Safe Harbor

Three companies to be fined for relying on invalidated Safe Harbor to transfer data from the EU

Fortune reported that Hamburg, Germany’s data protection commissioner, Johannes Caspar, is taking five unspecified global companies to task for continuing to transfer EU data to the US after the Safe Harbor ruling made it illegal. The Hamburg data protection authority is preparing to fine three companies for relying on the Safe Harbor privacy framework as the legal basis for their trans-Atlantic data transfers, the report states. “Two other firms are also under investigation,” according to the report. Caspar refused to disclose the names of the companies for legal reasons, but said they are “large international companies” and “subsidiaries of US-based global corporates.”

February 29th, 2016|European Union, International|

New US-EU Safe Harbor agreement may be around the corner

Various sources report that US and EU representatives met on December 17, 2015 to hash out an agreement that would replace the recently invalidated Safe Harbor privacy framework. The two governments aim to have a replacement framework in place by January, says EU Justice Commissioner Vera Jourová. One of the main goals of the new program is to allow EU citizens’ grievances to be filed directly with their national privacy regulator.

As reported in our client alert and blogs, in October 2015, judges from the European Court of Justice issued a judgment striking down a 15-year-old agreement, known as the Safe Harbor framework, which allowed US and European organizations to freely move personal data between the two regions as long as the US ensured an adequate level of data protection at the company and certified that it would abide by the seven EU data privacy principles regarding notice, choice, onward transfer, security, data integrity, access, and enforcement. The invalidation ruling impacted nearly 4,000 businesses that relied on the Safe Harbor framework to transfer data between the US and Europe and requires all businesses to reevaluate their compliance with European data privacy and security standards.

December 22nd, 2015|European Union, Legislation|

FTC settles with 14 companies that falsely claimed participation in Safe Harbor privacy framework

On June 25, 2013, the FTC approved final orders that settle charges against 14 companies for falsely claiming to participate in the international privacy framework known as the U.S.-EU Safe Harbor, which allows U.S. companies to gather customer information in Europe and send it to the United States, beyond the EU’s legal jurisdiction, as long as certain criteria are met. Three of the companies were also charged with similar violations related to the U.S.-Swiss Safe Harbor. Under the settlements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or other self-regulated or standard-setting organization. Consumers who want to know whether a U.S. company is a participant in the U.S.-EU or U.S.-Swiss Safe Harbor program can check its certification at

July 9th, 2014|Judgment|

Challenges of international background investigations

Many transactions today, whether they involve an employment hiring decision or a new business relationship, are cross-border or have an international component. The need for effective risk management both in the U.S. and abroad has vastly expanded in recent years with the passing of legislation and increased enforcement actions. Behind just about every business decision, there is a widening range of stakeholders — from regulators to shareholders to board members — who expect that the due diligence process will minimize unlawful activities.

International background investigations, which are essential for a comprehensive approach to due diligence, present special challenges since each country has its own laws, customs, and procedures. Language barriers, name variations and transliterations, limited information and technology, broad definitions of crimes, and the proliferation of fraudulent educational and accreditation institutions are just some of the factors that add to the complexity of these investigations.

As a general rule, in most European countries, criminal records are not available to the public. In Asia, public accessibility to most court filings is limited. In South America, public records vary greatly from country to country. South Africa provides some disclosure of police records and warrants to the public, along with civil filings. Canada’s public records availability differs by province, and only a few permit criminal records release. India and Australia have the most searchable records, similar to the U.S.

For employment purposes, the Fair Credit Reporting Act (FCRA) imposes certain obligations for international background screening performed by a U.S. Consumer Reporting Agency (CRA), including mandating reasonable procedures to ensure the accuracy of the information it reports. If a public record such as a criminal conviction is found, the CRA must ascertain that the information is correct, up-to-date, and reported in a way that does not violate data or privacy protection rules.

In 2000, an agreement between the U.S. Department of Commerce and the European Commission established privacy and data protection guidelines, the “Safe Harbor Principles,” to enable U.S. companies to satisfy a requirement under European Union law for adequate protection of personal information transferred from the European Economic Area (the 25 member states of the European Union plus Iceland, Liechtenstein and Norway). In addition to these principles, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions and businesses that receive personal information to establish safeguards for the handling and disclosure of that information. The Fair and Accurate Credit Transactions Act (FACTA), a federal law, also contains provisions to help reduce identity theft and obligates the proper disposal of personal consumer information.

The cost of an international background investigation is typically higher than that of a domestic search, and varies with each country, the type of information that needs to be obtained, and the purpose of the investigation. When performed by a reputable firm with qualified foreign contacts, an international background investigation can reduce negligent hiring liability and prevent a catastrophic investment or reputational damage.
