The Federal Trade Commission's recent focus on companies such as American
Apparel Inc. that allegedly failed to comply with a U.S.-EU data transfer
framework is only likely to grow more intense in the coming months, making
it imperative that companies pay attention to renewal deadlines, regularly
review their compliance and carefully track upcoming proposals to tighten
the program.
In May, American Apparel became the latest of more than a dozen companies
that have agreed since January to settle FTC allegations that they falsely
claimed in privacy policies and elsewhere that they were complying with
the safe harbor framework governing data transfers between the U.S. and
European Union even though they had failed to renew their self-certification.
The recent flurry of enforcement activity by the FTC coincides with widespread
criticism that has been lobbed at the more than decade-old data transfer
arrangement since former National Security Agency contractor Edward Snowden
began leaking documents last June revealing the broad scope of the federal
government's intelligence-gathering capabilities.
The European Commission sought to address the concerns in November, when
it released a report that pushed for the tightening of transparency and
oversight mechanisms in order to restore trust in the framework and similar
data-sharing pacts. In its report, the commission specifically pushed
the FTC and the U.S. Department of Commerce, which are responsible for
enforcing the safe harbor, to ramp up their scrutiny of companies in the
program, naming as one of their 13 recommendations that regulators single
out a "certain percentage" of companies for targeted compliance reviews.
The safe harbor program dates back to 2000, when the Commerce Department
worked with EU and Swiss authorities to create a mechanism that would
allow U.S. companies to comply with EU and Swiss data protection law.
Under the EU's 1995 data protection directive as well as under Swiss
privacy law, personal data may only be transferred outside the EU to countries
that have been formally recognized by the EU as ensuring an "adequate"
level of data protection, a classification that has yet to be given to
the U.S. The safe harbor framework bridges the gap by requiring U.S. companies
to self-certify to the Commerce Department annually that they abide by
seven privacy principles when transferring data outside the EU: notice,
choice, onward transfer, security, data integrity, access and enforcement.
The recent FTC enforcement actions implicate companies as varied as National
Football League franchises, broadband provider Level 3 Communications
LLC and children's online gaming company Fantage.com Inc., illustrating
the widespread need for an effective mechanism to transfer data between
the two regions.
The case against American Apparel highlights the importance of the arrangement
for the retail sector, especially e-commerce sites and multinational retailers
that rely on cross-border data transfers to sell products to their customers
and manage their employees. The actions that the FTC has brought since
the beginning of the year hinge on technical compliance issues, most commonly
the allegation that the companies allowed their self-certifications to lapse
while continuing to tout compliance in privacy policies and other materials.
In order to avoid becoming the FTC's next target, companies that participate
in the safe harbor program should put precautions in place to ensure that
their yearly reminder from the Commerce Department to renew their self-certification
doesn't fall through the cracks.
While the FTC has started its enforcement push by going after what attorneys
noted can be perceived as low-hanging fruit, the regulator isn't expected
to stop there. For example, the safe harbor principles require companies
to give data subjects a chance to opt out of having their data transferred
outside the EU by providing them with a notice that clearly informs them,
in a timely manner, about what data is being collected and what will happen
to it. This opt-out requirement could potentially be the next area of enforcement
for the FTC.
Attorneys also predict that the FTC will look to insert safe harbor compliance
violations into broader enforcement actions alleging lax data security
or privacy misrepresentations. The FTC demonstrated its willingness to
take this approach in its privacy complaint against Myspace LLC in 2012,
which included allegations that the site falsely claimed that it complied
with the safe harbor principles that require that consumers be given notice
of how their information will be used and the choice to opt out.
Besides ensuring that their policies are in sync with the current safe
harbor requirements, companies should also keep a careful eye on how the
European Commission's suggestions to overhaul the program —
which U.S. and EU leaders have vowed to hammer out by the summer — play out.
While U.S. officials are unlikely to cave to all of their EU counterparts'
demands, pressure to ease data protection concerns that threaten to hamper
business for multinational companies in the bloc will spur the adoption
of at least the proposals that require companies to be more transparent
about their privacy practices, attorneys say.
Given the increased responsibilities that self-certified companies will
likely soon face, attorneys recommend that businesses take steps now to
understand their data flows and ensure that their policies keep pace with
the rapidly evolving data transfer landscape.