U.S. Officials Respond to EU Concerns Over Safe Harbor Data Transfer Program

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner  

Dec. 12 --U.S. administration representatives at the International Association of Privacy Professionals Europe Data Protection Congress 2013, in Brussels Dec. 11-12, defended the U.S.-EU Safe Harbor program in the face of recent criticism from the European Union and cautioned that not all of the EU's recommendations to reform the program might be workable.

Speaking in the conference's opening session Dec. 11, Commissioner of the Federal Trade Commission Julie Brill said that the Safe Harbor program is “a very effective tool for protecting the privacy of EU consumers,” and it shouldn't be suspended or renegotiated.

However, Brill acknowledged that Safe Harbor had been criticized as part of the “tensions in the transatlantic relationship” over data protection that arose in the wake of revelations of U.S. national security surveillance programs leaked by former U.S. National Security Agency contractor Edward Snowden.

Under the U.S.-EU Safe Harbor program, U.S. companies operating in the EU are permitted to transfer the data of EU customers out of the bloc on the basis that they declare compliance with the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive (95/46/EC). About 3,350 companies have a currently active certification under the scheme.

The European Commission, the EU's executive arm, published on Nov. 27 a series of recommendations that it said the U.S. administrator of the scheme, the Department of Commerce, should react to by mid-2014, or Safe Harbor might be suspended (12 PVLR 2012, 12/9/13).

The commission has said it is “not convinced” that U.S. companies are respecting Safe Harbor in handling the personal data of Europeans and the U.S. administration might not have respected data protection safeguards when accessing for law enforcement purposes data transferred under Safe Harbor (12 PVLR 1866, 11/4/13).

Brill Touts Enforcement

Brill defended the enforcement of Safe Harbor by the U.S. authorities. She said there had been “numerous investigations into Safe Harbor compliance in recent months,” and 10 enforcement actions since 2009, leading to the sanctioning of companies including Facebook Inc. (10 PVLR 1759, 12/5/11), Google Inc. (10 PVLR 1565, 10/31/11) and MySpace Inc. (11 PVLR 791, 5/14/12).

Brill added that EU concerns about U.S. access to personal data for national security purposes should be addressed outside Safe Harbor. In this respect, “Safe Harbor might be an easy target, but I do not believe it is the right target,” she said.

Hugh Stevenson, deputy director of the FTC's Office of International Affairs, speaking in a session on Safe Harbor Dec. 12, said that enforcement, in particular against companies that falsely claim Safe Harbor certification, was “not working perfectly,” but “this program has grown as privacy enforcement in general has grown.”

There were “matters in the enforcement pipeline, and you can expect to see developments in the coming months,” Stevenson said.

Commission Acknowledges U.S. Efforts

Jan Ostoja-Ostaszewski, an official from the European Commission's Justice Department, which published the Nov. 27 recommendations on Safe Harbor, told Bloomberg BNA Dec. 12 that “all options are on the table” in terms of potential modification or suspension of Safe Harbor.

The U.S.-EU Safe Harbor program is “a very effective tool for protecting the privacy of EU consumers,” and it shouldn't be suspended or renegotiated.  
Julie Brill, Commissioner,
Federal Trade Commission

However, “we see efforts” by FTC and Commerce “to improve the system,” and a number of the commission's recommendations “are already being gradually addressed by the U.S.,” Ostoja-Ostaszewski said.

Brill said Safe Harbor might be improved in line with the commission recommendations through clearer redress systems and the elimination of fees for alternative dispute resolution (ADR). She said that increased transparency could be achieved through requirements for Safe Harbor certified companies to provide links to the FTC Safe Harbor program website, and to ADR providers.

Workability of Changes Questioned

U.S. officials said that not all of the commission's recommendations would easily work in practice.

Among the recommendations is a call for all U.S.-EU Safe Harbor program certified companies to publish the privacy conditions in contracts concluded with subcontractors, such as cloud computing services providers.

Caitlin Fennessy, Safe Harbor administrator for Commerce's International Trade Administration, said Dec. 12 that a contract language requirement would “require close consultation with stakeholders, including industry” over its feasibility, as some Safe Harbor companies have more than 10,000 subcontractors.

U.S. officials didn't respond directly to the commission's recommendation that there should be ongoing “ex officio investigations of effective compliance” of a sample of Safe Harbor companies, although Stevenson said it was regular practice for the FTC Office of International Affairs to check the Safe Harbor status of any company under investigation for potential privacy violations.

Compliance Programs

Cédric Burton, senior associate at Wilson Sonsini Goodrich& Rosati LLP, Brussels, told Bloomberg BNA Dec. 12 that “Safe Harbor is an easy target from a political point of view.” Among its activities, the law firm assists companies in joining the Safe Harbor program.

“Many Safe Harbor-certified companies have an extremely strong compliance program in place. In practice the level of data protection compliance with Safe Harbor doesn't seem to be any worse than for transfers under Standard Contractual Clauses or Binding Corporate Rules,” Burton said.

“Safe Harbor is and has been very valuable since it is and has been a way for companies to become familiar with EU data protection law principles,” he added.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor on this story: Donald G. Aplin at daplin@bna.com

Further information on the IAPP Europe is available at https://www.privacyassociation.org/community/iapp_europe.

Request Bloomberg Law: Privacy & Data Security