Safe harbor allows US companies to be certified, through a third party or by self-certification, as providing protection for customers' data to the standard required by the European Union. Without it, US companies would not be allowed to export European customer data to their servers in the US. So far there has been little indication that this threat is being taken seriously on either side of the Atlantic – but that may be just beginning to change.
"So many European companies benefit from the safe harbor scheme that it seems hard to imagine that their politicians would really scrap it. That feels like a cutting off a nose to spite a face reaction," comments James Mullock, a lawyer with the UK-based Osborne Clarke law firm. But he adds, "the politicians are using a set of circumstances to take a course of action which ideologically they strongly believe in, so rational behaviour may not result." He recommends that any company currently relying on safe harbor should examine "other data transfer compliance mechanisms in case safe harbor is killed off.”
Meanwhile, the FTC is applying sanctions on 12 US companies that have falsely represented compliance with safe harbor. Those sanctions amount to consent orders under which the 12 companies will agree to stop their false representation – sanctions that will hardly persuade members of the European Parliament that US industry is taking safe harbor and EU data protection requirements seriously.
Now the Electronic Privacy Information Center (EPIC) has stepped in and published its 'comments' to the FTC on the issue. Its very first recommendation is that "The Commission should prioritize U.S.-EU safe harbor enforcement." The wording of the document is clearly couched in terms of protecting the privacy of US consumers; but the effect is an attempt to save safe harbor.
"EPIC commends the Commission for beginning to address widespread concern about Safe Harbor compliance but cautions that the minimal sanctions that currently result do not provide sufficient assurance of compliance." EPIC urges the Commission to require that the 12 companies comply with the Consumer Privacy Bill of Rights (a statement of consumer rights emanating from the White House) and be more transparent in their compliance reports. It further suggests increased sanctions against one of the companies concerned (DDC Labs) which is a DNA testing firm with operations in both the EU and US.
EPIC is not calling, in this document at least, for all US companies to be required to conform to the US Privacy Bill of Rights. However, the association of the Bill of Rights with failure to comply with safe harbor is an interesting approach. The bolstering of European safe harbor requirements (which have never been adequately enforced in the US) with specifically US requirements (which would inevitably be more strictly enforced by the FTC) could provide a compromise route that would satisfy politicians on both sides of the Atlantic.
The LIBE committee's proposals specifically "urge the US to propose new personal data transfer rules that meet EU data protection requirements:" and tying safe harbor to the Privacy Bill of Rights could provide a way forwards.
It is worth noting, however, that EPIC is not at all convinced that the FTC will consider its arguments. Its final comment is, "EPIC further notes that the Commission has yet to modify an order in response to a request for public comment, and wonders whether the Commission intends in this instance to give any weight to the comments it has requested."