Richard Kemp’s comments published in Compliance Week

Data Privacy Safe Harbor in Jeopardy as EU Considers Reforms

Neil Baker

June 17 2014

As the European Union considers new rules for data privacy and security, an existing safe harbor that allows U.S. companies to move personal data out of the European Union hangs in the balance.

Under the current laws, which took effect in 1998, companies are barred from moving personal data of citizens of EU member countries out of the European Union unless the destination country has data privacy protection that it deems adequate. The United States has never passed that test, but under a deal it struck with the European

Union in 2000 U.S. companies can move consumer data out of the European Union if they comply with seven outlined principles, including keeping personal data secure and allowing people to see any data held about them.

The European Union is currently working on a set of data privacy reforms that may include requirements that companies get consent from consumers before capturing data, notify individuals when data is compromised by a data breach, delete personal data when asked, and build data protection safeguards into products and services.

As the European Union works through such reforms, some EU politicians and others have called for the safe harbor to be scrapped, which could cause huge compliance headaches for U.S. companies that do business in Europe. Last year’s revelations about the extent to which the U.S. National Security Agency was gathering data about EU citizens, and the involvement of U.S. companies in this process, has contributed to calls to end the safe harbor.

Another blow to the safe harbor is allegations that U.S. companies aren’t upholding their end of the bargain. A European Commission review of how well the safe harbor scheme was working, published in November, was scathing. It concluded there was little active monitoring by the Federal Trade Commission on how well companies complied with the principles, nor was there enforcement in cases of non-compliance. Companies simply need to self-certify to the Department of Commerce that they follow the seven principles. It, in turn, publishes a list of certified companies, although it conceded that 10 percent of the 4,000 or so active companies on its list were probably not compliant.

Commenting on the situation in February, European Data Protection Supervisor Peter Hustinx said there must be “a concerted effort to restore trust” in data privacy and this needs to include “effective application and enforcement of the instruments regulating international transfers between the European Union and the United States, in particular the existing safe harbor principles.”

The Bridge Project

“The primary goal for this project is to stop trying to convince the other side that it is doing a bad job with regards to data protection and to get them to focus on the shared ultimate goal of effective privacy protection.”

—Jacob Kohnstamm,
Chairman,
Dutch Data Protection Authority

While Europe waits to see how the United States responds to that challenge, a multinational group of privacy experts is attempting to iron out the differences between the European Union’s and the United States’ data regimes. The Privacy Bridge Project includes 10 privacy experts from the European Union and 10 from the United States, convened by Jacob Kohnstamm, chairman of the Dutch Data Protection Authority. It held its first meeting in April and will hold four more sessions before publishing a report and recommendations next year.

Kohnstamm hopes the group can come up with “a practical, pragmatic, and technological solution” to bridge the gap between the data privacy regimes. He stresses the need to find common ground and abandon the age-old position that “interoperability” will only be achieved when one regime has made wholesale changes to its privacy laws.

“There is no point arguing about the United States’ First or Fourth Amendments or the European Union’s Treaty of Lisbon: They are not going to be changed, so it’s best not to even fight about them,” he says. “The primary goal for this project is to stop trying to convince the other side that it is doing a bad job with regard to data protection, and to get them to focus on the shared ultimate goal of effective privacy protection, to see where there are similarities and to build on those.”

Bojana Bellamy, president of law firm Hunton & Williams’ Centre for Information Policy Leadership and one of the experts working on the project, calls it “a really positive and necessary development.”

Building a bridge across the legal divide is “vital for businesses, governments, and citizens, and essential for economic prosperity,” she says. The composition of the group—academics and legal experts from Europe and the United States in equal measure—reflects a conscious effort to ensure independence, as was the decision not to invite industry representatives, Bellamy says. “The project will invite other experts—corporates and IT experts, for example—to give their views and provide feedback on the existing rules, but the group will be independent,” she explains.

SAFE HARBOR PRINCIPLES

Below is a list of the seven Safe Harbor Privacy Principles’ requirements:

Notice

Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.

Choice

Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

Onward Transfer (Transfers to Third Parties)

To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the Safe Harbor Privacy Principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.

Access

Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

Security

Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity

Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

Enforcement

In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles.

Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.

Source: Export.gov.

The Privacy Bridge project “is a welcome move toward restoring a rational approach” to data privacy, says Richard Kemp, principal at Kemp IT Law, a law firm that specializes in data protection issues. The surveillance revelations and fall-out over the European Court of Justice’s recent Google ruling have unhelpfully polarized the debate, he believes. The court ruled on May 13 that Google was a data processor under EU law so it had to comply with its “right to be forgotten” rules.

But Kemp questions whether Europe’s new data laws—due to be finalized in 2015 and in effect by 2016-2017—will overtake the project. “The efforts of the Privacy Bridge Project could be for nothing as a new set of rules is due shortly after it presents its report,” he says.

“There is also an issue about whether the people involved in the project have much sway within the corridors of power in both the European Union and the United States—ultimately, it will be politicians who decide what may be adopted or followed.”

Kemp says the original data protection directive missed the rise of the internet, which is why data protection and storage have become such big issues; similarly the proposed new EU directive has missed the rise of the cloud and its commercial take-up. “With over 3,000 amendments already to the proposed EU legislation, there is a feeling that the rules are already behind the technological capabilities used to store and transfer personal data that companies worldwide are already using,” he says.

Robert Bond, partner and head of the data protection and information practice at law firm Speechly Bircham, does not believe that the existing mix of safe harbor and “model clauses” needs to be replaced—companies can move data to the United States if the transfer is made under a contract that includes model clauses approved by the Commission. He also doubts that the Privacy Bridge Project is the best way to move forward.

“The project is focused on data being transferred safely and securely between the European Union and United States. That’s fine, but in the real world data moves all around the world,” Bond says. “Instead, there should be a greater focus on developing a set of global principles for data transfer, perhaps starting with inter-regional conventions regarding data principles and data sharing. Just focusing on the United States and the European Union is missing the point.”

But Greg Mason, a partner at Forensic Risk Alliance, a provider of international e-Discovery and forensic accounting services, gives the project a cautious welcome. “Having a more comprehensive program in place, where all concerned parties are involved in the creation of the program, is an intelligent approach,” he says. “Assuming there can be agreement between the experts from both sides of the Atlantic, this could present a viable option for many companies that would be affected by a suspension of the Safe Harbor program.”