Report: Despite NSA Worries, Safe Harbor Protects EU Privacy

The Safe Harbor framework was designed to eliminate friction in trade between US and EU companies given the differences the two have when it comes to privacy mandates

But the Future of Privacy Forum (FPF), a think tank that seeks to advance responsible data practices, has conducted an in-depth study of the Safe Harbor framework and its alternatives, and has found that it has largely been successful in maintaining strong personal privacy protections for European citizens while allowing the free flow of data between the EU and US. 

The report also cautions against the precipitous termination of the Safe Harbor, which has become a cornerstone of trans-Atlantic data transfers, and instead suggests a number of areas where the framework can be strengthened.

“This report shows that the Safe Harbor still is our best bet for protecting peoples’ data in a global economy,” said Christopher Wolf, founder and co-chair of FPF, who is speaking in Brussels at privacy events this week. “By requiring companies to make commitments that can be enforced by the US Federal Trade Commission, EU citizens gain privacy protections in ways not possible without the Safe Harbor agreement. We should continue to look for common-sense solutions to improve the agreement without upsetting the balance that has been the driver of the Safe Harbor’s success.”

The European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) "adequacy" standard for privacy protection. While the US and the EU share the goal of enhancing privacy protection for their citizens, the US takes a different approach to privacy from that taken by the EU. The US uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The EU, however, relies on comprehensive legislation that requires, among other things, the creation of independent government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these differences, the Directive could have significantly hampered the ability of US organizations to engage in a range of trans-Atlantic transactions.

In order to bridge these differences and provide a streamlined and cost-effective means for US organizations to satisfy the Directive’s “adequacy” requirement, the US Department of Commerce in consultation with the European Commission developed a Safe Harbor framework, which was approved by the EU in 2000. It allows US organizations that self-certify with the framework to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws.

Since its inception, the Safe Harbor has seen tremendous growth, according to the analysis. As of November 2013, more than 4,000 companies have signed on to the Safe Harbor’s privacy requirements. Encouragingly, the report also found that companies spend “considerable” time monitoring and modifying their privacy practices to meet the requirements of the Safe Harbor agreement.

The research also showed that the Safe Harbor is effectively enforced by the Federal Trade Commission (FTC) and third-party actors. Despite a lack of complaints from European Data Protection Authorities, the FTC has used its power to investigate and bring actions against companies for misrepresenting their membership in the Safe Harbor, and against companies that have failed to comply with substantive Safe Harbor requirements. Additionally, third-party dispute resolution providers such as TRUSTe and the Council of Better Business Bureaus handle complaints from EU citizens and are able to resolve many concerns without the need for legal action.

The report wasn’t all sunshine and roses: the group made a number of recommendations for improving practice. For one, to encourage Safe Harbor membership, it said that improved online tools should be developed to assist companies, particularly smaller ones, in determining whether they should self-certify to the Safe Harbor. Additionally, more administrative resources should be allocated to the Department of Commerce for handling outreach and new member inquiries.

To improve compliance, a “Safe Harbor Master” should be appointed and housed in the Department of Commerce, it recommended. The Safe Harbor Master could help companies determine whether it makes sense to join the Safe Harbor program given their actual data practices. Once a company is a member, the Master could continue to monitor it to make sure it is complying (e.g., reviewing policies to make sure they are accurate), issue guidance to participants and, in cases of recalcitrance, refer targets to the FTC for enforcement. The Master also could prepare annual reports for the EU and coordinate efforts between the Department of Commerce and the FTC.

To bolster enforcement efforts, European Data Protection Authorities should do more to educate their citizens about the Safe Harbor program. The amount and substance of information about the Safe Harbor varies widely among DPA websites, the firm found. For instance, in some cases, there is no reasonable way for an average EU citizen to find a basic complaint form. Also, the Department of Commerce’s Safe Harbor website should be updated to better help individuals understand their rights.

“The Safe Harbor framework is uniquely capable of harmonizing US and EU privacy concerns while encouraging trans-Atlantic data transfers,” said Jules Polonetsky, executive director and co-chair of FPF. “Case studies, compliance interviews, and enforcement actions all show that the Safe Harbor is effectively enforced and that participants take heed of Safe Harbor responsibilities. While improvements to the Safe Harbor can and should be made, our focus needs to remain on growing the program and covering more individuals and businesses with these privacy safeguards.”

While some in the EU have called for the repeal of Safe Harbor in the face of the revelations of NSA snooping globally, the FPF found that the consequences of the EU suspending the Safe Harbor would be extremely negative, weakening personal privacy protections for EU citizens and, of course, impacting the trans-Atlantic economy. First, under the Safe Harbor, the FTC has the capacity to enforce against US companies on behalf of EU citizens, simplifying complex jurisdictional issues. The Safe Harbor program also results in stronger investigatory and monitoring powers for the FTC.

Second, alternatives to the Safe Harbor program as a mechanism of compliance with the EU Data Directive may not be feasible for all companies. These alternative mechanisms, including express consent, model contracts, and binding corporate rules, are either too inflexible or too difficult to implement at scale for the wide variety of companies that rely on the Safe Harbor and provide less transparency for regulators about data flows.

Third, eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data, FPF said. The global economy, and particularly the transatlantic economy, will continue to rely on international data transfers, and when US-based companies are presented with a valid legal order from the US government for information, companies will be compelled to provide access to that data regardless of their membership in the Safe Harbor.
