The United States may soon be forced to revise its data privacy practices to preserve cross-border data transfers between the two largest trading partners in the world. On November 27, 2013, the European Commission (Commission) released a six-point action plan to restore trust in data flows between the United States and the European Union (EU) following deep concerns about U.S. surveillance activities. The plan, among other recommendations, contemplates accelerated review of the proposed EU data protection reform package as well as the extension of new U.S. privacy protections to EU citizens. Importantly, the plan preserves the U.S.-EU Safe Harbor data transfer mechanism, subject to certain new reforms, despite demands from top European officials to end the agreement.
The Safe Harbor Program
The Safe Harbor is a voluntary self-certification system for transmitting data from the EU (and Switzerland) to the United States. Under the program, U.S. companies can receive personal data from Europe if they agree to accept restrictions requiring them to treat the data as if it is still physically in Europe and subject to EU data privacy laws. Self-certifying under Safe Harbor requires publicly committing to comply with seven Safe Harbor principles and rules that essentially track the EU’s privacy laws. The agreement permits limitations to data protection rules where necessary on grounds of national security, public interest, or law enforcement requirements. As of September 2013, some 3,246 companies had membership in the Safe Harbor.
The Safe Harbor has attracted criticism since its approval in 2000, and European regulators ramped up those criticisms in the wake of the U.S. National Security Agency PRISM scandal. As details of U.S. surveillance activities emerged, European officials increasingly called for review and, in some cases, suspension of the agreement. Jan Philipp Albrecht, the rapporteur responsible for guiding the Commission’s proposed data protection reform package through the European Parliament, released a report recommending that the EU discontinue the Safe Harbor program. According to Albrecht, the agreement inappropriately allows U.S. companies to “circumvent” the EU’s more stringent privacy regime. Commission Vice President Viviane Reding openly questioned whether the Safe Harbor is actually safe at all, noting that some companies involved in the PRISM surveillance program are certified under the agreement. Germany’s data protection commissioners also called for an end to the Safe Harbor in a letter written to German Chancellor Angela Merkel.
Six Action Areas
Despite these efforts, the Commission has chosen not to scrap the Safe Harbor just yet. Instead, the Commission has called for action in six areas to restore trust in data flows between the EU and the U.S., including 13 recommendations for modifying the Safe Harbor:
- Adoption of the EU’s Data Protection Reform Package by Spring 2014. According to the Commission, a strong legislative framework with clear rules that are enforceable in situations when data is transferred and processed abroad is, “more than ever,” a necessity. The Commission’s proposed new data protection regulation, however, must be approved by both the European Parliament and the European Council, and it seems unlikely that will occur by Spring 2014. Certain EU member states—including the United Kingdom and Germany—have expressed concerns over some of the proposed provisions and support delaying adoption of the law. EU leaders caved to such demands at a meeting in October, dropping a 2014 deadline previously pushed by the Parliament in favor of a pledge to introduce plans in a “timely fashion.”
- Make the Safe Harbor Safer. The Commission made 13 recommendations to improve the functioning of the Safe Harbor. These recommendations focus on improving transparency, enhancing redress mechanisms, and strengthening enforcement. The list also includes two recommendations addressing U.S. government surveillance: 1) companies should “include information on the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor” and 2) U.S. surveillance should be “strictly necessary and proportionate for national security aims.”
The Commission calls on U.S. authorities to identify remedies by Summer 2014, at which point the Commission will review the functioning of the Safe Harbor based on the implementation of the 13 recommendations. The Commission may then maintain the agreement, suspend it, or revise it in light of its review. The 13 recommendations are:
- Safe Harbor companies should publicly disclose their privacy policies.
- Privacy policies should include a link to the U.S. Department of Commerce’s (Commerce) Safe Harbor website, which lists all current members of the agreement.
- Safe Harbor companies should publish privacy conditions of contracts they conclude with subcontractors.
- Commerce should maintain a list of all companies that do not renew their Safe Harbor certification.
- Privacy policies should include a link to an alternative dispute resolution (ADR) provider.
- ADR should be readily available and affordable.
- Commerce should monitor the transparency and accessibility of ADR providers.
- A certain percentage of Safe Harbor companies should be subject to compliance reviews every year.
- Safe Harbor companies that are found not to be in compliance in any given year should be subject to follow-up investigations after one year.
- Commerce should notify the competent EU Data Protection Authority of specific compliance concerns.
- False claims of Safe Harbor compliance should continue to be investigated.
- Privacy policies should include information on the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor. Companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Safe Harbor principles to meet national security, public interest, or law enforcement requirements.
- National security exceptions under the Safe Harbor should be used only to the extent that is strictly necessary or proportionate.
- Strengthen Data Protection Safeguards in Law Enforcement. The Commission calls for current negotiations on an “umbrella agreement” for transfers and processing of police and law enforcement data to be conducted swiftly, so that citizens of both the U.S. and the EU receive equal protections in relation to requests for law enforcement data.
- Use Existing Mutual Legal Assistance and Sectoral Agreements to Obtain Data. The Commission requests that the U.S. commit to making use of existing legal frameworks and sectoral U.S.-EU agreements, such as the Passenger Name Records Agreement and Terrorist Financing Tracking Program (TFTP), when making requests for companies to turn over data to law enforcement agencies. In practice, this would prevent the U.S. from approaching companies directly for data except under exceptional and judicially reviewable situations. By including this action item, the Commission rebuffed a call from Parliament in October 2013 to suspend the TFTP, which allows for the sharing of financial data in order to track terrorist financing, amid growing anger over U.S. surveillance revelations.
- Address European Concerns in the Ongoing U.S. Reform Process. President Obama has announced a review of U.S. national security activities, and the Commission requests that any new protections that result from this process be extended to EU citizens.
- Promote Privacy Standards Internationally. The Commission invites the U.S. to accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). Convention 108 is regarded as one of the most influential international instruments for data protection and heavily influenced the EU’s existing data privacy laws.
The Commission’s recommended actions are a much softer critique of the Safe Harbor than some had expected. As a response to reports of U.S. surveillance activities and criticisms of the Safe Harbor, the Commission’s six-point plan seems hopeful rather than punitive, to the disappointment of some. The Center for Digital Democracy, for example, released a statement that the EU “should have found that the entire Safe Harbor scheme is inadequate.” BEUC—The European Consumers’ Organisation stated that “it is hard to see the purpose of proceeding without tackling such basic flaws and perhaps the time has come to put the Safe Harbor agreement to one side and move on.” Of course, the Commission still could scrap the Safe Harbor or require more substantive revisions if the U.S. does not meaningfully respond to its recommendations.