The Safe Harbor Certification

How the safe harbor and the criminal provision work.

4 comments

  1. David Hoffman
    I have received some feedback over social media that people are concerned that the criminal law provision in the bill will mean that corporate officers could go to jail if if there is a relatively innocent violation of the terms of the bill. That is not what we intended and not what I think the draft does. The goal was to allow companies the opportunity to have a safe harbor from civil penalties, but to also make certain that safe harbor could only be used by companies who implement a robust privacy program. We chose the following language for the standard for the criminal liability “knew that the statements required by the certification are not true. Reckless disregard of whether a statement is true, or a conscious effort to avoid learning the truth, can be construed as acting knowingly under this statute. ” We just want to capture situations where a corporate officer does not do the review, knows the content in the review is not accurate, or consciously ignores issues presented in the review. We were going for something very close to the False Statements Act, which already governs similar certifications to the former EU-US Safe Harbor Agreement and the current Privacy Shield. What do people think about the language we used? Did we get the intent requirement right?

  2. Peter Swire
    A few thoughts on the criminal statute: (1) Criminal intent in environmental law. I used to teach environmental law. There have been ongoing battles there about what “knowing” violation means. ation means. Professor Richard Lazarus gives the history here: http://nrs.harvard.edu/urn-3:HUL.InstRepos:13548461. Lazarus does a good job of showing the complexity of the issues.

    (2) Section 7 of the draft bill imposes criminal penalties if an accountability report is filed, “knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this Act.” This could be read as the opposite of risk-based. Imagine a manager who has invested heavily in privacy protection, and has done a gap analysis, and knows they have made big progress but have only 98 of the 100 elements covered. If the manager files the report knowing a violation of 2 of the elements, then that appears to be a criminal action under the statute.

    (3) One way to address this is to exclude de minimis violations. Change the language to “does not substantially comport” with “the requirements” of the Act. Or, something like a “material” violation is criminal, but less than that is not. The problem with “material,” however, is that it is a term of art in securities law, about moving the stock price, so not clear the standard in the privacy setting between a “material” violation and a “non-material” violation.

    (4) Another model here is Sarbanes Oxley, where corporate officers have to certify to the accuracy of the financial reports under Section 302, subject to criminal penalties under Section 906. Interestingly, the language is pretty close to what is in Intel’s draft bill. Notably it includes the compliance with “all the requirements” as in the draft bill. On the plus side for privacy, people take Sarbox certifications very seriously. The concerns, however, have been about whether the compliance cost is too high – the certifications flow down from top management to lower level managers, to avoid the huge penalties.

    (5) In conclusion, I am not sure the best way to draft. As written, however, I suspect there will be loud objections from the business community that this is re-creating Sarbanes Oxley, with the requirements in practice of all of those sub-certifications. May be worth researching what proposals have been made to make the compliance there more workable while still keeping the structure of accountability.

    • Danny Weitzner
      David, I’d be interested in hearing more about your rationale for the Safe Harbor provision. It appears that it is based on the view that having a robust privacy program ram entitles the covered entity to one free pass against all by equitable relief. That’s a big bet on the value of such programs. As I wrote in reply to Tim Sparapani on the overall structure of the statute, I do consider accountability programs to be valuable management tools, but I’d like to hear more about the thinking behind this view?

      • David Hoffman
        Danny – What we attempted to achieve with Section 7(a)(3) was to have the safe harbor only apply to civil penalties and not equitable remedies. The idea is based on on a fear that organizations might have about the lack of predictability of potential FTC enforcement (I do not have that fear, but I know many in the business community do), while still making certain that if an individual is harmed, that they can recover. This still strikes me as the right approach to provide for the protection of individuals while providing a carrot for organizations to have a corporate officer certify the accountability program. Is there a better way to do this?