Safe Harbor Program
Subscribe to Safe Harbor Program's Posts

The Privacy Shield: September 30, 2016, Deadline for Early Self-Certification Offers Compliance Opportunity and Risk

The European Commission recently determined that the Privacy Shield Framework is adequate to legitimize data transfers under EU law, providing a replacement for the Safe Harbor program. The Privacy Shield is designed to provide organizations on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Organizations that apply for Privacy Shield self-certification by September 30, 2016, will be granted a nine-month grace period to conform their contracts with third-party processors to the Privacy Shield’s new onward transfer requirements.

Read the full article here.

read more

Court of Justice of the European Union Says Safe Harbor Is No Longer Safe

Earlier today, the Court of Justice of the European Union (CJEU) announced its determination that the U.S.-EU Safe Harbor program is no longer a “safe” (i.e., legally valid) means for transferring personal data of EU residents from the European Union to the United States.

The CJEU determined that the European Commission’s 2000 decision (Safe Harbor Decision) validating the Safe Harbor program did not and “cannot eliminate or even reduce the powers” available to the data protection authority (DPA) of each EU member country. Specifically, the CJEU opinion states that a DPA can determine for itself whether the Safe Harbor program provides an “adequate” level of personal data protection (i.e., “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union” as required by the EU Data Protection Directive (95/46/EC)).

The CJEU based its decision invalidating that Safe Harbor opinion in part on the determination that the U.S. government conducts “indiscriminate surveillance and interception carried out … on a large scale”.

The plaintiff in the case that gave rise to the CJEU opinion, Maximilian Schrems (see background below), issued his first public statement praising the CJEU for a decision that “clarifies that mass surveillance violates our fundamental rights.”

Schrems also made reference to the need for “reasonable legal redress,” referring to the U.S. Congress’ Judicial Redress Act of 2015. The Judicial Redress Act, which has bi-partisan support, would allow EU residents to bring civil actions in U.S. courts to address “unlawful disclosures of records maintained by an [U.S. government] agency.

Edward Snowden also hit the Twittersphere with “Congratulations, @MaxSchrems. You’ve changed the world for the better.”


Today’s CJEU opinion invalidating the Safe Harbor program follows on the September 23, 2015, opinion from the advocate general (AG) to the CJEU in connection with Maximilian Schrems vs. Data Protection Commissioner.

In June 2013, Maximilian Schrems, an Austrian student, filed a complaint with the Irish DPA. Schrems’ complaint related to the transfer of his personal data collected through his use of Facebook. Schrems’ Facebook data was transferred by Facebook Ireland to Facebook USA under the Safe Harbor program. The core claim in Schrems’ complaint is that the Safe Harbor program did not adequately protect his personal data, because Facebook USA is subject to U.S. government surveillance under the PRISM program.

The Irish DPA rejected Schrems’ complaint because Facebook was certified under the Safe Harbor Program. Schrems appealed to the High Court of Ireland, arguing that the Irish (or any other country’s) DPA has a duty to protect EU citizens against privacy violations, like access to their personal data as part of U.S. government surveillance. Since Schrems’ appeal relates to EU law (not solely Irish law), the Irish High Court referred Schrems’ appeal [...]

Continue Reading

read more

The FTC Means It: Another Safe Harbor Enforcement Action

No doubt about it: the U.S. Federal Trade Commission (FTC) is serious about taking action against companies that misrepresent their U.S.-EU Safe Harbor certification status.  On February 11, 2014, the FTC announced that children’s online entertainment company agreed to settle charges that it deceptively represented, through statements in its online privacy policy, that it held a current certification under the U.S.-EU Safe Harbor framework.  The settlement follows on the heels of the FTC’s settlements (announced on January 21, 2014) with 12 companies that made representations about Safe Harbor compliance when in fact their certifications had lapsed. These 13 settlements, announced within in the first six weeks of 2014 and added to the 10 settlements reached for similar actions from 2009 to 2012, indicate the FTC’s commitment to ensuring that the Safe Harbor Program remains a vital and effective compliance mechanism for U.S.-based multinational companies.

The Allegations and Order

According to this recent FTC complaint, failed to complete its annual recertification of Safe Harbor compliance but continued to make publically-available statements about its compliance with the U.S.-EU Safe Harbor Framework.  From June 2011 (when the company made its initial self-certification) to January 2014 (when the company renewed its self-certification), the FTC examined the company’s privacy policies and online statements for representations concerning its Safe Harbor status. 

In its complaint, the FTC alleged that the company, “…expressly or by implication…” misrepresented that it was a current participant in the Safe Harbor Framework when, from June 2012 until January 2014, its certification had lapsed.  The FTC cited the following statement made on the company’s website as an example of the false and misleading representations:

“When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-EU Safe Harbor Framework, which covers the transfer, collection, use, and retention of personal data from the European Union.” 

While the FTC does not allege substantive violations of the Safe Harbor Framework, the sanctions that follow place compliance obligations on the company.  The Settlement Agreement Containing Consent Order:  

  • enjoins from misrepresenting its compliance with any governmental or self-regulatory data privacy program for 20 years; and
  • imposes on detailed record-keeping requirements for five years, including maintenance of records (i) for all advertisements or other statements containing representations about privacy program participation; (ii) all materials that form the basis for preparing such representations; and (iii) all materials that call into question the company’s compliance with the Order.

If violates the settlement agreement, the FTC is empowered to assess up to $11,000 per day in monetary penalties.

Compliance Tips

Based on these enforcement actions, any company that self-certifies under the U.S,-EU Safe Harbor Framework should immediately:

  • check its certification status to ensure that it is marked “current” on the Department of Commerce website:;
  • review any privacy policies and online statements referencing the Safe Harbor program to ensure that they properly reflect the status of their certification;
  • institute a systemic [...]

    Continue Reading

read more




2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law