FTC Beat
Posts Tagged ‘Safe Harbor’
Aug 28
2017

A Giant Demanding Piece of … Restrictiveness: Do you need to pay attention to the coming GDPR?

GDPR. If you see those letters and think it is an acronym for Gosh Darned Pain in the Rear (or an edgier equivalent) you are in large-part correct.  But if you don’t know any more than that, and you are a company with any ties to Europe, then you need to read further.

GDPR, the General Data Protection Regulation, is an extensive and broad-reaching regulation issued by the European Union dealing with how companies (including U.S. companies) process the data of people living in the E.U.  It replaces the E.U. Data Protection Directive and is slated to take effect May 25, 2018.

Companies that fall under the regulation’s requirements need to ensure (1) individuals’ data they are processing is secure in their hands, (2) that they have individuals’ consent to process it (or have an enumerated reason they don’t need consent), and (3) that they will keep individuals notified of individuals’ rights and developments surrounding the use of their data.

If you are a U.S.-based company, with little European presence, you may slough off the idea of getting into GDPR compliance. You may have analyzed the GDPR’s predecessor (the Data Protection Directive), decided that it didn’t implicate you, and assume the GDPR won’t implicate you either. Or you may have relied upon the Safe Harbor and assume you can continue to operate under that. Don’t draw assumptions. Don’t ignore the regulation. If you do, and you are ultimately found to have violated it, you could face some hefty penalties. Under the GDPR, there are two sets of thresholds for administrative fines[1]:

  • Up to €10million (almost US$ 12million) or up to 2% of global revenue, whichever is higher, for certain violations, including failure to implement data protection by design, failure to maintain written records, to report breaches when required; and
  • Up to €20million (almost US$ 24million) or up to 4% of global revenue, whichever is higher, for other violations, including failure to adhere to basic processing principals such as consent, notification of individuals’ rights, and international transfers.

These fines are meant to catch attention. Hopefully, they caught yours. They may inspire you to do a double take to see whether or not your business will be subject to the GDPR. The GDPR has a broader reach than the earlier Data Protection Directive. Moreover, the Safe Harbor is no longer valid.  It has been replaced by a “Privacy Shield” regime – which applies to data that companies transfer from the E.U. to the U.S.  But even the Privacy Shield is on shaky ground and it may not be enough to shield companies (so to speak) from liability for GDPR violations. GDPR is broader, covering information on E.U. residents even if the data is not transferred across borders – and instituting stricter measures in terms of how data should be handled.

Here are some questions you should ask to help you determine whether you need to prepare for the GDPR:

  • Do you have an E.U. office, or even a company representative who operates out of Europe?

If you have any real and effective European activity through stable arrangements (terms in italics represent terms used by E.U. courts to define implicated businesses), then you will be subject to the GDPR even if you do not process personal data in the E.U. So long as the data processed in the context of the European activities, the GDPR applies.

  • Are you outside of the E.U., but process data about E.U.-based individuals in connection with offering goods or services?

It does not matter whether or not there is any payment involved in the offer. Your offers can be free of charge and you are still implicated by the rule. So long as your company anticipates activity directed at E.U. individuals (e.g., you suggest items in E.U. currency or pay a search engine to increase access to E.U.-based people), you are implicated.

  • Are you outside of the E.U., but monitor the behavior of individuals in the E.U.?

If you track E.U.-based individuals online to create profiles, or to analyze or predict preferences, you are implicated.

The long and short is that, if you touch Europe, directly or remotely, in your operations and you process data that incorporates E.U. individuals, you should spend time assessing GDPR compliance.

For starters:

  • Review your E.U.-focused actual or directed information
  • Review the type of information you collect/use
  • Review the types of consent obtained and notifications on data usage provided
  • Review your service contracts to determine your company’s role in data processing and follow-on companies’ roles in data processing

[1] We will treat the E.U.’s ability to enforce these penalties in a later post, but assume they will be able to reach your assets.

Jan 22
2014

FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current

Once again using its administrative litigation process, the Federal Trade Commission (“FTC”) announced settlements with twelve large businesses, including the Atlanta Falcons and Denver Broncos football teams, the Baker Tilly accounting firm, BitTorrent, Inc., a peer-to-peer file sharing protocol, Level 3 Communications (one of the largest Internet service providers in the world), and Reynolds Consumer Products, all relating to alleged deceptive claims of U.S.-E.U Safe harbor certifications.

The “Safe Harbor” certification, overseen by the U.S. Department of Commerce, is a voluntary privacy certification; however, it requires an annual reaffirmation to maintain “current” certification status.  The FTC filed complaints against these companies alleging that the organizations made statements in their privacy policies or displayed the Safe Harbor certification mark indicating that they held current Safe Harbor certifications, even though these companies had allowed their certifications to lapse.  The European Commission has recently criticized what it views as lax enforcement of the Safe Harbor process in the U.S., and issued a report with recommendations for improvements.    The European Commission will review its participation in the Safe Harbor framework in a decision to be issued by summer 2014.

As background, European Union countries have strict standards regarding the transfer of personal information outside of the EU.  Back in 2000, the U.S. Department of Commerce and the European Commission negotiated the U.S.-EU Safe Harbor Framework..  This “Safe Harbor” permits U.S. companies to transfer personal data lawfully from the EU.  To participate in the Safe Harbor, a company must self-certify to the Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard for ensuring the protection of personal data.  These principles are: notice, choice, onward transfer (i.e., transfer to third parties), access, security, data integrity, and enforcement.  A company’s privacy policy must address these principles. The FTC, among other agencies, may enforce Safe Harbor compliance.

The process is entirely voluntary.  Once a company self-certifies to the Department of Commerce and Commerce reviews and accepts the filing, a company may state that it has certified compliance with the Safe Harbor. Most companies state this certification in their privacy policies. Organizations may use the Safe Harbor “seal” on their websites and elsewhere.  Annually, by the anniversary of its original filing date, a company must “reaffirm” its compliance in order for its certification to remain current.

The FTC’s action this week alleges that the twelve companies stated that they held current certifications under the U.S.-E.U. (and in three cases, the similar U.S. –Swiss) Safe Harbor frameworks, when in fact the certifications were not current.  Companies which have self-certified compliance with the Safe Harbor framework should check their certifications to ensure they are up-to-date with their annual reaffirmations.  The Department of Commerce maintains a public database listing the status of every self-certifying company. While the annual reaffirmation is not an overly taxing task, the FTC’s settlements with these companies demonstrate that the agency is taking its Safe Harbor enforcement role seriously and that it is monitoring compliance.

While the proposed settlements do not contain monetary penalties, the companies are barred from any further misrepresentations about their participation in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The organizations must also maintain relevant advertisements and promotional materials for five years, and the consent order (once approved) would be in place for 20 years. The proposed settlements are subject to public comment for 30 days and then require final approval of the FTC commissioners.

In privacy law and FTC enforcement, in particular, a guiding principle is “if you say it, do it, and if you don’t do it, don’t say it.”  The FTC’s action on Safe Harbor enforcement is a good lesson – companies should review their privacy policies to make sure they are up-to-date, accurate, and reflect current practices, including ensuring any certifications are up-to-date.  While the U.S.-EU Safe Harbor certification is voluntary, companies must complete their annual reaffirmations on time or risk enforcement.

posted in:
Uncategorized
Connect with Us Share

About Ifrah Law

FTC Beat is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, health care, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen and George Calhoun, counsels Jeff Hamlin and Drew Barnholtz, and associates Rachel Hirsch, Nicole Kardell, Steven Eichorn, David Yellin, and Jessica Feil. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website

Popular Posts