Anita Ramasastry

The EU-US Safe Harbor Does Not Protect US Companies with Unsafe Privacy Practices

By ANITA RAMASASTRY
Tuesday, November 17, 2009

Recently, the Federal Trade Commission (FTC) has gotten tough with US companies that have not lived up to their own privacy promises to European consumers. In particular, it has filed complaints against seven US companies that claimed that they were adhering to the European Union's Safe Harbor Program, but allegedly were not. (The FTC issues or files a complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaints themselves are not a finding or ruling that the named parties have violated the law.)

By taking action, the FTC has shown that the Safe Harbor program, as applied to US companies, is not a set of empty promises. Rather, the FTC is keeping watch over businesses and will sanction those that misrepresent their own policies.

In this column, I will explain how the Safe Harbor program works, and also discuss the recent FTC enforcement actions.

The Genesis of the EU/US Safe Harbor Program

The European Union (EU) Data Protection Directive requires EU member countries to put in place legislation that prohibits the transfer of personal data outside the EU, unless the EU has made a determination that the laws of the other country provide "adequate" protection for personal data. In the late 1990s, the EU determined that the laws of the United States did not meet its adequacy standard.

This was no great surprise. The EU has long had a privacy framework for the collection of consumer information that is different – and, some say, more restrictive -- than privacy practices in the US. In the US, for example, we rely more heavily on industry self-regulation to govern the manner in which e-commerce companies collect our data when we purchase something online. American e-commerce retailers and other sites often have privacy policies that explain how and why a company will use our data once they have collected it. (Thus, when Facebook recently got into hot water for trying to amend its privacy policy and Terms of Use – a controversy I covered in an earlier column -- that was a matter between the company and its users, not between the company and the government.)

As e-commerce began to grow, the EU and the US engaged in protracted negotiations over when and how US companies could collect personal data about EU consumers, such as may occur during e-commerce transactions. As a result, the US Department of Commerce and the EU together rolled out the Safe Harbor Program, which went into effect in November 2000.

The Safe Harbor Program allows US organizations that are under the jurisdiction of the FTC or the US Department of Transportation to transfer consumers' personal data lawfully from the EU if they enroll in the program. In effect, a business receives a legal safe harbor from prosecution or enforcement, as long as it remains registered and self-certifies to the US Department of Commerce that it complies with a set of seven data-privacy principles. Then, to maintain its certification to the Safe Harbor program, a company must re-certify its compliance annually. The Department of Commerce posts and maintains a list of all currently-certified companies.

One of the seven principles covers notice: Organizations must notify individuals about the purposes for which their personal information is collected and used, and tell them how to contact the business with questions or complaints.

Another principle concerns choice: Individuals must be given an opportunity to opt out of sharing their personal information with a third party, and to opt out before the information is used for a purpose different from the original purpose for which the information was collected. For sensitive information (e.g., information about race, religion, or sexual preferences), individuals must be given an affirmative or explicit choice before their information is shared with a third party or used for a purpose other than its original purpose.

A third principle concerns access: Individuals must have access to their personal information, and be able to correct, amend, or delete their information where inaccurate (except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy).

Finally, the remaining four principles relate to third-party transfers (also known as "onward transfers") of data; data security; data integrity; and enforcement.

The FTC's and Other Entities' Power to Enforce the Safe Harbor

As part of their safe harbor obligations, US businesses are required to have a dispute resolution system in place in case an EU citizen feels that a company has not properly handled his or her personal data. Many companies have signed up for dispute resolution and privacy trust programs with third parties such as the Better Business Bureau Online or TrustE, which handle Safe Harbor disputes.

Moreover, depending on the type of industry, the FTC, other US government agencies, and/or state regulators may also enforce the Safe Harbor Principles. When a company has a voluntary privacy policy and scheme in place, its failure to comply with its scheme (if it has made its privacy practices part of its agreement with consumers) may be actionable under federal or state law prohibiting unfair and deceptive trade practices.

A company under the FTC's jurisdiction that self-certifies its compliance with the Safe Harbor principles, but that fails to implement them may be subject to an enforcement action under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices.The FTC has the power to sanction a company for its misrepresentations by seeking administrative orders and civil penalties of up to $12,000 per day for violations. It may also seek an injunction to stop companies from actions that are not in compliance with the Safe Harbor.

After a Decade without Enforcement Actions, the FTC Proceeds Against Seven Companies

For nearly a decade, the FTC brought no enforcement actions against US companies with respect to the Safe Harbor. Accordingly, privacy experts wondered whether the Safe Harbor had any teeth. But now, as noted above, the situation has changed dramatically. In just the last two months, the FTC has entered into settlements with six US companies, and has obtained an injunction against a seventh, for failing to live up to their own statements about complying with the Safe Harbor. As a result, US companies are well-advised to examine their privacy practices to ensure their continued compliance.

In September 2009, the FTC obtained a temporary restraining order against Balls of Kryptonite, LLC, after alleging that the company misled consumers by inaccurately representing that it had self-certified to the US Department of Commerce that it was complying with the Safe Harbor. The FTC successfully argued that, regardless of the company's data privacy practices, its falsely claiming to be Safe Harbor-certified could itself constitute a violation of the FTC Act. Thus, the court order in the case prohibits the defendants from misrepresenting the extent to which they "are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party."

Then, on October 6, 2009, the FTC announced proposed settlements with six more companies. In six separate complaints, the FTC alleged that ExpatEdge Partners LLC; Onyx Graphics, Inc.; Directors Desk LLC; Collectify LLC; and Progressive Gaitways LLC had deceived consumers by representing to the public that they had current certifications to the Safe Harbor program when, in fact, their certifications had lapsed and had not been recertified. The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security, or other compliance program.

The proposed FTC settlement agreements highlight the point that companies that are certified to the Safe Harbor program should make sure that their certifications remain current. If companies wish to cease Safe Harbor participation, they should make sure to delete any reference to the Safe Harbor on their Website, and in their marketing materials, and other promotional literature. In the FTC enforcement actions I have described, the companies had let their Safe Harbor certifications lapse, yet exhibits to the FTC's complaints included printouts from their Websites in which they continued to claim Safe Harbor membership.

What the Future May Hold For Safe Harbor Enforcement

The FTC's recent enforcement actions should serve as a sharp wake-up call to any US companies that had been lulled into complacency during the nine years since the Safe Harbor program was launched. All US companies that receive personal information from EU citizens under the Safe Harbor should review their Safe Harbor compliance programs. For those companies that have played it safe, the Safe Harbor remains a viable way for them to transact business with the EU.


Anita Ramasastry, a FindLaw columnist, is the D. Wayne and Anne Gittinger Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, computer data security issues, and other legal issues for this site, which contains an archive of her columns.

Ramasastry is currently on leave from the University to work for the federal government. Theviews expressed in this column aresolely those of Ramasastry in her personal capacity anddo not necessarily represent the views of any of her employers, past or present.

Ads by FindLaw