How will companies that commit to cooperate with the Federal Data Protection and Information Commissioner (the Commissioner) make those commitments and how will they be implemented?
Under the Safe Harbor, U.S. organizations receiving personal data from Switzerland must commit to employ effective mechanisms for assuring compliance with the Safe Harbor Principles. They must provide, as specified in the Enforcement Principle: (a) recourse for individuals to whom the data relate; (b) follow-up procedures for verifying that the attestations and assertions they have made about their privacy practices are true; and (c) obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organizations. An organization may satisfy points (a) and (c) of the Enforcement Principle if it adheres to the requirements of this FAQ for cooperating with the Commissioner.
An organization may commit to cooperate with the Commissioner by declaring in its Safe Harbor certification to the Department of Commerce (see FAQ 6: Self-Certification) that the organization:
The cooperation of the Commissioner will be provided in the form of information and advice in the following way:
As noted above, organizations choosing this option must undertake to comply with the advice of the Commissioner. If an organization fails to comply with this advice and has offered no satisfactory explanation for its noncompliance, the Commissioner will give notice of its intention either to submit the matter to the Federal Trade Commission or other U.S. federal or state body with statutory powers to take enforcement action in cases of deception or misrepresentation, or to conclude that the agreement to cooperate has been seriously breached and must therefore be considered null and void. In the latter case, the Commissioner will inform the Department of Commerce (or its designee) so that the list of Safe Harbor participants can be duly amended. Any failure to fulfill the undertaking to cooperate with the Commissioner, as well as failures to comply with the Safe Harbor Principles, will be actionable as a deceptive practice under Section 5 of the FTC Act or other similar statute.