As the United States and European Union get closer to finalizing a stronger version of the Safe Harbor Framework, thirteen US companies have agreed to settle charges that they misled consumers about adhering to the framework's data protection principles.
The Federal Trade Commission (FTC) charged seven of the companies with letting their Safe Harbor certifications lapse while continuing to claim them. The other six allegedly claimed to be certified even though they had never applied for membership. Under the proposed settlement the companies are prohibited from misrepresenting their participation in this, or any other government-sponsored privacy or security program. The number of FTC charges on this issue appears to be growing, and there is a good reason why.
The Safe Harbor framework allows thousands of American and European companies to transfer data easily around the globe. The data-sharing deal was on stable footing from its inception in 2000 up until 2013. That’s when former NSA contractor Edward Snowden’s massive document dump alerted European nations that the US was gathering information about their citizens and several heads of state.
The EU and the US are expected to finalize a stronger version of the deal by the end of summer. It is likely to include enhanced scrutiny of the information security practices used by the companies that self-certify. There is no word as to whether there will eventually be consequences that have more teeth, but tougher enforcement efforts are anticipated.
If you claim to be Safe Harbor certified, it is not enough to complete the paperwork and pay the annual fee: your company must also actually comply with the seven required privacy principles, which are:
- Notice - Individuals must be informed that their data is being collected and about how it will be used.
- Choice - Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security - Reasonable precautions must be taken to protect collected information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.
- Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
- Access - Individuals must be able to access the information held about them, and to correct, amend, or delete it where it is inaccurate.
- Enforcement - There must be effective means of enforcing these rules.
Going forward, if you claim Safe Harbor certification to your clients or on your website, you must be sure to maintain these standards in practice and to renew the certification before it lapses. Anything less is deception, and the FTC is treating it as such.