Jan 21 2014

Faking Safe Harbor compliance

Published by at 11:13 pm under General

If you’ve ever had to deal with data privacy laws, then you’ve probably heard of the EU Safe Harbor framework.  These are basically a set of 7 basic guidelines (Notice, Choice, Onward Transfer, Security, Data Integrity, Access & Enforcement)  that govern how any US company doing business in the EU will treat private information.  Doesn’t sound too bad, but the reality is that Safe Harbor is a bit of a pain to comply with, since there are different interpretations of the rules for nearly every country in the EU.  The rules in one country, say Italy, might be relatively short and easy to understand, while the rules in another, maybe Germany, might be long, complex and convoluted.  The general outline is the same for all countries, but they get to decide their own specific implimentations.  You can see that this might make it a little hard to comply with the Safe Harbor framework, even though the laws all orginate from the same framework

So it doesn’t surprise me too much to find out that the Federal Trade Commision has announced that a dozen companies, including Level 3 and a few football teams (??), have violated the Safe Harbor rules.  According to Gigaom, the violations are technical in nature, rather than being willful violations.  This means they were probably tracking visitors using cookies in the wrong way or retaining information about their clients they shouldn’t have.  It wouldn’t take much, since in some countries an IP address can be considered privately identifiable information (PII) and retaining that information would be a violation.  On the other hand, I can fully believe that companies such as the accounting firms named in the violoations knew they were keeping information they shouldn’t, but had to in order to perform the roles they’re paid to do.  

I believe one of the points that’s easy to miss in the article is probably the most important: “US companies have been deceiving people by using out-of-date certification marks”.  In other words, these companies at one time had been self-certified or audited by a third-party, but let this lapse and continued to do business and sell products by stating they were Safe Harbor certified.  If the FTC did an audit of their own records, made a list of the organizations that let their certifications and then investigated those organizations, it would explain why these people made the list.  It would also be a warning shot across the bow for other companies that have let their compliance lapse, and an indicator that there are a lot more companies that might be facing scrutiny in the future.  If your company has Safe Harbor responsibilities, I’d definitely review your own compliance level.

I can almost guarantee that Safe Harbor will be getting a lot more attention this year than it has in the past.  The US is, and will be for some time to come, under the microscope by EU governments and organizations.  The NSA efforts uncovered by Snowden make this a given, just as they make the handwaving by the FTC a given.  This probably marks the first time that the FTC has taken Safe Harbor seriously in quite some time, but it won’t be the last.

 

 

One response so far

One Response to “Faking Safe Harbor compliance”

  1. Stuart Barkeron 22 Jan 2014 at 5:09 am

    Here in the UK the stories coming out about the NSA are worrying to some degree and almost a given in others. I would expect any due diligence process to fully look at all accreditations and certifications and flag any that are out of date. I appreciate that doesn’t always happen but it should. More interestingly will be the amount of credibility that safe harbour will hold going forward. I see the need and the inevitable introduction of a new standard to replace safe harbour. I am not sure how many UK companies would use a US service for personally identifiable data going forward now anyway, where they have a choice. This article is just another nail in that coffin.

Trackback URI | Comments RSS

Leave a Reply

%d bloggers like this: