European Commission Reviews Safe Harbor

As a result of European Union fears regarding the reliability and security of Safe Harbor practices, the European Commission released its review in late November 2013. Notably, it made thirteen recommendations which are meant to improve the functioning of the Safe Harbor framework. The EC demanded that US authorities come up with remedial actions by the summer of 2014. The EC would then review the functioning of the Safe Harbor scheme based on the implementation of those recommendations.

Safe Harbor is largely based on commitments and self-certification of the companies which have joined the growing list. Companies that sign on understand that the Safe Harbor arrangement is voluntary, but the rules are binding for those who do join.

The EC’s review comes in the midst of a flurry of media attention regarding surveillance and data security practices.

EC Recommendations

The Commission made thirteen recommendations regarding the Safe Harbor framework, which are as follows:


  1. Self-certified companies should publicly disclose their privacy policies.
  2. Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbor website which lists all the current members of the scheme.
  3. Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors (e.g. cloud computing services).
  4. Clearly flag on the website of the Department of Commerce all companies which are not currently members of the scheme.

  5. The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider.
  6. The ADR should be readily available and affordable.
  7. The Department of Commerce should systematically monitor ADR providers, regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.

  8. Following the certification/recertification of companies under Safe Harbor, a certain percentage of these companies should be subject to ex officio investigations of effective compliance of their privacy policies (i.e. going beyond control of compliance with formal requirements).
  9. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after one year.
  10. In case of doubts regarding a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
  11. False claims of Safe Harbor adherence should continue to be investigated.

Access by US Authorities

  12. Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor. In particular, companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.
  13. It is important that the national security exception foreseen by the Safe Harbor Decision is used only to an extent that is strictly necessary or proportionate.

Media Hype?

In response to the wave of Safe Harbor criticism from Europe, US officials have become defensive. A source from the US Department of Commerce (DoC) argued that much of the negative rhetoric around Safe Harbor comes out of media reports, which make interesting headlines, but may contain little truth. The spokesperson suggested that interactions with European officials were far smoother. Although there has been substantial debate regarding improvement of the data transfer program over the years, the DoC has responded by making the required adjustments.

According to Julie Brill, Federal Trade Commissioner, the program has a ways to go, but it doesn’t mean it should be completely written off. She commented,

“… there is also a desire to retain Safe Harbor and improve it… I don’t think the concerns should be around enforcement and our role. I think enforcement has been strong and will continue to be strong whenever we receive complaints that appear to have merit. Do I think Safe Harbor is perfect? No, there is always room for improvement. But I think it’s an effective mechanism that ought to be retained.”


This article provides a detailed view of the recommendations made by the European Commission regarding EU/US data flows. In this review, released in late November 2013, thirteen recommendations were made, with the intention of improving the Safe Harbor data transfer mechanism.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Europe (CIPP/E), a privacy professional should be comfortable with topics related to this post, including:

  • European Commission (I.B.d.)
  • EU Data Protection Directive (I.C.b.)
  • International data transfers – Safe Harbor (II.I.c.)
