Despite the bad rep Safe Harbor has been getting lately and the nail-biting that’s followed about its potential doom, the data transfer framework isn’t going anywhere—at least not for now. But its longevity isn’t because organizations and regulators in the EU are suddenly satisfied with the controversial self-certification program—quite the contrary; there’s a lot of mistrust about Safe Harbor-certified U.S. companies’ data protection promises. But the two governments say they’re engaged in healthy talks about U.S. efforts to make ongoing improvements to the framework, six months after the EU issued its fix-these-parts-of-Safe-Harbor-or-else warning to the U.S.
Despite the reported solidarity, the EU in general still strongly mistrusts the U.S. to keep its data safe, one expert says. And that reality, merited or not, is making it pretty difficult for self-certified Safe Harbor companies in the U.S. to win contracts with companies across the pond.
That was the message from regulators and experts during the IAPP’s web conference, “The Future of the U.S.-EU Safe Harbor Framework—Clear or Stormy Seas?” last week. The call brought together Emmanuelle Bartoli, chief privacy and security legal counsel at Atos in Paris; Caitlin Fennessy, CIPP/US, of the U.S. Department of Commerce (DOC), and Phil Lee, CIPP/E, CIPM, of Field Fisher Waterhouse.
Since the European Commission’s aforementioned report, which gave the U.S. until June to make 13 specific improvements to Safe Harbor, including that self-certified companies should disclose their data-sharing relationships with third parties, which might not be so safe; improvements to the dispute-resolution process, and a limit to when the mechanism’s “national security exception” can trump the privacy rules.
Bartoli said that particular provision is dangerous, because it puts the onus on companies themselves to decide whether each government request should fall under the exception. Does the security risk merit the disclosure? What kind of scale is used to measure that risk?
The European Commission said it plans to revisit the situation in June to evaluate how good the U.S. has made on its word that it is committed to seeing the mechanism’s success through and is taking the commission’s suggestions “very seriously,” which is exactly how Fennessy describes how the DOC as taking them. After all, there are more than 3,500 companies that have self-certified since its operationalization in 2000, and their data transfers depend on its continuation.
Fennessy said the DOC’s approach has been aggressive.
“We tried to look at each recommendation to say, what is the most we can do to approach this recommendation and the underlying concern,” she said, “and how can we go beyond to strengthen the program as a whole and ensure it continues to helps stakeholders in the long term.”
Since the 13 recommendations were published, the Federal Trade Commission (FTC) has been busy. It’s reached settlements with more than a dozen companies over Safe Harbor charges, many of those charges being that companies hadn’t kept up on their yearly requirement to recertify but still claimed to be Safe Harbor compliant.
Despite the seemingly friendly collaboration between EU officials and the DOC, which administers Safe Harbor and negotiated its initial terms with the European Commission, Bartoli said during that on a business level, the trust in U.S. companies claiming certification just isn’t there.
“The market in Europe for transfer from Europe to the U.S. is very tough,” Bartoli said. “It’s very tough because the customers are always questioning the security … Self certification in Europe is not something people trust.”
She added that in Germany now, “it’s very difficult to have a data transfer on the basis of Safe Harbor.”
In fact, the office of the data protection authority has said it’s not accepting Safe Harbor applications at this time. Just not doing it.
The only way to beat that, Bartoli said, is for U.S. companies to demonstrate they’re correcting their compliance missteps and for the FTC to improve the enforcement.
Lee agreed with Bartoli that the situation in Europe is grim.
“If you’re trying to transfer data from the EU, you’re stuck between a rock and a hard place,” he said.
However, Safe Harbor has been the low-hanging fruit as of late and a “little unfairly singled out,” he said.
“Of all the data-export solutions, the most enforcement has happened around Safe Harbor,” he said. “There’s been no enforcement of model clauses breaches, no enforcement of binding corporate rules breaches. So, actually, in many senses, Safe Harbor is the most robustly enforced.”
Where the onus lies now, Lee said, is on organizations with third-party vendors. Companies with such relationships would be wise to check in on those contracts now, he said. How does the vendor do data protection? Is it compliant with Safe Harbor, too? Because if you’re sharing data with it, it’d better be.
Lee described a conversation he had recently with a German company being wooed by a U.S. vendor. Lee, aiming to facilitate a deal, tried to convince the German company that the U.S. vendor had done its due diligence and Safe Harbor was the best legal solution of all the options at the time.
“They said, ‘that may be the case, but it’s not safe,’” Lee recalls. “When I ended the conversation with them, they said, we recognize everything you’re saying, but we just don’t like it at the end of the day. It really showed that a lot of the push-back is being driven by the emotional perception rather than on the logic of whether those claiming to be self-certified are meeting the standards required.”
In a lot of ways, though the two aren’t directly related, the skepticism over Safe Harbor can be attributed to the NSA revelations, which only fueled rumbles on U.S. companies’ data protection capabilities to begin with.
Lee has also found that the many of his clients are now looking for contingency plans.
He described their mindset as being, “If Safe Harbor goes south, or our customers refuse to accept Safe Harbor, we need an alternative.”
But Fennessy, as she has remained since the report was published in November, is optimistic that the right people are talking about the right things, and the mechanism will increasingly thrive.
“Our consults with the European Commission have been very positive,” she said.
If you'd like to hear more, "The Future of the U.S. - EU Safe Harbor Framework - Clear or Stormy Seas?" is now available on-demand in the IAPP Store.
If you want to comment on this post, you need to login.