FTC Continues Safe Harbor Enforcement Streak With Six New Proposed Settlements

On October 6, 2009, in one fell swoop, the Federal Trade Commission (“FTC”) announced proposed settlements of charges against six companies for violations under the US/EU Safe Harbor Program. Specifically, these companies (World Innovators, Inc.; ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC) were alleged to have continued to represent in their online privacy policies that they were self-certified under the Safe Harbor Program when in fact they had allowed their certifications to lapse, and thus had engaged in deceptive practices.

The six proposed settlements follow right on the heels of the first ever Safe Harbor enforcement action taken by the FTC (as reported in Proskauer’s Privacy Blog), against a California company, Balls of Kryptonite, which had falsely represented that it had self-certified to the Safe Harbor Program when in fact it apparently never had.

The US/EU Safe Harbor program was negotiated between the U.S. and EU governments as a way to reconcile the fact that under the EU’s Data Protection Directive (with some exceptions) organizations may only transfer personally identifiable information from the EU to countries that the European Commission has deemed to have adequate data protection laws—and the U.S. is not one of those countries. Therefore, the EU/US Safe Harbor program was created in 2001 as a way for U.S. companies to receive personal data from the EU.

To participate in the program, a U.S. company self-certifies to the U.S. Department of Commerce (and commits in a publicly-facing policy) that it will follow the Safe Harbor Privacy Principles (the “Principles”), which mirror the core requirements of the EU Data Protection Directive.

The FTC’s enforcement actions should serve as a wake-up call to U.S. companies that have been lulled, during the eight years since the Safe Harbor program was put into place, into the mindset that the FTC is not enforcing the program. Although for almost a decade U.S. companies have been able to take a “wait and see” approach as to the FTC’s enforcement appetite, that era certainly seems to have come to an end. All U.S. companies that import personally identifiable information from Europe under the Safe Harbor should review their Safe Harbor policies now and re-affirm their compliance with the Principles.

New Report Finds Much Room For Improvement in EU Data Protection Law

On May 12, 2009, the UK Information Commissioner's Office (ICO) released a much anticipated report authored by the RAND Corporation assessing the strengths and weaknesses of the 1995 EU Data Protection Directive (95/46/EC) (the "Directive"), the main source of privacy legislation in Europe. While the report highlighted a number of the Directive's positive attributes, it nonetheless concluded that as society becomes more globally networked, "the Directive as it stands will not suffice in the long term."

Specifically, the report found fault with the current practice of notification of data processing under the Directive. Each EU Member State has its own system of notification procedures, resulting in high costs for organizations that may need to notify several EU jurisdictions. The report did not mince words, finding that the hodge-podge of notification procedures "can have a crippling impact on the effectiveness of the [notification] obligation, as obligations which are perceived as excessive, unnecessary or ineffective are more likely to be ignored in practice."

The report also criticized one of the most well-known features of the Directive, the international transfer obligation of data controllers. Under the Directive, an organization may only transfer personal data outside the EU if the recipient entity is located in a jurisdiction that ensures "an adequate level of protection" or if the organization adopts a transfer mechanism such as the Safe Harbor self-certification program, model (standard) contractual clauses, or Binding Corporate Rules. The report observed that stakeholders were of the opinion that "distinguishing between countries inside and outside the EU was unnecessary and counter-productive in the modern world. For multi-national organisations operating across boundaries but applying the same high standards of data protection across all geographical divisions, this mechanism made no sense and was seen as contrary to harmonisation and global trade." The report also found that enforcement by the various EU Member States' data protection authorities was inconsistent.

While the report outlined a number of criticisms, it was not completely negative. The report noted that the Directive's "principles-based" framework fostered flexibility, that the legislation had served to improve awareness of privacy concerns, and that it was "technology neutral." These positive attributes aside, the report is nonetheless a frank assessment of the Directive and should serve as an impartial catalyst for updating the Directive to make it consistent with current practices and modern expectations.