In 1998 the European Commission’s Directive on Data Protection went into effect, prohibiting the transfer of EU citizens’ data to non-EU countries unless they meet strict privacy protection standards.
In order to facilitate subsequent data-sharing between the U.S. and EU, the U.S. Department of Commerce worked with the European Commission to develop the U.S. – EU Safe Harbor Framework. By signing up to the program, U.S. organizations can send a clear signal to others in the EU that the standards mandated by the EU’s Directive on Data Protection are being met.
For U.S. organizations, signing up has several benefits. All 28 member states of the European Union accept the standard, being a signatory is a sign of commitment to privacy, approval to exchange data with the EU will be automatically granted, and legal issues raised in relation to data sharing can be heard in the United States.
After meeting the standards required by framework, organizations must self-certify every year with the Department of Commerce and state in their privacy policy statements that they adhere to the Safe Harbor Privacy Principles. Herein lies the problem.
By allowing their self-certifications to lapse, BitTorrent Inc. and another eleven companies including ISP Level 3 Communications, encrypted email company DataMotion and a trio of NFL teams, fell short of the framework’s requirements (full company list).
“Enforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These twelve cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program,” said FTC Chairwoman Edith Ramirez in a statement.
As can be seen by BitTorrent Inc.’s Safe Harbor entry, the company’s self-certification expired in January 2008 and still lists Ashwin Navin as the company’s president. Navin vacated that role in November 2008.
While there is no suggestion that BitTorrent Inc. or any of the other organizations involved compromised customer privacy in any way, failure to self-certify and then falsely claiming to participate in the U.S. – EU treaty is unacceptable to the U.S, particularly in light of the recent NSA scandal. With that in mind all 12 organizations have agreed to settle with the FTC by entering into “consent agreements” – BitTorrent Inc.’s can be read here (pdf).
Considering BitTorrent Inc.’s recent publicity drive on the privacy front, the charges by the FTC will come as a disappointment to the company, particularly since their error appears to have stemmed from an administrative oversight rather than actual carelessness with data.
