Privacy Advisor

Safe Harbor’s In Trouble—Unless You Ask the U.S.

With a European Commission report looming, U.S. regulators say they’re committed to the program and to enforcement

November 19, 2013

By Angelique Carson, CIPP/US

If there’s one thing that’s certain, it’s that Safe Harbor is under fire. But what that will mean for the future of the 15-year-old agreement differs wildly depending on whom you ask—and it seems to differ according to continent.

The U.S. Department of Commerce (DOC) says Safe Harbor is still viable, and the Federal Trade Commission (FTC) says it has rigorously enforced compliance with the data-transfer mechanism. But privacy regulators and politicians from European countries—Germany in particular—seem hell-bent on putting an end to the agreement and are calling the U.S.’s bluff everywhere but on paper. So far.

The EU-U.S. Safe Harbor Framework was established by the U.S. Department of Commerce and the European Commission in 2000 in order to bridge the gap between strict European regulations on data transfers. It allows the 4,000 U.S. companies that have self-certified to the DOC that their data transfer policies adhere to EU standards to transfer data from one jurisdiction to the other. But an increasingly popular belief in Europe seems to be that the FTC—which polices Safe Harbor—isn’t carrying a big enough nightstick.  


While controversy over Safe Harbor has been brewing for years, the U.S. National Security Agency PRISM revelations took things to a fever pitch. The winds have picked up and the politically charged sea is choppy. And now, a researcher—the same one who alleged in 2008 that six companies claiming they were certified under Safe Harbor were misrepresenting themselves—has brought forth a new complaint, FTC Commissioner Julie Brill confirmed to The Privacy Advisor.

“We received a list of some 400 companies that he claimed either were falsely purported to be members of Safe Harbor or were otherwise violating it,” Brill said. “We take that complaint—just like we take all complaints—very seriously, and we are taking appropriate actions with respect to that complaint.”

The 2008 allegations resulted in FTC enforcement action. The new charges are being investigated now.

Safe Harbor may be most open to criticism because “it’s self-certifying, and the perception in Europe is increasingly that for many U.S. companies this means that once you put your signature there, it’s as if there’s no consequences attached to it,” said Covington & Burling’s Henriette Tielemans from Brussels. “You should not say you are certified under Safe Harbor if you’re not, because that would be deceiving the consumer. But when you certify and then you don’t do what you said you would be doing, that doesn’t seem to be policed. That’s the idea that runs around. And so some regulators (in Europe) say, ‘We’re just not going to accept it anymore.’”

Christopher Kuner, senior of counsel at Wilson Sonsini Goodrich & Rosati in Brussels, agrees that the political rhetoric surrounding Safe Harbor has reached its peak. He says it started years ago with the 2009 findings that six companies had been deceptive, and things “got off to a bad start.”

But Snowden’s news took things to a whole new level.

“I can’t overstress the hostility toward it here,” Kuner said. “What does it mean, to say, ‘On the one hand, we protect our users’ data but, by the way, not with regard to this big issue of law-enforcement access?’”

Before the Snowden revelations, Kuner said, it was understood that government occasionally accessed data based on specific requests, but the whistleblower has made the widespread practice impossible to ignore.

“That’s been the biggest shock here,” he said. “Not that there is some access to data by law enforcement. But news reports have made it sound like it’s complete wholesale access at all times. A lot of these news reports are contradictory, and it’s not clear what they are based on. But it certainly has caused the temperature to rise.”

Adding momentum is the revision of the EU Data Protection Regulation and parliamentary elections next spring.

However, a source from the U.S. Department of Commerce told The Privacy Advisor that a lot of the negative rhetoric surrounding Safe Harbor is generated by media reports that make for good headlines, but that bilateral conversations with European counterparts are more positive. While there have been concerns over how to improve the program over the years, the spokesperson said, the DOC has subsequently made adjustments. Once, for example, the European Commission said it wanted Safe Harbor-compliant companies to post their policies not only on the Safe Harbor website but also on the companies’ own websites. In early 2013, it therefore became policy that companies do just that.

“I’m hopeful all the work we’ve done to enhance the program will become recognized,” the spokesperson said. “It remains a valid mechanism to transfer data. Folks in Europe recognize how important Safe Harbor is to transatlantic trade.”

“I believe Safe Harbor is still a viable mechanism,” said the FTC’s Brill. “We vigorously enforce Safe Harbor, and it’s grown over the past 10 years or so. Many more companies are now a part of it than used to be.”  

Asked whether she feels her counterparts in Europe are as optimistic about Safe Harbor as she is, Brill conceded that there is “concern” among European parliamentarians and members of the European Commission.


“But I believe there is also a desire to retain Safe Harbor and improve it,” Brill said. “I think both can be true—concern as well as desire to retain it. But we’re going to have to see how things work out over the next several weeks and months.”

Whatever the complaints, those centered on the FTC’s job as policeman are off-base, Brill said. 

“I don’t think the concerns should be around enforcement and our role,” she said. “I think enforcement has been strong and will continue to be strong whenever we receive complaints that appear to have merit. Do I think Safe Harbor is perfect? No, there is always room for improvement. But I think it’s an effective mechanism that ought to be retained.”

The DOC spokesperson echoed Brill’s optimism: “We’re still very much hopeful that Safe Harbor will continue to function going forward.”

Kuner isn’t quite as optimistic. For now, the future seems to hinge on the European Commission’s Safe Harbor report, due in December. A representative for the European Commission declined comment for this report, deferring until after the report's release. Kuner expects the report to be highly critical of the mechanism and for demands to be made. Further, he suspects European authorities are hoping to push companies in the direction of Binding Corporate Rules as a transfer mechanism rather than Safe Harbor. But law enforcement can access BCR data as well, meaning they “aren’t really safer than Safe Harbor,” Kuner said. “This is an issue for all kinds of data transfers, not just Safe Harbor. Safe Harbor is just the whipping boy.”

That being said, the forthcoming parliamentary elections mean it’s likely rhetoric will only continue to heat up. Adding to that is the fact that DOC General Counsel and then Interim Secretary Cam Kerry recently retired from the department. He was seen as very much a privacy champion. His replacement, Penny Pritzker, laid out her “strategic vision” for the Commerce Department in a recent speech. While the importance of a strong digital economy and smart use of Big Data was emphasized, “privacy,” “data protection” and “Safe Harbor” can’t be found within the 3,000-plus word speech. (Look for further coverage of Pritzker’s privacy plans.)

Should Safe Harbor be suspended, as the European Commission’s LIBE committee recently threatened, the effects would likely not be felt for a couple of years, as any new rules would take time to be implemented and likely allow for an implementation grace period, according to the DOC spokesperson.

Without Safe Harbor, as can be seen in this analysis for The Privacy Advisor, companies would face more time- and resource-consuming alternatives to data transfers that would require case-by-case review. In addition, enforcement would fall to European data protection authorities rather than U.S. agencies.

“I don’t think this will really go away, and there will be increased tension between the two sides,” Kuner said. “And of course, how this often plays out is that companies get caught in the middle.”

Until December’s report, companies are left to wonder whether it’s going to be smooth sailing from here on out or if the ports they’ve long relied on to transfer data overseas will soon be closed for business.

 

(Editor's Note: A panel including representatives from the Federal Trade Commission, Department of Commerce, European Commission and CNIL will speak about "Safe Harbour: Lessons Learned and Protocols" at the IAPP Data Protection Congress, Dec. 10-11, in Brussels.)


