Enforcement has long been a sticking point between the US and the EU. Some of this comes from the inherent clash of juridical cultures between the civil and common law traditions. And some of it just seems to be the EU expecting the bigger and better-resourced US Government to pick up some of the slack. Unfortunately, governments on both sides of the Atlantic have limited resources. Realistically, this is the “sweet spot” for Trustmarks: they can cast a wider net of services over companies than the government can (whether because of jurisdictional or financial limitations).
8. Following the certification or recertification of companies under the safe harbor, a certain percentage of these companies should be subject to random investigations of effective compliance with their privacy policies.
Spot checking would be a new component of the safe harbor framework. However, this also seems to be a concern more oriented towards government resource allocation. Trustmarks already do this type of spot checking, typically based on the risk profile of the company that has been certified.
9. Where there has been a finding of noncompliance, following a complaint or investigation, the company should be subject to a follow-up specific investigation after one year.
While this recommendation sounds good in principle, it may not be necessary in every case. Where a finding of noncompliance was due to a nonmaterial mistake that generated little to no actual harm to the consumer, it is neither feasible nor reasonable to require a follow-up investigation a year later, as there is very likely nothing to find. That said, follow-up investigations, or spot checks, are very appropriate for violations that are complex or that arose from the interaction of multiple parties within the data flow: for example, where a subcontractor has inadvertently disclosed personal information because a security vulnerability in its network infrastructure was exploited. Fortunately, this is not a difficult requirement to implement, so long as it is done in a commercially reasonable way.
10. In the case of doubts about a company’s compliance, or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
Again, this will depend on the type of complaint. It is doubtful that the competent EU data protection authority is going to be interested in every single instance of an unsubscribe request taking longer than 10 days. The report and the memo both recognize that a number of consumer complaints do not fall within the privacy ambit. Consequently, reporting to an EU authority should be managed in a way that most effectively leverages that authority’s limited resources. We have already seen this in practice in the United States, where Trustmarks evaluate the quality of a complaint before forwarding it to the Federal Trade Commission.
11. False claims of safe harbor adherence should continue to be investigated.
Obviously, this is not a recommendation for new activity. It is merely, as noted before, a desire to have additional government resources attached to this particular function. Consequently, the ease with which this recommendation can be implemented is contingent upon the budgetary constraints of a particular administration.