U.S. Privacy Paves Way for New Safe Harbor: Officials

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Dec. 11 — The U.S. offers sufficient legal safeguards against indiscriminate access to personal data by security agencies and therefore, the issue shouldn't be an obstacle to a new agreement on transatlantic data transfers to replace the invalidated U.S.-EU Safe Harbor framework, U.S. officials said Dec. 11.

Robert S. Litt, general counsel from the Office of the Director of National Intelligence, said there was an incorrect impression in the European Union of U.S. security agencies “sweeping everything up without limitation,” but this was “false” and the U.S. offered privacy protections that were “as robust and effective” as those in the EU.

Litt was speaking at a seminar in Brussels organized by the European Policy Center think tank.

The issue of safeguards on U.S. law enforcement access to data is crucial in the U.S.-EU negotiations to replace Safe Harbor, which was invalidated by the European Court of Justice Oct. 6.

A major justification for the invalidation was that the decision taken by the European Commission, the EU's executive arm, recognizing Safe Harbor as an adequate data protection regime, hadn't taken into account potentially indiscriminate U.S. security agency access to the transferred personal data of EU citizens.

Concerns began to be raised about the legal safeguards in the commission's Safe Harbor decision after leaks in 2013 about U.S. electronic surveillance programs.

The invalidation of Safe Harbor—which permitted transfers of personal data controlled in the EU to the U.S. on the basis that participants complied with principles similar to those in the EU Data Protection Directive (95/46/EC)—affected not only some 4,400 U.S. companies certified in the program but untold thousands of EU companies that relied on the certification to transfer personal data to those companies.

U.S. Protections Adequate 

Litt said that the ECJ “did not find that U.S. law in practice and in fact did not protect privacy rights,” but rather that the commission decision approving Safe Harbor hadn't sufficiently demonstrated that data protection in the U.S. was adequate.

Justin Antonipillai, deputy general counsel from the U.S. Department of Commerce, also speaking at the European Policy Center event, said that U.S. negotiators were working with the commission so that a future EU adequacy finding about the U.S. “would be based on facts, not assumptions,” and could withstand a potential future court challenge in the EU.

The remarks echoed comments made by Julie Brill, commissioner of the U.S. Federal Trade Commission, that an agreement to replace Safe Harbor was feasible by February if it demonstrated the “essential equivalence” of EU and U.S. privacy protections.

EU data protection authorities have said they will start to enforce the ECJ's ruling on Safe Harbor at the end of January if no replacement agreement is in place.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com