Earlier this year, 12 United States (US) business were identified as having violated their EU Safe Harbor attestations; essentially these companies had falsely claimed compliance (or allowed their compliance status to lapse) with the international privacy framework. Despite the rift caused by Edward Snowden’s testimony and assertions of the lack of US privacy controls, US firms receiving EU protected data are expected to comply with the EU regulation. Firms that have attested to compliance with EU Safe Harbor should obviously be mindful of their compliance obligations, or risk similar charges by the FTC. Let’s take a brief look at how we got here, where we are headed, and what it means to US companies receiving EU Safe Harbor protected data.
The European Commission’s Directive on Data Protection, enacted October 1998 prohibits the transfer of European Union (EU) residents’ personal data to non-EU countries if they do not meet the EU’s “adequacy” standard for privacy protection. In other words, transferring EU residents’ personal data to the US does not comply with the EU Directive and therefore is illegal. The US privacy practices do not meet the adequacy standards as dictated by the EU law. These standards have specific principles that must be followed regarding data accuracy, availability, permissible use, collection, security, and retention.
Stopping the flow of data between the EU and the US would have significant economic and political ramifications. Recent events suggest institutionalized holes in US data protection. With this in mind as well as other incidents, the EU Parliament overwhelming voted in favor of suspending the program. However, the ruling body also agreed to not alter the program until at least 2015. This suggests political posturing, but also the need for the US to revisit its position on data privacy, at least for personal data originating from the EU.
IMPLICATIONS for the US
It also appears that the intent of the EU Parliament’s decision on this topic was to strongly encourage the US to strengthen its data sharing practices and provided assurances. That discussion also included material concerns that the now infamous NSA whistleblower – Edward Snowden – publicly characterized as routine lax (data) sharing principles in the US. So what are the near and long term ramifications and must US businesses still comply with EU Safe Harbor? Fundamentally the requirements to comply with the EU Safe Harbor law have not changed. However, the assertions made by Snowden about lax data privacy controls may have raised the scrutiny of the EU, thus pressing the US FTC to act more swiftly in helping to enforce compliance with the EU law, as evidenced by January 2014 FTC settlements with the 12 companies found to have falsely attesting to EU Safe Harbor compliance.
A SEA CHANGE or BABY STEPS – an effort to smoothing the ruffled feathers of EU Parliament regarding taking EU Safe Harbor seriously
Either way, likely next steps will include various US government agencies taking an interest in an effort to improve international relationships, thus sending a message to US businesses that attesting and complying with EU Safe Harbor is an obligation that needs to be taken seriously. Otherwise, noncompliance will likely become a lucrative revenue stream (in the form of fines and monetary settlements).
US COMPLIANCE ENFORCEMENT
The January 2014 FTC news release, by FTC Chairwoman Edith Ramirez, ““Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These 12 cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program.”
PROTECT YOURSELF – BE COMPLIANT
So what should US companies that receive EU Directive protected data be doing to help ensure their compliance? If your US organization is attesting, immediately revisit your program and the effectiveness of the controls in place for compliance. If there is any compliance uncertainty, consider an exhaustive internal audit or consider employing an objective management consulting firm specializing in EU Safe Harbor compliance. Second, for those organizations that have never attested, but are receiving EU protected data, consider attesting; otherwise you may end up on the US FTC’s wall of shame and be subject to monetary penalties for violating the EU law. Either course will improve your organization’s position by reducing the regulatory risk, and if the compliance program is implemented correctly you will improve your organization’s image and brand reputation.
The twelve companies are:
- Apperian, Inc.: Company specializing in mobile applications for business enterprises and security
- Atlanta Falcons Football Club, LLC: National Football League team
- Baker Tilly Virchow Krause, LLP: Accounting firm
- BitTorrent, Inc.: Provider of peer-to-peer (P2P) file sharing protocol
- Charles River Laboratories International, Inc.: Global developer of early-stage drug discovery processes
- DataMotion, Inc.: Provider of platform for encrypted email and secure file transport
- DDC Laboratories, Inc.: DNA testing lab and the world’s largest paternity testing company
- Level 3 Communications, LLC: One of the six largest ISPs in the world
- PDB Sports, Ltd., d/b/a Denver Broncos Football Club: National Football League team
- Reynolds Consumer Products Inc.: Maker of foil and other consumer products
- Receivable Management Services Corporation: Global provider of accounts receivable, bankruptcy and other
- Tennessee Football, Inc.: National Football League team