Yesterday, the Federal Trade Commission ("FTC") announced that it had agreed to settle with 12 US businesses for alleged breaches of the US Safe Harbor framework. The companies involved were from a variety of industries and each handled a large amount of consumer data. But aside from the surprise of the large number of companies involved, what does this announcement really tell us about the state of Safe Harbor?
This latest action suggests that the FTC is ramping up its Safe Harbor enforcement in response to recent criticisms from the European Commission and European Parliament about the integrity of Safe Harbor (see here and here) - particularly given that one of the main criticisms about the framework was its historic lack of rigorous enforcement.
Background to the current enforcement
So what did the companies in question do? The FTC's complaints allege that the companies involved 'deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework'. Although participation in the framework is voluntary, if you publicise that you are Safe Harbor certified then you must, of course, maintain an up-to-date Safe Harbor registration with the US Department of Commerce and comply with your Safe Harbor commitments
Key compliance takeaways
In this instance, the FTC alleges that the businesses involved had claimed to be Safe Harbor certified when, in fact, they weren't. The obvious message here is don't claim to be Safe Harbor certified if you're not!
The slightly more subtle compliance takeaway for businesses who are correctly Safe Harbor certified is that they should have in place processes to ensure:
- that they keep their self-certifications up-to-date by filing timely annual re-certifications;
- that their privacy policies accurately reflect the status of their self-certification – and if their certifications lapse, that there are processes to adjust those policies accordingly; and
- that the business is fully meeting all of its Safe Harbor commitments in practice – there must be actual compliance, not just paper compliance.
The "Bigger Picture" for European data exports
Despite this decisive action by the FTC, European concerns about the integrity of Safe Harbor are likely to persist. If anything, this latest action may serve only to reinforce concerns that some US businesses are either falsely claiming to be Safe Harbor certified when they are not or are not fully living up to their Safe Harbor commitments.
The service provider community, and especially cloud businesses, will likely feel this pressure most acutely. Many customers already perceive Safe Harbor to be "unsafe" for data exports and are insisting that their service providers adopt other EU data export compliance solutions. So what other solutions are available?
While model contract have the benefit of being a 'tried and tested' solution, the suite of contracts required for global data exports is simply unpalatable to many businesses. The better solution is, of course, Binding Corporate Rules (BCR) - a voluntary set of self-regulatory policies adopted by the businesses that satisfy EU data protection standards and which are submitted to, and authorised by, European DPAs. Since 2012, service providers have been able to adopt processor BCR, and those that do find that this provides them with a greater degree of flexibility to manage their internal data processing arrangements while, at the same time, continuing to afford a high degree of protection for the data they process.
It's unlikely that Safe Harbor will be suspended or disappear – far too many US businesses are dependent upon it for their EU/CH to US data flows. However, the Safe Harbor regime will likely change in response to EU concerns and, over time, will come under increasing amounts of regulatory and customer pressure. So better to consider alternative data export solutions now and start planning accordingly rather than find yourself caught short!