Web Analytics

"U.S.-EU Safe Harbor Framework: Know Your Obligations"


The transfer of data between U.S. companies and EU citizens has been a hot topic for years. And the U.S.-EU Safe Harbor Framework was designed to help facilitate that data transfer by providing principles for U.S. companies to follow and reduce complexities of otherwise complying with the EU laws following the EU data regulation in 1995. Administered by the Department of Commerce, the Safe Harbor Framework is a voluntary privacy program that allows companies to transfer data from the EU to the U.S. in compliance with EU law. But whether companies that participate in the Safe Harbor are actually honoring their obligations under the Safe Harbor isn’t always clear.

For a company to participate in Safe Harbor, it must certify that it abides by seven principles—notice, choice, onward transfer, security, data integrity, access and enforcement—and reaffirm each year that it’s still in compliance. The latter portion of the Safe Harbor has landed several companies in hot water with the Federal Trade Commission (FTC). While some companies claim they are Safe Harbor participants, failing to make that annual affirmation results in noncompliance with the Safe Harbor.

Since 2010, in fact, the FTC has brought 26 law enforcement actions against U.S. companies that claim to participate in the Safe Harbor Framework in an effort to ensure they are following through with their obligations. The most recent targets of the FTC were American International Mailing (AIM) and TES Franchising.

Both companies had claimed in their privacy policies that they were Safe Harbor Framework participants, when in reality, their participation had lapsed. AIM hadn’t reaffirmed its certification since 2010, but continued to claim on its website that it was a Framework participant. TES was in even more trouble. Not only had the company claimed in its privacy policy that it was a member of the Framework when it too had let its annual affirmation lapse, according to the FTC, TES also did not “provide a readily available and affordable independent recourse mechanism to investigate and resolve consumer complaints and disputes”—a direct violation of the “enforcement” principle of the Safe Harbor.

The FTC strongly encourages companies who claim to be Safe Harbor participants to ensure they are compliant with the rule, to avoid ending up like AIM, TES or the other 24 companies who have faced FTC action. You can check your status on the export.gov website in seconds and it may be time well spent.


Originally published in Safe and Sound, May 1, 2015

Follow Quarles

Subscribe Media Contact
Back to Main Content

We use cookies to provide you with the best user experience on our website and to analyze statistics related to our website. To understand more about how we use cookies, or for instructions to change your preference and browser settings, please see our Privacy Notice. Please note that if you choose to reject cookies, doing so may impair some of our website's functionality.