We discussed the Safe Harbor Framework last month in some detail, but to summarize, it is a voluntary set of rules agreed between the European Commission and the US Department of Commerce with the aim of ensuring that US firms comply with EU data protection laws when handling EU citizens’ data.
As we reported, US companies widely flout this agreement, either by signing up to it but not abiding by its guidelines (a new report showed that almost 500 companies were guilty of this), or, even more widely, by displaying the Safe Harbor logo on their websites and/or stating that they abide by the Framework when in fact they have never signed up to it in the first place and in no way implement its proposals.
Until now the US Federal Trade Commission (FTC), whose job it is to enforce the Framework standards and deal with false claims, has shown little interest in doing so, and has instead insisted that the Framework protects EU citizens as it stands.
Frustrated at this lack of action by the FTC, and despite noises from the European Commission suggesting reforms to the Framework, the EU commissioner has proposed a new and separate EU data privacy bill, which it is hoped will be ready for adoption before the EU elections in May.
This has at last spurred the FTC into action, and it announced plans to settle with twelve US businesses for alleged breaches of the Framework, because they ‘deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework’.
In addition to sending out the message that businesses should not claim to be certified when they aren’t, the crackdown also sends the message that:
- self-certifications should be kept up-to-date by filing timely annual re-certifications
- privacy policies should make it clear that the business is self-certified, and that if it fails to live up to this self-certification then processes exist to address the matter
- businesses should meet the Framework guidelines in practice, not just on paper
Whether this move will have an impact on hardening EU attitudes remains to be seen, but it has been speculated that it may in fact have the opposite effect, deepening European concerns about data protection by US companies.
One option to allay fears that does not rely on regulation is to use Binding Corporate Rules (BCR), a voluntary set of policies agreed to by a business to abide by the Framework, but which are authorised and overseen by European Data Protection Authorities. Since the introduction of BCR rules in 2012, this solution has been shown to allow businesses a great deal of flexibility in managing their own data processing, while also affording a high degree of protection to users’ data.