Will the US-EU Safe Harbor Run Aground? | Practical Law

A discussion concerning data privacy, recent developments in EU data protection reform and the future of the US-EU Safe Harbor following public disclosure of the US National Security Agency's PRISM program in June 2013.

Will the US-EU Safe Harbor Run Aground?

Practical Law Legal Update 1-573-3845 (Approx. 6 pages)

by Practical Law Intellectual Property & Technology
Published on 08 Jul 2014
European Union, International
The US-EU Safe Harbor framework is an important cross-border data transfer mechanism that enables certified organizations to transfer personal data from the EU to the US in compliance with European data protection laws. However, the Safe Harbor's future has been cast into doubt by EU data protection reforms proposed, at least in part, in reaction to reports of the US National Security Agency's (NSA) mass surveillance of the communications of EU citizens and other individual customers of US telephone and internet service providers.

The Current US-EU Safe Harbor Framework

The EU Data Protection Directive (Directive 95/46/EC) generally prohibits organizations from transferring personal data from the EU to countries outside the European Economic Area (EEA) unless there is an adequate level of data protection (the adequacy requirement). Under Directive 95/46/EC, the adequacy requirement is met if the European Commission recognizes that the data recipient's country's laws provide an adequate level of data protection.
The European Commission does not recognize the US as meeting the adequacy requirement. However, a US entity can satisfy this requirement and lawfully receive the personal information of EU citizens (personal data) from organizations located in the EU if it complies with a set of privacy principles and Frequently Asked Questions (FAQs) developed by the US Department of Commerce and approved by Decision 2000/520/EC of the European Commission (the Safe Harbor Decision). The Safe Harbor Principles obligate US recipients of EU personal data transfers to fulfill requirements on both the substantive protection of personal data (the data integrity, security, choice and onward transfer principles) and the procedural rights of data subjects, the individuals whose data is being transferred (the notice, access and enforcement principles).
For more detail on these Safe Harbor requirements, see U.S.-EU Safe Harbor Overview.
Under the current Safe Harbor Principles, to be eligible to receive transfers of personal data from the EU, a US organization must:
  • Conform its relevant personal data practices to the Safe Harbor framework.
  • File a self-certification form with the Department of Commerce.
  • Publish a Safe Harbor privacy policy that states how the organization complies with the Safe Harbor.
  • Annually verify and recertify its Safe Harbor compliance.
The FTC is responsible for determining whether a US entity's failure to comply with the Safe Harbor certification requirements constitutes an unfair or deceptive act or practice under Section 5 of the Federal Trade Commission Act (FTC Act). To date, the FTC has brought some 23 enforcement actions asserting violations of Safe Harbor commitments by major organizations in a cross-section of industries, including Google (2011), Facebook (2011) and Myspace (2012) (see Legal Update, FTC Releases 2014 Privacy and Data Security Update and Communication from the Commission to the European Parliament and the Council, COM(2013) 847 (Nov. 27, 2013)).

Proposed Safe Harbor Reform

Despite the FTC's enforcement efforts, EU businesses and regulators continued to express concern about whether the Safe Harbor's self-certification procedure is adequate. As far back as January 25, 2012, the European Commission proposed a General Data Protection Regulation and Data Protection Directive that would:
  • Revise the current EU data protection framework by repealing and replacing the EU Data Protection Directive.
  • Impose more rigorous Safe Harbor adequacy requirements, oversight and enforcement for EU data transfers to the US.
EU concern with the adequacy of the Safe Harbor framework intensified after the June 2013 disclosure of PRISM, the US government surveillance program under which the NSA is reported to have secretly monitored the personal data of EU citizens whose data transfers to US online service providers were made possible by these providers' self-certified Safe Harbor compliance. Prodded largely by this discovery, the European Commission cited a host of alleged deficiencies in the Safe Harbor self-certification and enforcement procedures and recommended to the European Parliament and European Council Safe Harbor reforms consisting of the following 13 requirements:
  • Self-certified companies should publicly disclose their privacy policies on their websites in clear and conspicuous language.
  • The privacy policies of self-certified companies' websites should include a link to the Department of Commerce Safe Harbor website that lists all current Safe Harbor-compliant companies.
  • Self-certified companies should notify the Department of Commerce and publish the privacy conditions of any contracts they enter into with subcontractors.
  • The Department of Commerce should clearly flag on its website all companies that are no longer currently fulfilling Safe Harbor requirements and hold these companies to an obligation to continue to apply the Safe Harbor requirements for data that has been received under Safe Harbor.
  • Safe Harbor-compliant companies' websites should include a link in their privacy policies to either or both of the companies' chosen alternative dispute resolution (ADR) provider and EU panel to allow EU data subjects to contact this intermediary immediately in case of data privacy or security problems.
  • ADR should be made readily available and affordable to EU data subjects to resolve complaints under the Safe Harbor.
  • The Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of information they provide about their procedures and the follow-up they give to complaints (including the publication of findings of non-compliance as a mandatory sanction for non-compliance).
  • Following their certification or recertification under the Safe Harbor, a certain percentage of companies should be subject to regulatory investigation of the compliance of their privacy policies with Safe Harbor requirements.
  • Whenever a complaint or investigation results in a finding of Safe Harbor non-compliance, the non-compliant company should be subject to a follow-up investigation after one year.
  • The Department of Commerce should inform the competent EU data protection authority of any doubts or pending complaints about a company's compliance.
  • False claims of Safe Harbor adherence should continue to be investigated by the relevant US regulatory authorities.
  • Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor and, in particular, when the company applies exceptions to the Safe Harbor Principles to meet national security, public interest or law enforcement requirements.
  • A national security exception to the Safe Harbor requirements should be invoked only to an extent that is strictly necessary or proportionate to the protection of national security.

