EPIC Calls on The FTC to Supplement Safe Harbor with the Privacy Bill of Rights

24 February 2014

On 12 March, the full European Parliament will vote on the proposals adopted by the Civil Liberties, Justice and Home Affairs committee (LIBE) following the allegations of mass spying by the NSA arising from the documents leaked by Edward Snowden. One of the proposals is for the "immediate suspension" of the safe harbor agreement with the US.

Safe harbor allows US companies to be certified, through a third party or by self-certification, as providing protection for customers' data to the standard required by the European Union. Without it, US companies would not be allowed to export European customer data to their servers in the US. So far there has been little indication that this threat is being taken seriously on either side of the Atlantic – but that may be just beginning to change.

"So many European companies benefit from the safe harbor scheme that it seems hard to imagine that their politicians would really scrap it. That feels like a cutting off a nose to spite a face reaction," comments James Mullock, a lawyer with the UK-based Osborne Clarke law firm. But he adds, "the politicians are using a set of circumstances to take a course of action which ideologically they strongly believe in, so rational behaviour may not result." He recommends that any company currently relying on safe harbor should examine "other data transfer compliance mechanisms in case safe harbor is killed off."

Meanwhile, the FTC is applying sanctions on 12 US companies that have falsely represented compliance with safe harbor. Those sanctions amount to consent orders under which the 12 companies will agree to stop their false representation – sanctions that will hardly persuade members of the European Parliament that US industry is taking safe harbor and EU data protection requirements seriously.

Now the Electronic Privacy Information Center (EPIC) has stepped in and published its 'comments' to the FTC on the issue. Its very first recommendation is that "The Commission should prioritize U.S.-EU safe harbor enforcement." The wording of the document is clearly couched in terms of protecting the privacy of US consumers; but the effect is an attempt to save safe harbor.

"EPIC commends the Commission for beginning to address widespread concern about Safe Harbor compliance but cautions that the minimal sanctions that currently result do not provide sufficient assurance of compliance." EPIC urges the Commission to require that the 12 companies comply with the Consumer Privacy Bill of Rights (a statement of consumer rights emanating from the White House) and be more transparent in their compliance reports. It further suggests increased sanctions against one of the companies concerned (DDC Labs) which is a DNA testing firm with operations in both the EU and US.

EPIC is not calling, in this document at least, for all US companies to be required to conform to the US Privacy Bill of Rights. However, the association of the Bill of Rights with failure to comply with safe harbor is an interesting approach. The bolstering of European safe harbor requirements (which have never been adequately enforced in the US) with specifically US requirements (which would inevitably be more strictly enforced by the FTC) could provide a compromise route that would satisfy politicians on both sides of the Atlantic.

The LIBE committee's proposals specifically "urge the US to propose new personal data transfer rules that meet EU data protection requirements," and tying safe harbor to the Privacy Bill of Rights could provide a way forward.

It is worth noting, however, that EPIC is not at all convinced that the FTC will consider its arguments. Its final comment is, "EPIC further notes that the Commission has yet to modify an order in response to a request for public comment, and wonders whether the Commission intends in this instance to give any weight to the comments it has requested."
