Interview with Christopher Wolf

Christopher Wolf
Partner
Hogan & Hartson

December 2009

Subject: EU-US Safe Harbor

Nymity: In a nutshell, what is the EU-US Safe Harbor, to whom does it apply and who enforces it?

Wolf: As your readers know, the EU Directive on Data Protection went into effect in October 1998.  In addition to the protections it provides persons in the EU, the Directive prohibits the transfer of personal data from EU countries to non-EU nations that lack "adequate" privacy protections.  That prohibition on cross-border data transfer has the potential of interfering with global commerce.  Adequacy is defined by the protections that exist under the EU regime, which are comprehensive, albeit criticized by some as too bureaucratic.  The absence of a comprehensive regime in the US and the difference in the US approach to protection of personal privacy is deemed by the EU authorities to be inadequate for purposes of cross-border transfers of data from the EU to the US.

Some characterize the US approach to privacy as "targeted", focusing on sectors of business holding the most sensitive data (health, financial, those that deal with kids, etc.); prohibiting unfair and deceptive data practices; encouraging data security by requiring disclosure of breaches;  and relying on targeted enforcement as an important part of the privacy framework.

Still, the EU deems the protections in the US inadequate for purposes of cross-border transfer. There are three principal methods to legally export data from the EU to the US and overcome the prohibition against export to a country deemed to lack adequate protections.  The first two are through so-called "model contracts" and "Binding Corporate Rules".  The third is pursuant to a "Safe Harbor" framework that the EU and US agreed upon in 2001. To participate in the Safe Harbor, a U.S. company self-certifies to the U.S. Department of Commerce that it will follow the Safe Harbor Privacy Principles, which contain the core requirements of the EU Data Protection Directive (notice, choice, access, security, protection in onward transfers, data integrity, and enforcement).

The company also is to publicize its adherence to the Safe Harbor Principles on its website. The Federal Trade Commission (FTC) is charged with enforcement of the Safe Harbor undertakings under Section 5 of the Federal Trade Commission Act, which governs deceptive and unfair business practices.  In other words, a company that commits publicly to adhering to the Safe Harbor principles (and that it has so certified to the Department of Commerce) is subject to enforcement by the FTC if it does not do so.  Companies must do what they promise to do.

Nymity: Earlier this year the FTC settled with six companies claiming to comply with an international privacy framework. Who filed the complaints and why?

Wolf: In its first wave of Safe Harbor enforcement actions, the Federal Trade Commission announced settlements on October 6th with 6 companies over misrepresentations that they were current with their Safe Harbor certifications.  In each case, the company had self-certified its compliance with the Safe Harbor Program through the Department of Commerce, but did not keep its annual certification current, while still representing that it was a valid member of the Safe Harbor Program. The FTC brought the enforcement actions under its Section 5 authority, alleging that the companies' misrepresentations were deceptive.  The scope of the FTC's actions is limited to the companies' lapsed certification and did not address whether the companies were compliant with the substantive requirements of the Safe Harbor Program.

The key take-away from these actions is that the FTC is going to be more pro-active in its scrutiny of members of the Safe Harbor Program.  We anticipate more enforcement actions under Section 5 based on misrepresentations about compliance with Safe Harbor obligations, and likely further actions against companies with lapsed certifications.

Nymity: Since the adoption of the Safe Harbor arrangement, what had been the enforcement history?

Wolf: Despite the fact that the EU-US Safe Harbor arrangement has been in effect for most of the decade, these were the very first enforcement actions.

Nymity: What is required in the settlement agreements?

Wolf: The settlements with the companies, which became final in November, prohibit each company from making misrepresentations about its membership in any privacy, security, or any other compliance program sponsored by the government or any other third party.  In addition, the proposed terms require each company to comply with reporting and compliance obligations, including the retention of documents relating to its compliance with the order for 5 years and initial compliance reports to the FTC.

Nymity: What FTC activities are possible or expected related to the Safe Harbor Framework in 2010?

Wolf: We know that the new FTC leadership is committed to more aggressive enforcement of privacy laws, and now that the precedent has been set for enforcement under the Safe Harbor -- even given the rudimentary focus of the first enforcement action -- I expect to see more Safe Harbor enforcement in 2010.  We also know that the FTC is re-examining the current privacy regime, focusing on whether regulatory frameworks built during the mainframe era need retooling in light of technology advancement.  In the era of social networks, behavioral advertising, cloud computing, and electronic discovery in civil litigation, data transfer issues are increasingly complicated.  So we may hear from the FTC on whether the Safe Harbor is fully relevant to the modern era.

Nymity: Do you expect to see alternative methods more frequently employed by parties seeking to transfer data from the EU to the US, other than through the Safe Harbor framework?

Wolf: The big news this past year had to do with Binding Corporate Rules (BCRs) becoming a more attractive option for companies that transfer data from the EU to the United States and elsewhere.  A number of countries have agreed to a "mutual recognition procedure" that makes it much easier to get approvals of BCRs throughout the EU.  Previously, companies had to have their BCRs approved by the Data Protection Authorities (DPAs) in multiple countries, in a long and costly process. Under the new procedure, once a lead data protection authority approves the BCRs, a large number of EU DPAs have agreed, under the mutual recognition process, to endorse the lead authority's approval and follow the lead authority by providing their own approval.

So, this past year saw Accenture, eBay and Hyatt Hotels adopt BCRs under the mutual recognition process, as a means of cross-border personal data transfers.  BCRs allow companies to transfer data around the world using a single set of rules, and BCRs can also be used to provide overall data protection compliance for a company.  My prediction is that we will see a rise in the number of multi-national companies using BCRs as a means of data transfer.  At the same time, I expect the Safe Harbor to continue gaining momentum for US companies seeking a legal means of transferring data from the EU to the US.