European Parliament Draft Legislative Resolutions

At its plenary session on March 12, 2014, the European Parliament adopted, as amended, two draft legislative resolutions on the data protection reform proposals set out by the European Commission in January 2012. In a sharply worded report accompanying these resolutions, the European Parliament:
  • Condemned the NSA's surveillance of the communications of EU citizens and the jurisdictional grounds on which this surveillance was purportedly based.
  • Pronounced that the EU-US Safe Harbor framework does not ensure an adequate level of protection for EU citizens.
  • Called for the immediate suspension of the European Commission Decision (2000/520/EC) declaring the adequacy of the Safe Harbor principles.
  • Noted that the major companies identified as being involved in the NSA's mass surveillance self-certified their adherence to the Safe Harbor principles, and recommended that EU member states therefore immediately suspend the transfer of data to US organizations that have self-certified their Safe Harbor compliance.
  • Called on the European Commission to present a comprehensive assessment of the US privacy framework covering commercial, law enforcement and intelligence activities and concrete recommendations based on the absence of a general data protection law in the US by December 2014.
  • Urged the European Commission to engage with the US administration to establish a legal framework providing for a high level of protection for individuals' personal data when transferred to the US and ensuring the equivalence of EU and US privacy frameworks.
  • Pressed for the EU and US to conclude an Umbrella Agreement guaranteeing the right of citizens to privacy and data protection and ensuring proper redress for EU citizens whose data is collected by US intelligence and law enforcement authorities.

State of Play

EU Legislation

The European Parliament resolutions proposing data privacy reform legislation have been passed on for consideration and potential revision by the European Council, which, as of this date, has not stated its position. However, there are significant differences between the views of the European Council and European Parliament that are expected to result in potential "trilogues" between these institutions and the European Commission. If the trilogues fail and the European Council adopts a common position that has not been pre-approved by the European Parliament's negotiators, the European Parliament can either reject all the changes proposed by the Council (in which case the proposed legislation will fail), or propose counter-amendments.
Any revised amendments must then be put to the European Commission which must, in its turn, deliver an opinion on the amendments to the European Council and Parliament. It is likely therefore that, by the time the European Parliament is ready to put revised amendments forward, a new Commission will be in place because the term of the current Commission expires in autumn of 2014.

US-EU Negotiations on Safe Harbor Reform

European Commission Vice-President Viviane Reding, the EU Commissioner who heads the directorate responsible for the proposed data privacy legislation, has reported that the US Department of Commerce has agreed to 12 of the 13 Safe Harbor reforms called for in the Communication from the Commission to the European Parliament and the Council, COM(2013) 847 (Nov. 27, 2013). The reported point of continued disagreement is on the European Commission's requirement that the US restrict its electronic data surveillance practices to surveillance that is necessary or proportionate to the protection of national security.

Likely Outcome

Despite the rhetoric, it seems unlikely that the current Safe Harbor will be suspended. The likely outcome is that:
  • US and EU negotiators will agree on the terms of a proposed revised Safe Harbor framework substantially in accord with the European Commission's November 2013 Communication (see Proposed Safe Harbor Reform).
  • The controlling EU authorities will successfully negotiate and adopt a modified data protection framework that incorporates a version of Safe Harbor that, in line with the November 2013 European Commission Communication, strengthens current data protection policies and prohibits organizations from complying with governmental orders to disclose personal information.