FTC Urged to Investigate 30 Companies' EU Safe Harbor Practices

The Federal Trade Commission (FTC) has received a complaint asking it to investigate thirty companies for alleged U.S.-EU Safe Harbor violations. 

The Center for Digital Democracy (CDD) filed a complaint with the FTC on August 13, 2014, alleging that thirty companies – including Adobe, AOL, and Acxiom – were not adequately protecting European Union (EU) consumers’ rights. 

While the data privacy and collection practices differ for each company, some of the violations cited in the CDD’s complaint include failing to provide meaningful privacy policies, inadequately explaining data collection practices, failing to provide appropriate opt-out mechanisms, and claiming that collected data is “anonymous,” but failing to inform consumers that the collected data is sufficient to allow tracking.  CDD also said several companies claimed to be “data processors” subject to less stringent EU regulations, but CDD asserts that the companies in reality play a central role in collecting data to profile and target consumers.

The U.S.-EU Safe Harbor agreement is a voluntary program established in 2000 and recognized as an adequate way to transfer EU data to the U.S.  Under the program, companies self-certify annually to the U.S. Department of Commerce (DOC) that they abide by certain privacy principles when transferring data outside the EU.  Companies agree to provide clear data privacy and collection notices and offer opt-out mechanisms for EU consumers.

The Safe Harbor program came under scrutiny after the Edward Snowden leaks about the extent of U.S. surveillance programs.  The European Commission, alarmed at the reports, urged the U.S. to establish more stringent data security mechanisms and provide greater safe harbor oversight.  The European Parliament went further, voting in March to no longer recognize the Safe Harbor.  Although the FTC has brought actions for Safe Harbor violations over the last several years, it has stepped up enforcement actions this year in light of criticism about the program.  Since January of this year, the FTC has filed suits against fourteen companies for alleged Safe Harbor violations.  The CDD is urging the FTC to continue its enforcement efforts, specifically with regard to the thirty companies cited in its complaint.  CDD Legal Director Hudson Kingston said, “CDD’s complaint describes the systemic failure of the Safe Harbor to function as it was intended” and claims “safe harbor has to be overhauled to make sure it actually works.”  

For more information about privacy and data security issues, contact Sheila A. Millar at millar@khlaw.com or 202 434-4143; or Tracy P. Marshall at marshall@khlaw.com or 202 434-4234.