At the end of November, the European Commission released its report regarding US-EU data flows and its feedback on the often-criticized Safe Harbor Framework. The EC’s report made 13 recommendations which would hopefully improve this data transfer procedure. According to the EC, US officials will have until summer 2014 to implement the recommendations before a review.
European Perspectives on Safe Harbor
Originally established in 2000 by the US Department of Commerce and the European Commission, the Safe Harbor Framework intended to bridge the gap between strict European regulations on data transfers. It permits the 4000 self-certified US companies to say that their data transfer policies comply with EU standards, allowing them to transfer data from one jurisdiction to another. However, it’s commonly believed amongst European officials that the FTC isn’t policing the Safe Harbor framework the way it really should.
According to Henriette Tielemans from Covington & Burling’s in Brussels, the problem with Safe Harbor is that
“… it’s self-certifying, and the perception in Europe is increasingly that for many US companies this means that once you put your signature there, it’s as if there’s no consequences attached to it. You should not say you are certified under Safe Harbor if you’re not, because that would be deceiving the consumer. But when you certify and then you don’t do what you said you would be doing, that doesn’t seemed to be policed. That’s the idea that runs around [in Europe].”
Sophie in`t Veld, the vice president of the Dutch Parliament`s Civil Liberties and Home Affairs Committee is encouraged that the EC is taking steps to correct the situation, something she feels is long overdue. The Commission’s report signals that things are beginning to change:
“For so many years, European data protection laws were basically completely ignored, and the member states and the European Commission did little to make sure they were being properly implemented and enforced, so these are the first signs that maybe we’re now finally entering the phase where we no longer tolerate that our own EU rules are being overruled by third countries’ laws. I hope it’s a new era where our laws will finally be enforced on European territory.”
Breakdown of the Commission’s Response
The recent EC response was multifaceted, including the following parts:
- A strategy paper on transatlantic data flows. This set out the challenges and risks following the revelations of US intelligence collection programs, and the steps required to address those concerns.
- An analysis of the functioning of Safe Harbor which regulates data transfers for commercial purposes between the EU and the US.
- A factual report on the findings of the EU-US Working Group on Data Protection, initially set up July 2013.
- A review of existing agreements on passenger Name Records (PNR).
- A review of the Terrorist Finance Tracking Programme (TFTP) regulating data exchanges in these sectors for law enforcement purposes.
In order to ensure that data flows are maintained between the EU and US, a high level of data security should be enforced. The EC called for immediate action in the following six areas:
- A swift adoption of the EU’s data protection reform
- Making Safe Harbor Safe
- Strengthening data protection safeguards in the law enforcement area
- Using the existing Mutual Legal Assistance and Sectoral agreements to obtain data
- Addressing European concerns in the on-going US reform process
- Promoting privacy standards on an international level
According to the US Department of Commerce, Safe Harbor is still viable. In support, the Federal Trade Commission (FTC) maintains that it has rigorously enforced compliance with the data transfer mechanism. However, privacy officials and other observers from European countries don’t seem convinced. Specifically, German officials have been keen to end the agreement and rectify the situation.
Speaking out in support of the framework, Federal Trade Commissioner Julie Brill commented, “I believe Safe Harbor is still a viable mechanism. We vigorously enforce Safe Harbor, and it’s grown over the past 10 years or so. Many more companies are now a part of it than [there] used to be.”
This article introduces the European Commission’s recent critique of the EU/US Safe Harbor Framework. It called for swift action in six main areas, which are outlined here. More in-depth coverage of the EC’s review will be provided in a future article.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Europe (CIPP/E), a privacy professional should be comfortable with topics related to this post, including:
- EU Data Protection Directive (I.C.b.)
- International data transfers – Safe Harbor (II.I.c.)