Dec. 12 --U.S. administration representatives at the International Association of Privacy Professionals Europe Data Protection Congress 2013, in Brussels Dec. 11-12, defended the U.S.-EU Safe Harbor program in the face of recent criticism from the European Union and cautioned that not all of the EU's recommendations to reform the program might be workable.
Speaking in the conference's opening session Dec. 11, Commissioner of the Federal Trade Commission Julie Brill said that the Safe Harbor program is “a very effective tool for protecting the privacy of EU consumers,” and it shouldn't be suspended or renegotiated.
However, Brill acknowledged that Safe Harbor had been criticized as part of the “tensions in the transatlantic relationship” over data protection that arose in the wake of revelations of U.S. national security surveillance programs leaked by former U.S. National Security Agency contractor Edward Snowden.
Under the U.S.-EU Safe Harbor program, U.S. companies operating in the EU are permitted to transfer the data of EU customers out of the bloc on the basis that they declare compliance with the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive (95/46/EC). About 3,350 companies have a currently active certification under the scheme.
The European Commission, the EU's executive arm, published on Nov. 27 a series of recommendations that it said the U.S. administrator of the scheme, the Department of Commerce, should react to by mid-2014, or Safe Harbor might be suspended (12 PVLR 2012, 12/9/13).
The commission has said it is “not convinced” that U.S. companies are respecting Safe Harbor in handling the personal data of Europeans and the U.S. administration might not have respected data protection safeguards when accessing for law enforcement purposes data transferred under Safe Harbor (12 PVLR 1866, 11/4/13).
Brill defended the enforcement of Safe Harbor by the U.S. authorities. She said there had been “numerous investigations into Safe Harbor compliance in recent months,” and 10 enforcement actions since 2009, leading to the sanctioning of companies including Facebook Inc. (10 PVLR 1759, 12/5/11), Google Inc. (10 PVLR 1565, 10/31/11) and MySpace Inc. (11 PVLR 791, 5/14/12).
Brill added that EU concerns about U.S. access to personal data for national security purposes should be addressed outside Safe Harbor. In this respect, “Safe Harbor might be an easy target, but I do not believe it is the right target,” she said.
Hugh Stevenson, deputy director of the FTC's Office of International Affairs, speaking in a session on Safe Harbor Dec. 12, said that enforcement, in particular against companies that falsely claim Safe Harbor certification, was “not working perfectly,” but “this program has grown as privacy enforcement in general has grown.”
There were “matters in the enforcement pipeline, and you can expect to see developments in the coming months,” Stevenson said.
Jan Ostoja-Ostaszewski, an official from the European Commission's Justice Department, which published the Nov. 27 recommendations on Safe Harbor, told Bloomberg BNA Dec. 12 that “all options are on the table” in terms of potential modification or suspension of Safe Harbor.
However, “we see efforts” by FTC and Commerce “to improve the system,” and a number of the commission's recommendations “are already being gradually addressed by the U.S.,” Ostoja-Ostaszewski said.
Brill said Safe Harbor might be improved in line with the commission recommendations through clearer redress systems and the elimination of fees for alternative dispute resolution (ADR). She said that increased transparency could be achieved through requirements for Safe Harbor certified companies to provide links to the FTC Safe Harbor program website, and to ADR providers.
U.S. officials said that not all of the commission's recommendations would easily work in practice.
Among the recommendations is a call for all U.S.-EU Safe Harbor program certified companies to publish the privacy conditions in contracts concluded with subcontractors, such as cloud computing services providers.
Caitlin Fennessy, Safe Harbor administrator for Commerce's International Trade Administration, said Dec. 12 that a contract language requirement would “require close consultation with stakeholders, including industry” over its feasibility, as some Safe Harbor companies have more than 10,000 subcontractors.
U.S. officials didn't respond directly to the commission's recommendation that there should be ongoing “ex officio investigations of effective compliance” of a sample of Safe Harbor companies, although Stevenson said it was regular practice for the FTC Office of International Affairs to check the Safe Harbor status of any company under investigation for potential privacy violations.
Cédric Burton, senior associate at Wilson Sonsini Goodrich& Rosati LLP, Brussels, told Bloomberg BNA Dec. 12 that “Safe Harbor is an easy target from a political point of view.” Among its activities, the law firm assists companies in joining the Safe Harbor program.
“Many Safe Harbor-certified companies have an extremely strong compliance program in place. In practice the level of data protection compliance with Safe Harbor doesn't seem to be any worse than for transfers under Standard Contractual Clauses or Binding Corporate Rules,” Burton said.
“Safe Harbor is and has been very valuable since it is and has been a way for companies to become familiar with EU data protection law principles,” he added.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor on this story: Donald G. Aplin at email@example.com
Further information on the IAPP Europe is available at https://www.privacyassociation.org/community/iapp_europe.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).