As part of a comprehensive review of EU-US data transfer agreements, the EU Commission released a paper on the Functioning of the Safe Harbor from the Perspective of EU Citizens and Companies Established in the EU on 27 November 2013. Safe Harbor is a method by which personal data may be transferred from EU Member States to organisations in the US despite differing data protection standards.

US organisations must self-certify with the US Department of Commerce that they are compliant with the principles under Safe Harbor. The Paper outlines a number of persisting concerns and makes recommendations on how they can be addressed. This review comes on foot of a broader breakdown of trust between the EU and US on data protection issues that we have considered in another post.

On a high level, the issues raised by the Paper include a general lack of enforcement by the US authorities. The Department of Commerce, it argues, has not done enough to require that organisations have sufficiently transparent and accessible privacy policies that fully incorporate the principles of Safe Harbor. They also do not go far enough in looking behind the self-certifications they rely on. It has further failed to make ADR sufficiently accessible to complainants, particularly with regard to cost.

Meanwhile, the paper argues, the Federal Trade Commission has not taken sufficient enforcement actions against organisations violating their Safe Harbor obligations. The combination of lack of transparency and enforcement has led to non-adherence with Safe Harbor by up to 10% of those claiming to be compliant, and a confused approach from EU national data protection authorities. Ultimately, this has given non-adhering US organisations an unfair competitive advantage.

In the Paper, the Commission makes recommendations for how their concerns could be eased, including:

  • an improvement in transparency by placing a requirement on organisations to publicly disclose privacy policies and contracts with any subcontractors such as cloud service providers and by making it a requirement on organisations to include in their privacy policies an indication of when they apply exceptions to meet law enforcement requirements, such as requests from the NSA.
  • changes to enforcement methods, such as random investigations ensuring effective compliance with privacy policies and a renewed emphasis on investigation of false claims; and
  • improved access to ADR by making it affordable in all cases, and by the Department of Commerce monitoring providers systematically.

It is widely accepted that Safe Harbor is economically beneficial for both sides. While the Commission regards the status quo as unsustainable, its ideal outcome would be the modification of Safe Harbor along the lines it has recommended, not a termination of it.

The US, for its part, has taken some of the Commission’s concerns on board, such as requiring the publication of privacy policies on the websites of Safe Harbor organisations. While the Commission has given the US until summer 2014 to remedy the concerns it has, there are a number of factors that could change between now and then.

The EU reaction to President Obama’s recently announced changes to surveillance legislation has yet to be shaped, the EU parliament aims to adopt the EU Data Protection Regulation that would have profound effects on Safe Harbor and, meanwhile, the LIBE Committee of the EU Parliament have recommended a complete suspension of Safe Harbor in favour of other means of legitimising exports of personal data to the US.

Additionally, the Federal Trade Commission has recently announced that they have made settlements with 12 companies in breach of Safe Harbor requirements, which we will analyse in more detail in an upcoming post.