Progress Slow on Talks Over Revision Of U.S.-EU Safe Harbor, Officials Say

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Nov. 19 — The U.S. is still considering its response to 13 European Commission recommendations on upgrading the U.S.-European Union Safe Harbor Program, despite a pledge to strengthen the program by the summer, speakers at the International Association of Privacy Professionals Europe Data Protection Congress 2014 said Nov. 19.

EU and U.S. leaders said at a summit in March that they were “committed to strengthening the Safe Harbor Framework in a comprehensive manner by summer 2014” in order to restore trust in trans-Atlantic data transfers, which had been damaged by the leaks about government mass electronic surveillance of personal data from former U.S. National Security Agency contractor Edward Snowden.

However, at the IAPP Congress in Brussels, Ted Dean, U.S. Department of Commerce deputy assistant secretary, said that the U.S. was still “in the midst of consultations to develop how we will respond to the 13 recommendations.”

The European Commission, the EU's executive arm, put forward the recommendations in November 2013, amid concerns that Safe Harbor was inadequate to safeguard the privacy of EU citizens whose data are transferred to the U.S..

Under Safe Harbor, which is administered by the U.S. Department of Commerce, data transfers from the EU are permitted on the basis that U.S. companies self-certify their agreement to abide by the Safe Harbor Framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive (95/46/EC). Approximately 3,900 companies possess current certifications under Safe Harbor.

Slower Progress Reported

Comments made by speakers at the IAPP Europe Congress 2014 contrasted with comments made by officials earlier in the year on the progress of the review of Safe Harbor.

In June, the former EU Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding said that U.S. officials had agreed to 12 of the 13 commission recommendations, and that the only point to be resolved was the extent to which U.S. national security bodies would be able to access the data of EU citizens transferred under Safe Harbor.

However, U.S. Federal Trade Commissioner Julie Brill said at the IAPP Europe Congress Nov. 19 that only 11 of the 13 recommendations could be answered by either the Department of Commerce or the FTC, and two points relating to access to data by U.S. public authorities are outside their jurisdiction.

Commerce Deputy Assistant Secretary Dean said in response to a question from Bloomberg BNA that when judging the U.S. response to its 13 recommendations, the European Commission should “look at the totality” of the U.S. response and should consider developments such as President Barack Obama's Jan. 17 presidential policy directive (PPD-28) to strengthen executive branch oversight of U.S. intelligence activities.

Dean didn't answer a question from Bloomberg BNA on when the Department of Commerce would respond to the European Commission's recommendations.

Issues of U.S. public authority access to the data of EU citizens transferred by U.S. companies under Safe Harbor were “very challenging,” Dean said.

Suspension Threat

The EU has threatened to suspend Safe Harbor if its 13 points aren't satisfactorily addressed.

In October, one incoming EU commissioner reiterated comments previously made by Reding that Safe Harbor could be suspended.

Dean said he was an “optimist” that the gap between the EU and U.S. on Safe Harbor could be closed, and “we have reached agreement on many of the issues.”

Safe Harbor was an effective framework for trans-Atlantic data transfers, and the Department of Commerce has increased its resources dedicated to administration of the program, Dean said.

Eduardo Ustaran, a partner with Hogan Lovells in London, told Bloomberg BNA Nov. 19 that the slow U.S. response to the commission's 13 recommendations had created a “sense of uncertainty” about Safe Harbor.

“There are companies that take Safe Harbor very seriously,” and it was “frustrating” for them that “those efforts are damaged” by negative perceptions about Safe Harbor, Ustaran, who is a member of the Privacy & Security Law Report's advisory board, said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com