News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | How (and Why) Safe Harbor Needs To Be Reformed Related reading: US House subcommittee kicks off draft American Privacy Rights Act consideration

rss_feed

""

There was once hope …

In the aftermath of World War II, many nations realized the importance of protecting universal human rights. Nazi Germany’s use of personal information to conduct the systematic eradication of an entire race united the world in a common cause. The use of national legislation and policies by the Axis Powers during the Second World War to suppress individual human and privacy rights was also a causal factor

On December 10, 1948, the UN General Assembly proclaimed the UN Universal Declaration of Human Rights, which advocated for the global and universal protection of human rights. The major European nations and the U.S. were among the 48 original signatories of the declaration. This momentous date should have marked the beginning of a long-term collaboration and partnership between Europe and the U.S. on global data and information privacy protection issues and topics.

However, it did not.

Despite current differences, we believe there is hope that the EU and the U.S. can identify opportunities to adopt a shared vision for global information privacy protections and rights.

Opportunities for convergence

The EU-U.S. Safe Harbor Agreement’s revision could serve as an opportunity for greater collaboration between both regions for the transfer of data and associated information-privacy issues. More importantly, it might allow European, U.S. and other international privacy advocacy organizations to serve as impartial “watchdogs” that ensure U.S. compliance with Safe Harbor.

Recently, the Center for Digital Democracy (CDD) and some members of the European Parliament called for the suspension of Safe Harbor in light of a U.S. Federal Trade Commission (FTC) investigation into whether some U.S. companies have not willfully complied with the agreement’s provisions.

The CDD is partnering with the Trans-Atlantic Consumer Dialog, a consortium of European consumer rights groups, in an effort to force the FTC to act more aggressively in enforcing Safe Harbor. And though we find it interesting to see a U.S. information privacy advocate (CDD) calling on the FTC to suspend Safe Harbor until it can be completely overhauled, we also find it encouraging and perhaps the beginning of a privacy advocacy community with a shared perspective on information privacy rights as a “human right.” This has been espoused by CDD Executive Director Jeff Chester, who said, “CDD favored the EU’s approach to privacy as a human right.” We encourage other U.S. privacy advocates to take similar public stances as it relates to U.S. companies’ compliance with Safe Harbor.

While the European Parliament has supported calls for Safe Harbor’s suspension in lieu of its revision, the European Commission has strongly opposed that recommendation, believing the community can work through the issues without a major overhaul.

The FTC should leverage the growing support for the revision to convince the European Commission to overhaul Safe Harbor to make it more effective and enforceable. This collaboration might also serve as a starting point for reaching a common perspective between the EU and the U.S. transborder data flows and information privacy protections.

Some critics of Safe Harbor have cited the following shortcomings as factors for why it has failed to achieve its desired objectives:

  1. A perceived lack of transparency regarding the privacy policies of some Safe Harbor participants;
  2. A lack of active enforcement of the Safe Harbor Framework by the U.S. government, and
  3. A failure of some Safe Harbor self-certified companies to actually comply with the principles

We believe the FTC’s current investigation of 30 U.S. firms for alleged violations of Safe Harbor’s provisions simply reinforces these stinging criticisms.

Is there still hope for Safe Harbor?

There is still hope for Safe Harbor; however, it will require a great deal of commitment by companies to comply, the FTC to enforce and compromises by both the U.S. and EU to reach consensus on a common understanding of its meaning and intent.

U.S. desire to reach an agreement with the EU on the Transatlantic Trade and Investment Partnership (TTIP) will serve as a major impetus for both entities to quickly resolve their differences regarding Safe Harbor. The TTIP’s success will depend heavily on the EU’s ability to transfer consumer data to the U.S.

Additionally, the European Commission and European consumer protection groups will be less likely to support this transfer of data without some evidence that U.S. companies will comply with the EU’s Data Protection Directive and other EU data protection legislation.

