FAQ - The Role of the Commissioner

How will companies that commit to cooperate with the Commissioner make those commitments and how will they be implemented?

Under the safe harbor, U.S. organizations receiving personal data from Switzerland must commit to employ effective mechanisms for assuring compliance with the Safe Harbor Principles. More specifically as set out in the Enforcement Principle, they must provide:

1. recourse for individuals to whom the data relate,

2. follow up procedures for verifying that the attestations and assertions they have made about their privacy practices are true, and

3. obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organizations.

An organization may satisfy points (a) and (c) of the Enforcement Principle if it adheres to the requirements of this FAQ for cooperating with the Commissioner.

An organization may commit to cooperate with the Commissioner by declaring in its safe harbor certification to the Department of Commerce (see FAQ on Self-Certification) that the organization:

4. elects to satisfy the requirement in points (a) and (c) of the Safe Harbor Enforcement Principle by committing to cooperate with the Commissioner;

5. will cooperate with the Commissioner in the investigation and resolution of complaints brought under the safe harbor; and

6. will comply with any advice given by the Commissioner where the Commissioner takes the view that the organization needs to take specific action to comply with the Safe Harbor Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the Commissioner with written confirmation that such action has been taken.

The cooperation of the Commissioner will be provided in the form of information and advice in the following way:

  • The advice of the Commissioner can be delivered directly.
  • The Commissioner will provide advice to the U.S. organizations concerned on unresolved complaints from individuals about the handling of personal information that has been transferred under the safe harbor. This advice will be designed to ensure that the Safe Harbor Principles are being correctly applied and will include any remedies for the individual(s) concerned that the Commissioner considers appropriate.
  • The Commissioner will provide such advice in response to referrals from the organizations concerned and/or to complaints received directly from individuals against organizations which have committed to cooperate with the Commissioner for safe harbor purposes, while encouraging and if necessary helping such individuals in the first instance to use the in-house complaint handling arrangements that the organization may offer.
  • Advice will be issued only after both sides in a dispute have had a reasonable opportunity to comment and to provide any evidence they wish. The Commissioner will seek to deliver advice as quickly as this requirement for due process allows. As a general rule, the Commissioner will aim to provide advice within 60 days after receiving a complaint or referral and more quickly where possible.
  • The Commissioner will make public the results of its consideration of complaints submitted to it, if it sees fit.
  • The delivery of advice through the Commissioner will not give rise to any liability for the Commissioner.

As noted above, organizations choosing this option for dispute resolution must undertake to comply with the advice of the Commissioner. If an organization fails to comply within 30 days of the delivery of the advice and has offered no satisfactory explanation for the delay, the Commissioner will give notice of its intention either to submit the matter to the Federal Trade Commission or other U.S. federal or state body with statutory powers to take enforcement action in cases of deception or misrepresentation, or to conclude that the agreement to cooperate has been seriously breached and must therefore be considered null and void. In the latter case, the Commissioner will inform the Department of Commerce (or its designee) so that the list of safe harbor participants can be duly amended. Any failure to fulfill the undertaking to cooperate with the Commissioner, as well as failures to comply with the Safe Harbor Principles, will be actionable as a deceptive practice under Section 5 of the FTC Act or other similar statute.