The FTC, meanwhile, maintains its authority to sanction American companies falsely or deceptively (in FTC’s view) representing their compliance with these principles as part of the Safe Harbor program. FTC Commissioner Julie Brill recently touted prior FTC enforcement actions against Facebook and others for falsely representing compliance with the Safe Harbor Framework. At a recent conference in Europe, I listened to a senior FTC official implore EU privacy regulators not to significantly modify the EU-US Safe Harbor agreements as they provide a key jurisdictional “peg” for FTC enforcement of EU privacy principles against US companies.
FTC enforcement can be costly, including requirements for companies to allow independent monitoring of their privacy compliance for 20 years. So, connecting the dots: EU regulators have declared Google in violation of key privacy principles (and other cloud powerhouses are already, or soon will be, in the EU’s sights); such companies certify compliance with these principles in order to export data to the United States; and the EU regulators, at least in the case of Google, have implicitly found these compliance certifications to be untrue.
Will US FTC enforcement action against Google and others similarly situated in the future necessarily follow? Who knows, but it is likely the FTC will at least consider it. And Google — and other US IT giants operating in the EU — would be wise to remember that violations of EU privacy law can have consequences that go beyond the borders of the EU.
–Commentary by SafeGov expert Bryan Cunningham, Cunningham Partners LLC