Can’t Just Phone In U.S.-E.U. Safe Harbor Compliance

Civil actions brought this month by the Federal Trade Commission (FTC) against two companies that allowed their certification under the U.S.-E.U. Safe Harbor Framework to lapse while still claiming to be compliant are a timely reminder that the Framework requires annual re-certification. The FTC cited this lapse as a deceptive trade practice by each of TES Franchising, LLC and American International Mailing, Inc.

By way of background, shortly after the European Union’s Data Privacy Directive (the Privacy Directive) became effective in 1998, the U.S. Department of Commerce worked with European Union data protection authorities to develop the U.S.-E.U. Safe Harbor Framework. This Framework allows U.S. businesses to self-certify their compliance with certain privacy norms that are consistent with the requirements of the Privacy Directive. By doing so, the businesses may engage in the handling, processing, and transmission of personal data of E.U. residents without adhering to the more stringent requirements applicable to “data processors” under the Privacy Directive. As a result, the Framework has proven quite popular over the years and many businesses routinely seek the benefits of the Safe Harbor Framework program.

The FTC has brought a total of 26 actions to date dealing with non-compliance with the Safe Harbor Framework, with more than half of those actions being pursued since the beginning of 2014. These cases have snared companies large and small, including American Apparel, Reynolds Products, the Atlanta Falcons and Level 3 Communications. It’s very likely that in most of these instances the non-compliance resulted from inadvertently overlooking the annual self-certification obligation. The FTC’s actions also coincide with activity over the past year between U.S. and E.U. authorities to revamp and strengthen the Safe Harbor Framework program, which E.U. regulators generally view as being too lax.

For more information on Safe Harbor Compliance, contact your Cybersecurity and Data Privacy Counsel at Smith, Gambrell & Russell.
