
Privacy Perspectives | How (and Why) Safe Harbor Needs To Be Reformed


There was once hope …

In the aftermath of World War II, many nations realized the importance of protecting universal human rights. Nazi Germany’s use of personal information to conduct the systematic eradication of an entire race united the world in a common cause. The Axis Powers’ use of national legislation and policies during the Second World War to suppress individual human and privacy rights was also a causal factor.

On December 10, 1948, the UN General Assembly proclaimed the UN Universal Declaration of Human Rights, which advocated for the global and universal protection of human rights. The major European nations and the U.S. were among the 48 original signatories of the declaration. This momentous date should have marked the beginning of a long-term collaboration and partnership between Europe and the U.S. on global data and information privacy protection issues and topics.

However, it did not.

Despite current differences, we believe there is hope that the EU and the U.S. can identify opportunities to adopt a shared vision for global information privacy protections and rights.

Opportunities for convergence

The EU-U.S. Safe Harbor Agreement’s revision could serve as an opportunity for greater collaboration between both regions for the transfer of data and associated information-privacy issues. More importantly, it might allow European, U.S. and other international privacy advocacy organizations to serve as impartial “watchdogs” that ensure U.S. compliance with Safe Harbor.

Recently, the Center for Digital Democracy (CDD) and some members of the European Parliament called for the suspension of Safe Harbor in light of a U.S. Federal Trade Commission (FTC) investigation into whether some U.S. companies have willfully failed to comply with the agreement’s provisions.

The CDD is partnering with the Trans Atlantic Consumer Dialogue, a consortium of European consumer rights groups, in an effort to force the FTC to act more aggressively in enforcing Safe Harbor. And though we find it interesting to see a U.S. information privacy advocate (CDD) calling on the FTC to suspend Safe Harbor until it can be completely overhauled, we also find it encouraging and perhaps the beginning of a privacy advocacy community with a shared perspective on information privacy rights as a “human right.” This view has been espoused by CDD Executive Director Jeff Chester, who said, “CDD favored the EU’s approach to privacy as a human right.” We encourage other U.S. privacy advocates to take similar public stances regarding U.S. companies’ compliance with Safe Harbor.

While the European Parliament has supported calls for Safe Harbor’s suspension pending its revision, the European Commission has strongly opposed that recommendation, believing the community can work through the issues without a major overhaul.

The FTC should leverage the growing support for the revision to convince the European Commission to overhaul Safe Harbor to make it more effective and enforceable. This collaboration might also serve as a starting point for reaching a common EU-U.S. perspective on transborder data flows and information privacy protections.

Some critics of Safe Harbor have cited the following shortcomings as factors for why it has failed to achieve its desired objectives:

  1. A perceived lack of transparency regarding the privacy policies of some Safe Harbor participants;
  2. A lack of active enforcement of the Safe Harbor Framework by the U.S. government, and
  3. A failure of some Safe Harbor self-certified companies to actually comply with the principles

We believe the FTC’s current investigation of 30 U.S. firms for alleged violations of Safe Harbor’s provisions simply reinforces these stinging criticisms.

Is there still hope for Safe Harbor?

There is still hope for Safe Harbor; however, it will require a great deal of commitment: by companies to comply, by the FTC to enforce, and by both the U.S. and the EU to compromise and reach consensus on a common understanding of its meaning and intent.

U.S. desire to reach an agreement with the EU on the Transatlantic Trade and Investment Partnership (TTIP) will serve as a major impetus for both entities to quickly resolve their differences regarding Safe Harbor. The TTIP’s success will depend heavily on the EU’s ability to transfer consumer data to the U.S.

Additionally, the European Commission and European consumer protection groups will be less likely to support this transfer of data without some evidence that U.S. companies will comply with the EU’s Data Protection Directive and other EU data protection legislation.

We recommend the Department of Commerce (DoC), the European Commission and the FTC establish an EU-U.S. Safe Harbor Agreement Reform Subcommittee in light of Safe Harbor’s potential negative impact on the TTIP. This subcommittee would initially focus its efforts on addressing the European Commission’s recommendations made in its November 2013 critique of Safe Harbor, which identified the following areas for improvement:

  1. More active enforcement activity by U.S. authorities;
  2. Safe Harbor participant companies make their privacy policies publicly available while providing links to such policies on the DoC’s website;
  3. Safe Harbor participants notify the DoC of any transfers of personal data to third parties;
  4. Safe Harbor participants publicly disclose the alternative dispute resolution provider that handles their privacy complaints, so that persons harmed by violations of a privacy policy or of the principles can quickly obtain a remedy, and
  5. Safe Harbor companies detail the circumstances under which U.S. authorities may access EU personal data processed by that company.

The three entities should strive to reach some consensus and compromise on which of the recommendations best address Safe Harbor’s current shortcomings.

Next, we strongly recommend the DoC and the FTC conduct their own assessment of Safe Harbor’s effectiveness in discouraging non-compliance.

It is time for Safe Harbor to transition from a voluntary, self-certification process to one of stringent enforcement coupled with hefty fines and penalties for noncompliance. The revised Safe Harbor agreement must dissuade disreputable and unethical U.S. businesses from violating Safe Harbor’s provisions by opting to do the “easy wrong over the hard right” of complying with it.

1 Comment


  • comment David • Aug 28, 2014
    In the spirit of transparency and self-certification why not address the trust issue by sharing the 3rd Party or self-assessment for compliance with Safe Harbor principles with the FTC and make it accessible to any EU or indedd non-EU DPA? How would that work in practice? I would suggest that we do not re-invent the wheel but use internationally recognised audit standards and qualified CPAs (no I am not an auditor!) which are already recognised for financial and service organisation controls. Why not leverage the work for privacy controls and integrate this into standard process and security audits which have to be done anyway thus minimising the additional burden of proof? AICPA (US) and CICA (Canada) set up Trust/Integrity and Privacy Task forces as part of its Assurance Services Executive Committe to assist CPAs in performing examinations under AT 101 Professional Standard. A virtually unnoticed Privacy section of the SOC 2 reporting on controls at a service organisation was published May 1 2011. It was subject of an IAPP Washington conference session in 2012 (?) and yet seems not to have had the recognition it deserves. Yes, SMEs will have additional work but if 3rd party SH assessors are CPA certified or IAPP were to endorse the standard with maybe a "lite" version based on risk (different types of PII have different associated risks) then this would not only provide EU assurance but extend the value globally for international cross-recognition. I don't understand why the EU DPAs or indeed FTC have not jumped on this! 
    Now, this is not a simple solution as audits can and should have findings or recommendations - so the DPAs are going to have to show tolerance and understanding that there will be remediations to gaps in compliance - noone is perfect! Until this is conveyed under an official procedure then SH companies will be retisent to share their audits. This will not work if the DPAs fail to understand that enforcement is not just about gaps but what an organisation does to address those's what you do about it that counts. Otherwise you will get rubber stamping/check-box/fear-based approach that will do nothing to improve the practical and real enforcement of privacy.
    Surely demonstrating that the processes and procedures have been established within a US company are more meaningful evidence of compliance and enforcement than the authors' proposals....
    P.S AICPA is the American Institute of Certified Public Accountants and developed the Privacy Controls reporting with CICA which is the Candadian Institute of Chartered Accoutants