Highlights of Safe Harbor: Staying Alive?
We reviewed the weaknesses of the Safe Harbor from the start, as a political compromise, and underlined that Safe Harbor has always been a voluntary commitment, with an incomplete and imperfect “match” to European data protection laws and enforcement authority. If an organisation signs up to it, the Federal Trade Commission (FTC) can theoretically take action on the basis that a participant has committed an unfair or deceptive practice. The FTC is a five-member commission with narrowly defined statutory authority to enforce against unfair and deceptive trade practices, wholly separate from the U.S. Department of Commerce, which simply administers the registration process. The FTC has no authority over financial services, insurers, or common carriers (such as telecoms), and as a budgetary and historic matter, directs its enforcement priorities to matters impacting U.S. consumers. The FTC does take frequent and aggressive enforcement action in the areas of privacy and data security against U.S. companies, and has tacked on some Safe Harbor-related findings in enforcement actions against Facebook, Google and Facebook. However, as a general matter, it does not conduct substantive reviews or audit compliance with the Safe Harbor framework. Enforcement actions against other companies have been limited to very obvious instances of non-compliance, such as falsely posting in a privacy policy that a company had signed up to the framework, or allowing a certificate to lapse. In short, the FTC is not similar to a European data protection authority in many ways, and of course, with regard to the CJEU decision, has no jurisdiction or say in matters pertaining to U.S. Government access to communications or other personal data through law enforcement or intelligence gathering methods.
Full report available to Event Participants and Report Subscribers.