Many US companies failing to uphold EU privacy rules, privacy group claims in FTC complaint

The rules that govern how EU data is treated in the US are being violated by major tech companies, according to a complaint a privacy group has filed with the FTC.
Written by Zack Whittaker, Contributor

At least thirty US companies are "failing to provide" safeguards for European citizens promised by the US government, a new complaint alleges.

A filing submitted to the US Federal Trade Commission (FTC) on Thursday by the Center for Digital Democracy (CDD) claims Salesforce, Adobe, AOL, and other companies are "compiling, using, and sharing EU consumers' personal information without their awareness and meaningful consent, in violation of the Safe Harbor framework."

The US-EU Safe Harbor regulations allow European data, which is generally not allowed to leave the continent, to enter and reside on US servers so long as the same strong data protection and privacy rules are adhered to.

The self-certifying system, however, has come under heavy fire, not least from European officials, as being inadequate in the wake of the Edward Snowden disclosures, which detailed massive surveillance by the US National Security Agency.

Based in Washington, DC, the privacy group calls on the FTC, which manages and ensures the validity of the US-EU Safe Harbor rules, to investigate the thirty named companies, which the CDD claims are involved in, among other things, "data profiling and online targeting."

"All of the companies, we believe, fall far short of the commitments they have made under the Safe Harbor," a summary of the filing says.

"The U.S. is failing to keep its privacy promise to Europe," CDD’s executive director Jeff Chester said in a statement. "Instead of actually ensuring that the U.S. lives up to its commitment to ensure American companies provide EU consumers, our investigation found that there is little oversight and enforcement by the FTC."

The CDD claims the companies are using Safe Harbor as a "shield" to further their data-gathering practices without scrutiny.

"Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on them so they can be profiled and targeted online," he added.

The group's legal director Hudson Kingston said the complaint "describes the systemic failure of the Safe Harbor to function as it was intended."

The transatlantic data transfer rules were introduced following the ratification of Europe's data protection and privacy laws in 1995. Had the Safe Harbor agreement not come to fruition, the rules would have prevented the transfer of personal data to countries outside the EU — including the US — that do not meet the "adequacy" standards for privacy protection. 

But the system has been widely condemned for its flaws, notably when it comes to US national security practices and surveillance laws.

Safe Harbor does not protect against US data requests or secret government orders for information, dubbed FISA warrants. The moment data lands in a company's US data center, it falls under US legal jurisdiction and can be acquired by law enforcement and intelligence agencies.

The political fallout in the wake of the Snowden disclosures led members of the European Parliament to pass a resolution requesting the immediate suspension of the Safe Harbor system. 

EU Justice Commissioner Viviane Reding said after the leaks were made public that the system was "flawed," and threatened to reconsider its ongoing data and intelligence sharing relationship with the US and its law enforcement agencies. 

"The fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward," Kingston said.
