Renew EU Safe Harbor annually or face FTC penalties


Twelve companies agreed this week to settle Federal Trade Commission (FTC) charges that they falsely claimed they were abiding by the Safe Harbor privacy framework, but had allowed their annual self-certification to lapse.

The FTC has made enforcement of the US-EU and US-Swiss Safe Harbor frameworks a priority following recent criticism from the European Commission that enforcement was lax.

What is the Safe Harbor?

The US-EU and US-Swiss Safe Harbor frameworks enable U.S. companies to transfer personal consumer and healthcare data from the European Union (EU) and Switzerland to the United States. The program was developed by the U.S. Department of Commerce to provide a streamlined process for businesses to appropriately process information about employees and customers in the EU, the European Economic Area (EEA), and Switzerland.

The European Commission recognizes the US-EU Safe Harbor program and framework as providing adequate protection for the rights of data subjects in connection with the transfer of their personal data from the EU/EEA, including human resources data and clinical data.

Which companies settled with the FTC?

The life-science and laboratory companies included Charles River Laboratories International and DDC Laboratories. Other companies cited included Apperian, the Atlanta Falcons, BitTorrent, DataMotion, Reynolds Consumer Products, Level 3 Communications, the Denver Broncos, and others.

Seven Safe Harbor Principles

Companies that transfer personal data or health data from the European Union to the U.S. or to U.S. data centers must have policies, procedures, and systems that protect the privacy, security, and integrity of confidential data and adhere to the Safe Harbor Principles of Notice, Choice, Onward Transfer, Access, Security, Data Integrity, and Enforcement. They must prominently post a notice of their privacy principles on their website and pay a nominal annual fee to the program.

What to do?

We recommend that companies perform a systematic self-assessment on an annual basis and make certain to pay their annual fee before their Safe Harbor certification expires each year.

Performing a reaffirmation through the Safe Harbor website is a critical annual activity. Double-Helix can provide a robust checklist and help your company through the process. The Safe Harbor Principles are in harmony with the latest HIPAA/HITECH requirements, such that a robust privacy, security, and breach notification program for HIPAA will meet the majority of the Safe Harbor requirements.

Learn more about the Safe Harbor process on the Department of Commerce site: http://export.gov/safeharbor/

To check whether a company, data center, or provider you do business with has a proper active registration in the U.S.-EU or U.S.-Swiss Safe Harbor program, visit http://safeharbor.export.gov/list.aspx.
