IAPP-GDPR Web Banners-300x250-FINAL

By Angelique Carson, CIPP/US

If there’s one thing that’s certain, it’s that Safe Harbor is under fire. But what that will mean for the future of the 15-year-old agreement differs wildly depending on whom you ask—and it seems to differ according to continent.

The U.S. Department of Commerce (DOC) says Safe Harbor is still viable, and the Federal Trade Commission (FTC) says it has rigorously enforced compliance with the data-transfer mechanism. But privacy regulators and politicians from European countries—Germany in particular—seem hell-bent on putting an end to the agreement and are calling the U.S.’s bluff everywhere but on paper. So far.

The EU-U.S. Safe Harbor Framework was established by the U.S. Department of Commerce and the European Commission in 2000 in order to bridge the gap between strict European regulations on data transfers. It allows the 4,000 U.S. companies that have self-certified to the DOC that their data transfer policies adhere to EU standards to transfer data from one jurisdiction to the other. But an increasingly popular belief in Europe seems to be that the FTC—which polices Safe Harbor—isn’t carrying a big enough nightstick.  

I believe Safe Harbor is still a viable mechanism. We vigorously enforce Safe Harbor, and it’s grown over the past 10 years or so. Many more companies are now a part of it than used to be.

- Federal Trade Commissioner Julie Brill

While controversy over Safe Harbor has been brewing for years, the U.S. National Security Agency PRISM revelations took things to a fever pitch. The winds have picked up and the politically charged sea is choppy. And now, a researcher—the same one who alleged in 2008 that six companies claiming they were certified under Safe Harbor were misrepresenting themselves—has brought forth a new complaint, FTC Commissioner Julie Brill confirmed to The Privacy Advisor.

“We received a list of some 400 companies that he claimed either were falsely purported to be members of Safe Harbor or were otherwise violating it,” Brill said. “We take that complaint—just like we take all complaints—very seriously, and we are taking appropriate actions with respect to that complaint.”

The 2008 allegations resulted in FTC enforcement action. The new charges are being investigated now.

Safe Harbor may be most open to criticism because “it’s self-certifying, and the perception in Europe is increasingly that for many U.S. companies this means that once you put your signature there, it’s as if there’s no consequences attached to it,” said Covington & Burling’s Henriette Tielemans from Brussels. “You should not say you are certified under Safe Harbor if you’re not, because that would be deceiving the consumer. But when you certify and then you don’t do what you said you would be doing, that doesn’t seem to be policed. That’s the idea that runs around. And so some regulators (in Europe) say, ‘We’re just not going to accept it anymore.’”

Christopher Kuner, senior of counsel at Wilson Sonsini Goodrich & Rosati in Brussels, agrees that the political rhetoric surrounding Safe Harbor has reached its peak. He says it started years ago with the 2009 findings that six companies had been deceptive, and things “got off to a bad start.”

But Snowden’s news took things to a whole new level.

“I can’t overstress the hostility toward it here,” Kuner said. “What does it mean, to say, ‘On the one hand, we protect our users’ data but, by the way, not with regard to this big issue of law-enforcement access?’”

Before the Snowden revelations, Kuner said, it was understood that government occasionally accessed data based on specific requests, but the whistleblower has made the widespread practice impossible to ignore.

“That’s been the biggest shock here,” he said. “Not that there is some access to data by law enforcement. But news reports have made it sound like it’s complete wholesale access at all times. A lot of these news reports are contradictory, and it’s not clear what they are based on. But it certainly has caused the temperature to rise.”

Adding momentum is the revision of the EU Data Protection Regulation and parliamentary elections next spring.

However, a source from the U.S. Department of Commerce told The Privacy Advisor a lot of the negative rhetoric surrounding Safe Harbor is generated from media reports that make for good headlines but that bilateral conversations with European counterparts are more positive. While there have been concerns over how to improve the program over the years, the spokesperson said, the DOC has subsequently made adjustments. Once, for example, the European Commission said it wanted Safe Harbor-compliant companies to post their policies not only on the Safe Harbor website but also on the companies’ own websites. In early 2013, it therefore became policy that companies do just that.

