Some US companies fail to comply with UK privacy rules

By Benjamin Salisbury

If you're buying products or services from US companies and you're concerned about the privacy of your personal information, you may want to keep an eye on lists of companies that comply with EU privacy laws -- and those that promise to, but don't.

When you buy from a US company, you're not automatically guaranteed the same protections for your personal data -- your name, address and social networking profile -- as you are in the UK. That's because US and EU privacy laws don't always match up.

The U.S.-EU Safe Harbor Framework was created to reassure EU residents that if they're doing business with a US company that's part of the scheme, the way their personal information is stored and used meets EU requirements.


However, some firms that claim to be current certified members of the scheme aren't -- including companies with a significant presence in the UK.

What is the U.S.-EU Safe Harbor Framework?
The agreement allows US firms that participate in it to collect personal information from European residents. Firms must self-certify annually with the US Department of Commerce that they will comply with seven privacy principles consistent with European law: notice, choice, onward transfer, security, data integrity, access and enforcement.

By signing on to this agreement, US companies can present themselves as a secure and safe option for Brits, and can benefit from this positive position.

The US Department of Commerce lists US firms that have committed to complying with the Safe Harbor rules; you can also check a firm's privacy policy to see how it applies the Safe Harbor Framework rules and terms, and how it handles complaints.

What are US firms doing with Brits' personal information?
The US Federal Trade Commission (FTC) reports that the most common problem is misrepresentation -- companies that were once in compliance with the framework have let their self-certifications lapse without removing consumer statements or visuals indicating they're Safe Harbor participants.

"We do not allege that the companies [that were not in compliance] were engaged in practices that would violate the terms of the Safe Harbor frameworks," says Jay Mayfield, senior public affairs specialist at the FTC. "Our allegations relate to whether the companies had properly renewed their certifications under the frameworks."

It appears the companies in question are not misusing personal information for now, but the possibility of misuse in the future remains.

"As you can see, the most common concern is that personal information is not kept secure [principle 7]," Hannah McCausland, senior policy officer at the Information Commissioner's Office, said in an emailed response to questions.

Consequences for US companies not in compliance
The FTC has sued many companies in the US for misrepresenting their participation in the Safe Harbor Framework. These include American International Mailing Inc. -- which is an international freight and logistics firm -- and TES Franchising, LLC -- an organization that helps create and support entrepreneurs.

The companies were banned from further misrepresentation and will face a hefty fine if they are found in violation again (up to $16,000 per violation, per day), according to Mayfield. The FTC's orders cover more than just the companies' misrepresentation of their Safe Harbor status -- they also cover their status under any privacy program.

More information about the program for European consumers (including a link to the US Department of Commerce's site, which contains even more information) can be found on the FTC website.

Published: 6 May 2015