    • The company adequately remedies problems arising out of a failure to comply with the principles.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.