“I’m hopeful all the work we’ve done to enhance the program will become recognized,” the spokesperson said. “It remains a valid mechanism to transfer data. Folks in Europe recognize how important Safe Harbor is to transatlantic trade.”

“I believe Safe Harbor is still a viable mechanism,” said the FTC’s Brill. “We vigorously enforce Safe Harbor, and it’s grown over the past 10 years or so. Many more companies are now a part of it than used to be.”  

Asked whether she feels her counterparts in Europe are as optimistic about Safe Harbor as she is, Brill conceded that there is “concern” among European parliamentarians and members of the European Commission.

When you certify and then you don’t do what you said you would be doing, that doesn’t seem to be policed. That’s the idea that runs around. And so some regulators [in Europe] say, ‘We’re just not going to accept it anymore.’

- Covington and Burling Partner Henriette Tielemans

“But I believe there is also a desire to retain Safe Harbor and improve it,” Brill said. “I think both can be true—concern as well as desire to retain it. But we’re going to have to see how things work out over the next several weeks and months.”

Whatever the complaints, those centered on the FTC’s job as policeman are off-base, Brill said. 

“I don’t think the concerns should be around enforcement and our role,” she said. “I think enforcement has been strong and will continue to be strong whenever we receive complaints that appear to have merit. Do I think Safe Harbor is perfect? No, there is always room for improvement. But I think it’s an effective mechanism that ought to be retained.”

The DOC spokesperson echoed Brill’s optimism: “We’re still very much hopeful that Safe Harbor will continue to function going forward.”

Kuner isn’t quite as optimistic. For now, the future seems to hinge on the European Commission’s Safe Harbor report, due in December. A representative for the European Commission declined comment for this report, deferring until after the report's release. Kuner expects the report to be highly critical of the mechanism and for demands to be made. Further, he suspects European authorities are hoping to push companies in the direction of Binding Corporate Rules as a transfer mechanism rather than Safe Harbor. But law enforcement can access BCR data as well, meaning they “aren’t really safer than Safe Harbor,” Kuner said. “This is an issue for all kinds of data transfers, not just Safe Harbor. Safe Harbor is just the whipping boy.”

That being said, the forthcoming parliamentary elections mean it’s likely rhetoric will only continue to heat up. Adding to that is the fact that DOC General Counsel and then Interim Secretary Cam Kerry recently retired from the department. He was seen as very much a privacy champion. His replacement, Penny Pritzker, laid out her “strategic vision” for the Commerce Department in a recent speech. While the importance of a strong digital economy and smart use of Big Data was emphasized, “privacy,” “data protection” and “Safe Harbor” can’t be found within the 3,000-plus word speech. (Look for further coverage of Pritzker’s privacy plans.)

Should Safe Harbor be suspended, as the European Commission’s LIBE committee recently threatened, the effects would likely not be felt for a couple of years, as any new rules would take time to be implemented and likely allow for an implementation grace period, according to the DOC spokesperson.

Without Safe Harbor, as can be seen in this analysis for The Privacy Advisor, companies would face more time- and resource-consuming alternatives to data transfers that would require case-by-case review. In addition, enforcement would fall to European data protection authorities rather than U.S. agencies.

“I don’t think this will really go away, and there will be increased tension between the two sides,” Kuner said. “And of course, how this often plays out is that companies get caught in the middle.”

Until December’s report, companies are left to wonder whether it’s going to be smooth sailing from here on out or if the ports they’ve long relied on to transfer data overseas will soon be closed for business.


(Editor's Note: A panel including representatives from the Federal Trade Commission, Department of Commerce, European Commission and CNIL will speak about "Safe Harbour: Lessons Learned and Protocols" at the IAPP Data Protection Congress, Dec. 10-11, in Brussels.)

Read More by Angelique Carson:
What Would You Do?
Breach Roundup
Fordham Law Develops Privacy Curriculum for Middle Schoolers
LIBE Adopts Compromise Amendments; Sends Draft to Council


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»