Remaining in Safe Waters – Global Privacy Book

Francoise Gilbert

How to Ensure Continued Compliance with The Safe Harbor Requirements

The Safe Harbor created by the US Department of Commerce and the European Commission provides a convenient way for US companies with limited global transactions to address the “adequacy” requirement under the national laws of the European Union Member States. Being self-certified under the US Department of Commerce Safe Harbor allows them to reduce the amount of red tape that usually accompanies the transfer of personal data to the United States and from a European Union Member State, and EEA Member State or Switzerland.

However, the initial self-certification filing is only one of many obligations. In order for the self-certification to remain valid, the company must re-certify each year of its compliance with the Safe Harbor Principles and pay the related fee to the Department of Commerce. When a company wishes to renew its self-certification, it must go through the same due diligence as for the initial filing, and… much more.

Initial Self-Certification

Self-certification of a company’s compliance with the Safe Harbor Principles is a multiple step process. In order to prepare for the filing of the required documents with the US Department of Commerce, the company must go through a comprehensive analysis and evaluation that is necessary and appropriate to self-certify that its privacy policies and procedure comply with the Safe Harbor Principles

In its self-certification papers, the company represents that it does have the policies and procedures described in these documents. An “omission” or a misrepresentation exposes the entity to severe penalties for breach of Section 5 of the FTC Act, which prohibits unfair or deceptive practices.

Re-certification Process

Many companies are unaware of the extensive requirements and commitments that attach to the filing of the re-certification documents. These documents must be signed and approved by a corporate officer of the company (typically the CEO or the General Counsel), and must attest and verify that the company is complying with specific requirements. Thus, it is very important to pay attention to the many legal requirements that are associated with the recertification process.

Like for the initial filing, an error in the re-certification documents exposes the entity to enforcement action and severe penalties. The “error” could be found a “misrepresentation” and the company might be sued under Section 5 of the FTC Act for unfair or deceptive practices.

Annual Verification

The documents that are to be filed with the US Department of Commerce as part of the renewal of the certification must verify the following:

The published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented, and accessible;
The privacy policy conforms to the Safe Harbor Principles;
Individuals are informed of how complaints are handled, and the independent mechanisms through which they may pursue complaints;
The organization has in place procedures for training employees in its implementation, and disciplining them for failure to follow it;
The organization has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Audit or Assessment

In order to be comfortable signing this statement, it is prudent that an “audit” or “privacy assessment” or “compliance review” be conducted. This audit should allow to verify and be satisfied that the statements and commitments made in the privacy policy are accurate, that appropriate training is conducted, and that a dispute resolution procedure in place.

Companies may elect to conduct this audit internally. Law firms and consulting firms that focus on information privacy and security matters also conduct these audits.

Companies should not wait until the last minute to conduct or have conducted this audit. They must plan sufficient time to address any of the deficiencies that the audit might have identified. Otherwise, the representations made in their self-certification renewal papers would be inaccurate, misleading, or fraudulent.

Record Keeping

In addition, to the representations listed above, the Department of Commerce requires companies to retain appropriate records on the implementation of their safe harbor privacy practices. In other words, not only must a company represent that it has in place the required processes, procedures and policy, but it must also have a written record that documents the investigation conducted, the deficiencies identified, and the actions taken.

These records are to be made available upon request in case of an investigation or a complaint about non-compliance, or investigation about unfair and deceptive practices by a law enforcement agency – most likely the Federal Trade Commission.

FTC Enforcement – Twenty-Year Injunction

The FTC has already conducted enforcement actions and has prosecuted businesses for their misrepresentations in connection with Safe Harbor self-certification. These companies were charged for falsely claiming that they held current certification under the Safe Harbor program. See, for example, this consent agreement (pdf): http://www.ftc.gov/os/caselist/0923137/091006worldinnovatorsagree.pdf

The consent decrees with each of these businesses include reporting requirements, whereby marketing and advertizing documents claiming compliance with the Safe Harbor principles must be filed with the Commission. In addition, each company is enjoined for 20 years from misrepresenting in any manner that it complies with or adheres to any privacy, security, or other compliance program sponsored by the US government or any other entity.

For more information

For additional information on the Safe Harbor, see Chapter 9 of Francoise Gilbert’s two-volume treatise Global Privacy and Security Law.