In January 2014, the Department of Commerce’s International Trade Administration (“ITA”) posted a Key Points document to provide additional information about the benefits, oversight and enforcement of the U.S.-European Union and U.S.-Swiss Safe Harbor Frameworks. The Key Points document supplements information about the Safe Harbor Frameworks already available on the Department of Commerce website. For example, in the Key Points, the ITA notes that:
- The Safe Harbor Frameworks provide significant economic benefits not only to the U.S. economy, but also to the EU and Swiss economies. The ITA notes that “[m]any U.S. organizations that self-certify to Safe Harbor do so at the express request of European customers/clients or partners, while others are actually U.S. subsidiaries or divisions of European organizations.”
- Anyone can check the Safe Harbor lists on the Department of Commerce’s website to verify whether an organization has certified to one or both of the Safe Harbor Frameworks, and if the organization’s certification is current. The ITA notes that if an organization fails to complete the annual re-certification process in time, the organization’s certification status is changed from “Current” to “Not Current.” The ITA also emphasizes that agreeing to adhere to the Safe Harbor Frameworks is a permanent undertaking in the sense that an organization must continue to apply the Safe Harbor Privacy Principles to personal data obtained through the Safe Harbor Frameworks for as long as the organization stores, uses or discloses the data – even if the organization “subsequently leaves the Safe Harbor for any reason.”
- The ITA plays an important role in overseeing the Safe Harbor Frameworks even if they function as self-certification programs. The ITA indicates that it reviews “every” Safe Harbor initial self-certification and annual re-certification submission, and that it contacts organizations to inform them if their submissions are incomplete and explain what steps must be taken to finalize the process. The ITA notes that “during the first nine months of 2013, the ITA notified approximately 56% of the organizations from which it had received first-time self-certification submissions and 27% of the organizations from which it had received recertification submissions to inform the organizations of shortcomings identified during the review.”
- The Safe Harbor Frameworks require that there be “readily available and affordable” dispute resolution.
- At the time the Key Points document was issued, the Federal Trade Commission had brought ten Safe-Harbor-related enforcement actions, all of which resulted in consent decrees. The ITA emphasizes that, although the FTC is committed to prioritizing referrals from EU and Swiss data protection authorities and private sector third party dispute resolution providers, the FTC “can and has pursued cases on its own initiative.”
See our January 21, 2014 blog post on the most recent round of Safe Harbor enforcement actions brought by the FTC (subsequent to the ITA’s release of the Key Points document).