We recommend the Department of Commerce (DoC), the European Commission and the FTC establish an EU-U.S. Safe Harbor Agreement Reform Subcommittee in light of Safe Harbor’s potential negative impact on the TTIP. This subcommittee would initially focus its efforts on addressing the European Commission’s recommendations made in its November 2013 critique of Safe Harbor. The critique made several recommendations, which included the following recommended areas of improvements:

  1. More active enforcement activity by U.S. authorities;
  2. Safe Harbor participant companies make their privacy policies publicly available while providing links to such policies on the DoC’s website;
  3. Safe Harbor participants notify the DoC of any transfers of personal data to third parties;
  4. Safe Harbor participants publicly disclose to their alternative dispute resolution provider that handles data security complaints, so that persons who have been harmed by privacy policy violations and the principles can quickly obtain remedy, and
  5. Safe Harbor companies detail the circumstances under which U.S. authorities may access EU personal data processed by that company.

The three entities should strive to reach some consensus and compromise on which of the recommendations best address Safe Harbor’s current shortcomings.

Next, we strongly recommend the DoC and the FTC conduct their own assessment of Safe Harbor’s effectiveness in discouraging non-compliance.

It is time for Safe Harbor to transition from a voluntary, self-certification process to one of stringent enforcement coupled with hefty fines and penalties for noncompliance. The revised Safe Harbor agreement must dissuade disreputable and unethical U.S. businesses from violating Safe Harbor’s provisions by opting to do the “easy wrong over the hard right” of complying with it.

Authors
Headshot Christopher Stevens, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP IAPP Member Contributor
Headshot Stephen Holland Nonmember Contributor
Tags
Europe
U.S.
Privacy Law
Transborder Data Flow
1 Comment

If you want to comment on this post, you need to login.

  • comment David • Aug 28, 2014 
    In the spirit of transparency and self-certification why not address the trust issue by sharing the 3rd Party or self-assessment for compliance with Safe Harbor principles with the FTC and make it accessible to any EU or indedd non-EU DPA? How would that work in practice? I would suggest that we do not re-invent the wheel but use internationally recognised audit standards and qualified CPAs (no I am not an auditor!) which are already recognised for financial and service organisation controls. Why not leverage the work for privacy controls and integrate this into standard process and security audits which have to be done anyway thus minimising the additional burden of proof? AICPA (US) and CICA (Canada) set up Trust/Integrity and Privacy Task forces as part of its Assurance Services Executive Committe to assist CPAs in performing examinations under AT 101 Professional Standard. A virtually unnoticed Privacy section of the SOC 2 reporting on controls at a service organisation was published May 1 2011. It was subject of an IAPP Washington conference session in 2012 (?) and yet seems not to have had the recognition it deserves. Yes, SMEs will have additional work but if 3rd party SH assessors are CPA certified or IAPP were to endorse the standard with maybe a "lite" version based on risk (different types of PII have different associated risks) then this would not only provide EU assurance but extend the value globally for international cross-recognition. I don't understand why the EU DPAs or indeed FTC have not jumped on this! 

Now, this is not a simple solution as audits can and should have findings or recommendations - so the DPAs are going to have to show tolerance and understanding that there will be remediations to gaps in compliance - noone is perfect! Until this is conveyed under an official procedure then SH companies will be retisent to share their audits. This will not work if the DPAs fail to understand that enforcement is not just about gaps but what an organisation does to address those gaps.....it's what you do about it that counts. Otherwise you will get rubber stamping/check-box/fear-based approach that will do nothing to improve the practical and real enforcement of privacy.

Surely demonstrating that the processes and procedures have been established within a US company are more meaningful evidence of compliance and enforcement than the authors' proposals....

P.S AICPA is the American Institute of Certified Public Accountants and developed the Privacy Controls reporting with CICA which is the Candadian Institute of Chartered Accoutants
Related Stories
Corrected text of EU AI Act released
The corrigendum of the EU Artificial Intelligence Act has been released. The document corrects and clarifies language in the act and is required before it can fully come into effect. Editor's note: Explore the IAPP AI Governance Center and subscribe to the AI Governance Dashboard. Full story...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Privacy Law
Transborder Data Flow
Recent Comments