Many US companies failing to uphold EU privacy rules, privacy group claims in FTC complaint


Summary: The rules that govern how EU data is treated in the US are being violated by major tech companies, according to a complaint a privacy group has filed with the FTC.


At least thirty US companies are "failing to provide" safeguards for European citizens promised by the US government, a new complaint alleges.

A filing submitted to the US Federal Trade Commission (FTC) on Thursday by the Center for Digital Democracy (CDD) claims Salesforce, Adobe, AOL, and other companies are "compiling, using, and sharing EU consumers' personal information without their awareness and meaningful consent, in violation of the Safe Harbor framework."

The US-EU Safe Harbor regulations allow European data, which is generally not allowed to leave the continent, to enter and reside on US servers so long as the same strong data protection and privacy rules are adhered to.

The self-certifying system, however, has come under heavy fire, not least from European officials, as being inadequate in the wake of the Edward Snowden disclosures, which detailed massive surveillance by the US National Security Agency.

Based in Washington, DC, the privacy group calls on the FTC, which manages and ensures the validity of the US-EU Safe Harbor rules, to investigate the thirty named companies, which the CDD claims are involved in, among other things, "data profiling and online targeting."

"All of the companies, we believe, fall far short of the commitments they have made under the Safe Harbor," a summary of the filing says.

"The U.S. is failing to keep its privacy promise to Europe," CDD’s executive director Jeff Chester said in a statement. "Instead of actually ensuring that the U.S. lives up to its commitment to ensure American companies provide EU consumers, our investigation found that there is little oversight and enforcement by the FTC."

The CDD claims the companies are using Safe Harbor as a "shield" to further their data-gathering practices without scrutiny.

"Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on them so they can be profiled and targeted online," he added.

The group's legal director Hudson Kingston said the complaint "describes the systemic failure of the Safe Harbor to function as it was intended."

The transatlantic data transfer rules were introduced following the ratification of Europe's data protection and privacy laws in 1995. Had the Safe Harbor agreement not come to fruition, the rules would have prevented the transfer of personal data to countries outside the EU — including the US — that do not meet the "adequacy" standards for privacy protection. 

But the system has been widely condemned for its flaws, notably when it comes to US national security practices and surveillance laws.

Safe Harbor does not protect against US data requests or secret government orders for information, dubbed FISA warrants. The moment data lands in a company's US data center, it falls under US legal jurisdiction and can be acquired by law enforcement and intelligence agencies.

The political fallout in the wake of the Snowden disclosures led members of the European Parliament to pass a resolution requesting the immediate suspension of the Safe Harbor system. 

EU Justice Commissioner Viviane Reding said after the leaks were made public that the system was "flawed," and threatened to reconsider its ongoing data and intelligence sharing relationship with the US and its law enforcement agencies. 

"The fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward," Kingston said.

Topics: Privacy, Data Management, Security, EU

  • Moot point...

    if MS loses its current case against the US warrant being valid in Ireland. If that happens, there will be no more US cloud services outside the USA...
    • There shouldn't have been any in the first place.

      It was obvious from the start.

      As soon as your data is in someone else's hands, you have no real control over who accesses it.
  • FTC to the rescue

    If the aggressive stance taken by the FTC to combat violators of the "Do Not Call Registry" is any indication, the privacy violators have nothing to fear.

    FTC bragged last year that, "Law enforcement actions — more than 100 so far — have continued, resulting in orders against 291 individuals and corporations." That represents TEN YEARS of enforcement. If my experience with the registry is any indication, the 100 or so legal actions are based on many millions of violations by thousands of violators.

    The FTC is a toothless tiger guarding European privacy against attack by mega-national privacy miners. Thankfully, due to the power of the anti-privacy lobby, Americans have no significant privacy rights to guard. If they did, the FTC would undoubtedly be picked by the captive congress to fail at that as well.
  • Store only encrypted volumes in the cloud

    That's my MO. There's nothing mineable in there. The NSA is left flummoxed. My privacy is assured.
    • Assuming they didn't steal your keys...

      They do that you know...