Increased FTC Enforcement Makes Compliance with US-EU Data Transfer Regulations More Important

The Federal Trade Commission's recent focus on companies such as American Apparel Inc. that allegedly failed to comply with a U.S.-EU data transfer framework is only likely to grow more intense in the coming months, making it imperative that companies pay attention to renewal deadlines, regularly review their compliance and carefully track upcoming proposals to tighten the program.

In May, American Apparel became the latest of more than a dozen companies that have agreed since January to settle FTC allegations that they falsely claimed in privacy policies and elsewhere that they were complying with the safe harbor framework governing data transfers between the U.S. and European Union even though they had failed to renew their self-certification. The recent flurry of enforcement activity by the FTC coincides with widespread criticism that has been lobbed at the more than decade-old data transfer arrangement since former National Security Agency contractor Edward Snowden began leaking documents last June revealing the broad scope of the federal government's intelligence-gathering capabilities.

The European Commission sought to address the concerns in November, when it released a report that pushed for the tightening of transparency and oversight mechanisms in order to restore trust in the framework and similar data-sharing pacts. In its report, the commission specifically pushed the FTC and the U.S. Department of Commerce, which are responsible for enforcing the safe harbor, to ramp up their scrutiny of companies in the program, naming as one of their 13 recommendations that regulators single out a "certain percentage" of companies for targeted compliance reviews.

The safe harbor program dates back to 2000, when the Commerce Department worked with EU and Swiss authorities to create a mechanism that would allow U.S. companies to comply with EU and Swiss data protection law. Under the EU's 1995 data protection directive as well as under Swiss privacy law, personal data may only be transferred outside the EU to countries that have been formally recognized by the EU as ensuring an "adequate" level of data protection, a classification that has yet to be given to the U.S. The safe harbor framework bridges the gap by requiring U.S. companies to self-certify to the Commerce Department annually that they abide by seven privacy principles when transferring data outside the EU: notice, choice, onward transfer, security, data integrity, access and enforcement.

The recent FTC enforcement actions implicate companies as varied as National Football League franchises, broadband provider Level 3 Communications LLC and children's online gaming company Fantage.com Inc., illustrating the widespread need for an effective mechanism to transfer data between the two regions.

The case against American Apparel highlights the importance of the arrangement for the retail sector, especially e-commerce sites and multinational retailers that rely on cross-border data transfers to sell products to their customers and manage their employees. The actions that have been brought by the FTC since the beginning of the year hinge on technical compliance issues, most commonly the allegation that they had allowed self-certifications to lapse while continuing to tout compliance in privacy policies and other materials.

In order to avoid becoming the FTC's next target, companies that participate in the safe harbor program should put precautions in place to ensure that their yearly reminder from the Commerce Department to renew their self-certification doesn't fall through the cracks.

While the FTC has started its enforcement push by going after what attorneys noted can be perceived as low-hanging fruit, the regulator isn't expected to stop there. For example, the safe harbor principles require companies to give data subjects a chance to opt-out of having their data transferred outside the EU by providing them with a notice that clearly informs them in a timely manner about what data is being collected and what will happen to it.This issue of opt-out could potentially be the next area of enforcement for the FTC.

Attorneys also predict that the FTC will look to insert safe harbor compliance violations into broader enforcement actions alleging lax data security or privacy misrepresentations. The FTC demonstrated its willingness to take this approach in its privacy complaint against Myspace LLC in 2012, which included allegations that the site falsely claimed that it complied with the safe harbor principles that require that consumers be given notice of how their information will be used and the choice to opt out.

Besides ensuring that their policies are in sync with the current safe harbor requirements, companies should also keep a careful eye on how the European Commission's suggestions to overhaul the program — which U.S. and EU leaders have vowed to hammer out by the summer — play out.

While U.S. officials are unlikely to cave to all of their EU counterparts' demands, pressure to ease data protection concerns that threaten to hamper business for multinational companies in the bloc will spur the adoption of at least the proposals that require companies to be more transparent about their privacy practices, attorneys say.

Given the increased responsibilities that self-certified companies will likely soon face, attorneys recommend that businesses take steps now to understand their data flows and ensure that their policies keep pace with the rapidly evolving data transfer landscape.

Categories: Technology & Privacy