This is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.
What makes this significant is that for Internet companies operating globally, including in Europe -- and that means almost all the major companies -- the FTC has established the precedent of applying European Union principles on privacy via the U.S.-EU Safe Harbor Framework.
This framework was developed to help reconcile the differing privacy standards of the U.S. and the European Union, allowing companies to transfer data from Europe to the U.S. without obtaining specific EU permission for each data transfer. Companies wanting this ease of data transfer have to certify compliance with the principles established by the framework, and companies that violate those principles face enforcement action by the FTC -- as happened with the Google settlement this week.
What this means is a chunk of European privacy law is now being enforced in the U.S. So what is this basic E.U. law on privacy that American consumers will be getting the benefit of now? See the Safe Harbor principles listed here:
Organizations must comply with the seven Safe Harbor Privacy Principles, which require the following:
Notice
Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers for limiting its use and disclosure.
Choice
Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
Onward Transfer (Transfers to Third Parties)
To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the Safe Harbor Privacy Principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.
Access
Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
Security
Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data Integrity
Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
There is still good reason for U.S. lawmakers to establish strong privacy legislation of their own, if only to make sure companies not operating in Europe follow the rules as well. I've noted that beyond negative "don't do" rules, there are many more positive actions to facilitate privacy that the U.S. can learn from European policymakers.
But the FTC order this week does highlight that, at minimum, companies operating globally can't escape basic privacy protections for U.S. residents just by blocking privacy legislation here. If they want to operate globally, they need to raise their privacy practices to the much higher standards of the European nations they include in their network.