Anders Ansip, Vice-President designate for Digital Single Market, has suggested that the suspension of the Safe Harbor Regime should not be ruled out if agreement cannot be reached with the U.S. Government as to how the national security exemption for processing personal data without consent should be applied. In his view, the U.S. Government needs to provide more specific conditions for when this exemption may be applicable. Mr. Ansip is quoted as saying, “Safe Harbor is not secure. The agreement has yet to live up to its name. If the U.S. Government does not make a clear statement, we must consider suspending the agreement.”
The US-EU Safe Harbor program allows thousands of U.S. companies to transfer the personal data of EU citizens to the U.S. on the basis that those companies apply data processing conditions similar to those enshrined in the EU Data Protection Directive. Over 3,000 companies have now registered. In 2004, only 400 companies were registered.
Under the terms of the Safe Harbor program, third parties must still be notified when their personal information is collected and utilized. However, in light of the privacy revelations, EU officials have criticized the U.S. Federal Trade Commission (“FTC”), which is charged with enforcing the Safe Harbor Rules, for failing to provide adequate protection to EU citizens.
In November 2013, in part as a result of the disclosure of PRISM by the former National Security Agency contractor Edward Snowden, the European Commission issued a list of 13 recommendations to address the deficiencies in the Safe Harbor program. More specifically, these recommendations include:
- Self-certified companies should publicly disclose their privacy policies.
- Privacy policies of self-certified companies’ websites should always include a link to the U.S. Department of Commerce Safe Harbor website which lists all the ‘current’ members of the scheme.
- Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.
- Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.
- The privacy policies on companies’ websites should include a link to the alternative dispute resolution (“ADR”) provider and/or EU panel.
- ADR should be readily available and affordable.
- Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.
- Following the certification or recertification of companies under Safe Harbor, a certain percentage of these companies should be subject to ex officio investigations of effective compliance of their privacy policies (going beyond control of compliance with formal requirements).
- Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year.
- In case of doubts about a company's compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
- False claims of Safe Harbor adherence should continue to be investigated.
Access by U.S. authorities
- Privacy policies of self-certified companies should include information on the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor. In particular, companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.
- It is important that the national security exception foreseen by the Safe Harbor Decision is used only to an extent that is strictly necessary or proportionate.
All but the last of these have been addressed by the FTC. Ansip’s view appears to be that the national security exception should not be applied on a regular basis and that it must remain an exception. If an agreement with the U.S. Government cannot be reached, suspension of the Safe Harbor program should not be ruled out. Justice Commissioner Věra Jourová expressed a similar view.
A copy of the Communication from the EU Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU is available here.