By Stephen Gardner
Dec. 12 --U.S. administration
representatives at the International Association of Privacy Professionals
Europe Data Protection Congress 2013, in Brussels Dec. 11-12, defended the
U.S.-EU Safe Harbor program in the face of recent criticism from the European
Union and cautioned that not all of the EU's recommendations to reform the
program might be workable.
Speaking in the conference's opening session
Dec. 11, Commissioner of the Federal Trade Commission Julie Brill said that the
Safe Harbor program is “a very effective tool for protecting the privacy of EU
consumers,” and it shouldn't be suspended or renegotiated.
Brill acknowledged that Safe Harbor had been criticized as part of the
“tensions in the transatlantic relationship” over data protection that arose in
the wake of revelations of U.S. national security surveillance programs leaked
by former U.S. National Security Agency contractor Edward Snowden.
the U.S.-EU Safe Harbor program, U.S. companies operating in the EU are
permitted to transfer the data of EU customers out of the bloc on the basis
that they declare compliance with the Safe Harbor framework, which includes
seven privacy principles similar to those found in the 1995 EU Data Protection
Directive (95/46/EC). About 3,350 companies have a currently active
certification under the scheme.
The European Commission, the EU's
executive arm, published on Nov. 27 a series of recommendations that it said the U.S. administrator of
the scheme, the Department of Commerce, should react to by mid-2014, or Safe
Harbor might be suspended (12 PVLR 2012, 12/9/13).
The commission has
said it is “not convinced” that U.S. companies are respecting Safe Harbor in
handling the personal data of Europeans and the U.S. administration might not
have respected data protection safeguards when accessing for law enforcement
purposes data transferred under Safe Harbor (12 PVLR 1866, 11/4/13).
Brill defended the enforcement of Safe
Harbor by the U.S. authorities. She said there had been “numerous
investigations into Safe Harbor compliance in recent months,” and 10
enforcement actions since 2009, leading to the sanctioning of companies
including Facebook Inc. (10 PVLR 1759, 12/5/11), Google Inc. (10 PVLR 1565,
10/31/11) and MySpace Inc. (11 PVLR 791, 5/14/12).
Brill added that EU
concerns about U.S. access to personal data for national security purposes
should be addressed outside Safe Harbor. In this respect, “Safe Harbor might be
an easy target, but I do not believe it is the right target,” she said.
Hugh Stevenson, deputy director of the FTC's Office of International
Affairs, speaking in a session on Safe Harbor Dec. 12, said that enforcement,
in particular against companies that falsely claim Safe Harbor certification,
was “not working perfectly,” but “this program has grown as privacy enforcement
in general has grown.”
There were “matters in the enforcement pipeline,
and you can expect to see developments in the coming months,” Stevenson
Ostoja-Ostaszewski, an official from the European Commission's Justice
Department, which published the Nov. 27 recommendations on Safe Harbor, told
Bloomberg BNA Dec. 12 that “all options are on the table” in terms of potential
modification or suspension of Safe Harbor.
However, “we see efforts” by FTC
and Commerce “to improve the system,” and a number of the commission's
recommendations “are already being gradually addressed by the U.S.,”
Brill said Safe Harbor might be improved in line
with the commission recommendations through clearer redress systems and the
elimination of fees for alternative dispute resolution (ADR). She said that
increased transparency could be achieved through requirements for Safe Harbor
certified companies to provide links to the FTC Safe Harbor program website,
and to ADR providers.
officials said that not all of the commission's recommendations would easily
work in practice.
Among the recommendations is a call for all U.S.-EU
Safe Harbor program certified companies to publish the privacy conditions in
contracts concluded with subcontractors, such as cloud computing services
Caitlin Fennessy, Safe Harbor administrator for Commerce's
International Trade Administration, said Dec. 12 that a contract language
requirement would “require close consultation with stakeholders, including
industry” over its feasibility, as some Safe Harbor companies have more than
U.S. officials didn't respond directly to the
commission's recommendation that there should be ongoing “ex officio
investigations of effective compliance” of a sample of Safe Harbor companies,
although Stevenson said it was regular practice for the FTC Office of
International Affairs to check the Safe Harbor status of any company under
investigation for potential privacy violations.
Cédric Burton, senior associate at Wilson Sonsini Goodrich& Rosati LLP,
Brussels, told Bloomberg BNA Dec. 12 that “Safe Harbor is an easy target from a
political point of view.” Among its activities, the law firm assists companies
in joining the Safe Harbor program.
“Many Safe Harbor-certified
companies have an extremely strong compliance program in place. In practice the
level of data protection compliance with Safe Harbor doesn't seem to be any
worse than for transfers under Standard Contractual Clauses or Binding
Corporate Rules,” Burton said.
“Safe Harbor is and has been very
valuable since it is and has been a way for companies to become familiar with
EU data protection law principles,” he added.
To contact the reporter on
this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor on
this story: Donald G. Aplin at email@example.com
Further information on the IAPP Europe is available at https://www.privacyassociation.org/community/iapp_europe.
To view additional stories from Privacy & Data Security Law
Resource Center™ register for a free trial now