FTC Settles Actions Against Twelve Companies for Improperly Representing Safe Harbor Certification
Under the Safe Harbor framework, one of the methods by which companies can lawfully transfer personal information from the EU to the United States, companies self-certify that they adhere to the seven Safe Harbor privacy principles developed by the U.S. Department of Commerce and the European Commission.
The FTC did not claim that any of the companies failed to live up to the substantive requirements of the Safe Harbor privacy principles. Instead, the FTC alleged that all twelve companies stated in privacy policies or marketing materials that they were certified under the Safe Harbor, when in fact they did not maintain active certifications. The FTC also alleged that three of the companies misrepresented their certification in the Swiss-U.S. Safe Harbor program, which, similar to the EU-U.S. Safe Harbor, allows for transfers of personal information from Switzerland to the United States. One of the companies allegedly let its Safe Harbor certification lapse between April and November 2013 without removing Safe Harbor certification marks or claims from its website, and that was the sole basis for the FTC's complaint.
The terms of the settlements prohibit the companies from making further misrepresentations about their participation in privacy or security programs offered by the government or other standard-setting organizations, including self-regulatory bodies. If one of these companies were to violate the terms of the settlement, it would be subject to civil penalties of $16,000 per violation.
Several EU officials have argued in favor of suspending data transfers to the United States in light of surveillance revelations and perceived weaknesses in the U.S. privacy framework (for example, see here, here, here, and here). One of the concerns expressed by EU stakeholders has been the lack of Safe Harbor-related enforcement. These settlements will help the U.S. government continue to address such concerns.
In light of these Safe Harbor settlements, companies participating in Safe Harbor – or any standard-setting program for privacy or security practices, such as online behavioral targeting self-regulatory programs – would be prudent to take steps to confirm that they are living up to their commitments and formal certification requirements.