Twelve US companies settle FTC claims of Safe Harbor misrepresentation

Twelve US companies have allowed their US-EU Safe Harbor certification to expire, but continued to display certification seals on their websites. When pressed by the FTC, all 12 companies quickly agreed to settle the FTC complaints. Settlement details have not yet been released.

US Companies allowed their self-certifications to lapse

What is the US-EU Safe Harbor Certification?

The European Union Data Protection Directive acts to restrict the private data storage, use, and transmission among participating EU states. The directive’s seven principles are:

  1. Notice – people should know that data is being collected
  2. Purpose – data should only be used for stated purposes
  3. Consent – people should be required to give consent for data disclosure
  4. Security – data should be kept secure
  5. Disclosure – people should know who is collecting their data
  6. Access – people should be allowed to access their data and make corrections to any inaccurate data (for example, if a credit reporting agency incorrectly lists an account)
  7. Accountability – people should be able to hold companies accountable when they mess up

EU companies must abide by each local EU state’s enforcement laws in order to do business. International businesses must abide by the same protection laws, and if they don’t, they won’t be allowed to transfer personal data into or out of the EU countries. Obviously, compliance with so many different local data laws is difficult; the US attempts to solve this problem with the Safe Harbor Certification. If a US company self-certifies that it complies with all seven principles, it can operate within the EU countries without hassle. This self-certification needs to be renewed once a year, and if a company fails to do so, as these 12 companies did, it must remove all certification marks from its websites. If it doesn’t, the FTC will investigate and fine it.

Which US Companies let their certification lapse?

According to the FTC, the following 12 companies let their certification lapse, didn’t remove their certification marks, were charged by the FTC, and decided to settle the FTC charges against them:

What’s the significance?

We don’t know the penalty that will be imposed yet, but each company can be fined up to $16,000. The fine is pitifully insignificant for all of these companies, so it will likely not have much dissuasive impact on US companies’ non-compliance. There is no indication that any of the companies intentionally misused personal data, so in reality there won’t be much of a functional impact for US or EU citizens. The most significant result of these enforcement actions is the message that the US sends to the EU: that we respect their sovereignty, that we intend to comply with their laws, and that we will hold our own companies responsible when they break those laws.