Last week, the FTC announced that it had settled with a gaming company that falsely claimed to be certified under the US Safe Harbor. The Safe Harbor agreement is a self-certification arrangement under which you can transfer personal data from Europe to the US without “tripping up” on the EU data export prohibition. It is a critical plank in the platform for global companies who need to transfer personal data across borders. Think about how many companies operate globally or who use cloud-based storage solutions and you can see how important it is to be able to transfer data internationally in a legally compliant manner.
Are we seeing a new pattern of enforcement?
Only last month, the FTC announced enforcement action against 12 companies who also falsely claimed to be Safe Habor certified. So this is starting to look like a deliberate move to be more pro-active on Safe Harbor infringers. This has mostly been for failure to certify. Annual re-certification is required under the Safe Harbor for it to be valid. By the way, failing to hold a current certification doesn’t mean that you are guilty of any actual privacy law breach. So the companies had not suffered a data leak or hack and were not, necessarily, guilty of ignoring any individual rights in relation to privacy. Perhaps this is a sign of a new willingness to take enforcement action.
Why are we seeing additional privacy enforcement?
If you asked the FTC, they will tell you that enforcement of the Safe Harbor is a top priority and should send a signal to companies that they cannot pretend to be in the program when this is not the case. But there may be a political reason too. The recent Snowdon revelations are still bubbling in Europe and elsewhere and there is a real concern among European consumers that their data may be at risk if it is held in the US or by US companies. This is being stoked by the media and politicians although it is not quite clear who is more to blame. One of the longstanding criticisms of the US position is that enforcement of Safe Harbor or companies falsely claiming that they are participants has been limited. So the FTC’s latest enforcement action takes this criticism head on. It also must be one of the most efficient ways to demonstrate a willingness to ensure companies are complying with the Safe Harbor without fighting long or complex disputes with alleged offenders. Failing to self-certify is a fairly binary issue and easy to prove.
Of course, if you were going to be cynical, you would probably compare and contrast the US FTC enforcement action with equivalent action taken by supervisory authorities in Europe in relation to unlawful data exports. While the EU supervisory authorities have been hot on many other enforcement issues, enforcement in relation to data exports has been pretty fragmented. Suddenly the FTC looks like a rather more effective enforcer of privacy rights than some of the EU supervisory authorities would like to admit. We are watching the FTC’s enforcement action and enthusiasm for Safe Harbor with great interest.