Snapchat settlement shines a light on a potential EU / FTC safe harbour stitch-up
When Europe learned about the extent of NSA surveillance on the personal information of European citizens there was immediate concern over the effectiveness of the EU/US safe harbour agreement. Under European data protection laws, personal data cannot be exported to a foreign country that does not have data protection laws considered comparable to EU laws. The US does not have comparable data protection – and therefore cannot receive European data.
To solve this commercial impasse, the relevant authorities came up with the safe harbour agreement. Under this, US companies can be certified (or can certify themselves) as effectively conforming to European laws. Without that certification, they cannot handle European data in the US.
One of the requirements is that they agree not to pass any of that data to a third party. Snowden’s revelations show that vast troves of the data get passed to the NSA without judicial oversight or public transparency. Clearly, then, the safe harbour agreement is not working as intended.
Europe was incensed – so incensed that it threatened to suspend the safe harbour agreement altogether. Few people have taken this seriously. I wrote at the time,
In a pit of fique, the EC has declared that if the US doesn’t do what it wants, it might reconsider the safe harbor agreement that allows US companies to export personal European data even though the US is not considered safe to secure it. It won’t, of course. Can you imagine the uproar if Europeans could suddenly not have their hourly fix of Facebook or Twitter or Google mail?
EC continues its froth(ing at the mouth) over the NSA
The international law firm Hunton and Williams has reached a similar conclusion:
Despite the rhetoric, it seems unlikely that the Safe Harbor will be suspended… Any such action would cause considerable uncertainty and would disrupt existing business arrangements that fuel the global economy.
The Future of the US-EU Safe Harbor
But the rhetoric coming from Commissioner Reding has been unequivocal: if the US does not tighten and improve enforcement of safe harbour by this coming summer, it will be suspended. Last November it
set out actions to be taken in order to restore trust in data flows between the EU and the U.S., following deep concerns about revelations of large-scale U.S. intelligence collection programmes, which have had a negative impact on the transatlantic relationship.
Restoring Trust in EU-US data flows
This includes 13 specific recommendations.
The Commission is calling on U.S. authorities to identify remedies by summer 2014. The Commission will then review the functioning of the Safe Harbour scheme based on the implementation of these 13 recommendations.
But when you examine these 13 recommendations (which the EC could have called ‘requirements’, but did not), they are all decidedly weak.
The competent authority enforcing safe harbour in the US is the Federal Trade Commission (FTC).
All of this is necessary background before we consider the FTC’s latest privacy settlement with a US company. It accused Snapchat of multiple privacy failings (notably, that it did not do what it claimed to be doing).
Snapchat, the developer of a popular mobile messaging app, has agreed to settle Federal Trade Commission charges that it deceived consumers… The FTC case also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.
Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False
FTC Chairwoman Edith Ramirez actually commented, “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”
This should be reassuring to Reding and the EC – the FTC seems to be taking false security claims seriously. That is effectively what the EU is demanding in its 13 recommendations that will ensure the continuance of the safe harbour agreement: that US companies actually do what the safe harbour certification says they will do.
But despite these tough words from the FTC, the actual settlement agreement with Snapchat is pathetic.
Under the terms of its settlement, Snapchat will not be fined. But the app maker will be prohibited from misrepresenting the privacy, security or confidentiality of user data within the app and be required to implement a comprehensive privacy program to be monitored by an independent party over the next 20 years. If Snapchat violates the settlement in the future, it could face financial penalties.
Snapchat agrees to settle FTC charges that it deceived users – The Washington Post
Incidentally, the ‘financial penalties’ amount to the colossal fine of $16,000.
What all of this amounts to (just for the sake of argument, imagine a company like Facebook misrepresenting its privacy policies and falling foul of the safe harbour agreement) is a slap on the wrist, a demand for improvement and a promise not to do it again, with the threat of a $16,000 fine if it breaks its word. But doing this pretty well conforms to the lily-livered 13 Recommendations.
The result is effective collusion between politicians on both sides of the Atlantic to make it seem as if they are working for the people while not actually causing any problems to business. Same as it ever was, and everyone’s a winner – except the people.