In the wake of Edward Snowden’s intelligence leaks and increasing concerns about the use of personal information, the Center for Digital Democracy recently filed a Federal Trade Commission complaint alleging that 30 US data brokers and data management firms had violated the European Union’s Privacy Directive Safe Harbor framework. According to the CDD, the collection of private data of EU residents, including online tracking, purchasing history, addresses, income and family structures, violates the EU Safe Harbor commitments made by the companies as required by the EU Privacy Directive.

What is the Safe Harbor Framework and Why is it Useful?

The EU Privacy Directive establishes the protection of one’s personal data as a fundamental human right and prohibits the transmission of such data outside of the EU unless the covered entity or individual can certify that “adequate safeguards” are in place. This, of course, raises issues when EU-protected personal data needs to be sent cross-border to U.S. businesses, because the EU does not view the U.S. as having adequate safeguards.

Exceptions are made where U.S. companies use EU-approved standard contractual clauses (SCCs), which embody key EU privacy principles. In the case of transfers of personal data across EU borders within a multinational corporation, the EU has issued approved binding corporate rules (BCRs).

Yet the biggest exception to the directive’s prohibitions on transmission of personal data is the EU’s “safe harbor”. Under that safe harbor, data can be transmitted to third party nations where “the third country in question ensures an adequate level of protection and the [EU] laws implementing other provisions of the Directive are respected prior to the transfer.” Companies seeking the protection of the safe harbor certify their compliance with the Directive’s seven privacy principles and subject themselves to enforcement by the Federal Trade Commission in the event of non-compliance. More than 3,000 U.S. businesses have enrolled in the Safe Harbor program, and it underlies millions of data transfers from the EU.

U.S. Criticized for Lax Enforcement of Safe Harbor

The EU Data Protection Authority and the CDD have each recently criticized the FTC for its weaker enforcement of what the EU deems to be privacy violations. And the CDD’s complaint alleges more than just personal data has been used by the 30 companies it targeted in its FTC complaint. As CDD’s Legal Director Hudson Kingston has explained, “CDD’s complaint describes the systemic failure of the Safe Harbor to function as it was intended. Companies are flouting standards that the Department of Commerce agreed to and the Federal Trade Commission pledged to enforce . . . The fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.”

Jeff Chester, CDD’s executive director, further elaborated in a statement: “Instead of ensuring that the U.S. lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC. The Big Data-driven companies in our complaint use Safe Harbor as a shield to further the information-gathering practices without serious scrutiny . . . Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online

FTC Steps Up Safe Harbor Enforcement

In an apparent response to some of these criticisms, the FTC has started to pursue safe harbor violations more actively in 2014. In January of this year, the FTC announced it had settled privacy violations with 12 companies. Then, in June 2014, the FTC announced that it had settled privacy violations under the safe harbor with 14 U.S. companies. We expect increasing enforcement to continue in light of actions like the CDD complaint.