Viviane Reding, the European Commissioner for Justice, Fundamental Rights and Citizenship, gave a speech Wednesday that touched on a number of international data privacy issues, including the breakdown of data protection relations between the U.S. and European Union since the initial revelations over the NSA's PRISM program nearly nine months ago. Reding outlined three steps that should be taken to rebuild trust between the U.S. and EU, with the first being to remedy the EU's longstanding grievances over Safe Harbor.
"Let me put it simply: We kicked the tires and saw that repairs are needed. For Safe Harbor to be fully roadworthy, the U.S. will have to service it," Reding said. "This summer, we will see how well those repairs were carried out. Safe Harbor has to be strengthened or it will be suspended."
Originally established in 2000 by the European Commission and the U.S. Department of Commerce, the Safe Harbor agreement was meant to give U.S. companies a streamlined way to meet the requirements of the EU Data Protection Directive (95/46/EC) when handling personal data transferred from the EU. Complaints about the efficacy of the framework have emanated from inside the European Union for years, though, with little action taken.
The saber-rattling among EU politicians has increased in recent months, though, with Reding's comments coming directly on the heels of a European Parliament committee indicating that Safe Harbor may be suspended by the summer of 2014.
Understanding Safe Harbor, data privacy compliance
Safe Harbor is essentially a compromise under which the EU allows U.S.-based companies to import and manage European citizens' personal data. It came two years after the EU Data Protection Directive took effect in 1998; the directive prohibits transfers of personal data to countries outside the EU that do not ensure an adequate level of protection.
The suspension of the agreement would leave U.S.-based organizations to negotiate and manage contracts, known as standard contractual clauses (SCCs), with each individual organization with which they do business in the EU, likely making data privacy compliance a more time-consuming and expensive proposition for U.S. companies.
Francoise Gilbert, managing director of Calif.-based IT Law Group, said that numerous companies already choose to use SCCs instead of Safe Harbor. Germany, for example, does not recognize the Safe Harbor agreement, so organizations doing business with German companies must already utilize SCCs. Even many large, multinational firms opt for SCCs, Gilbert said, because the contracts are trusted and don't introduce the risk of being investigated by the U.S. Federal Trade Commission (FTC).
For the thousands of companies that do rely on Safe Harbor, though, transitioning to SCCs instead would present new layers of complexity.
"If you do business with 1,000 companies, you have to do 1,000 contracts. Safe Harbor is different because you post your compliance and then that is it; you're done," Gilbert said. "So it's more work; it's more cumbersome. U.S. companies would not like Safe Harbor to go away because it's very simple and usable."
The future of Safe Harbor
So do the EU's moves indicate that Safe Harbor is on the way out? It's unclear, though EU officials evidently would prefer it to stay, with some modifications.
To introduce more transparency into the Safe Harbor self-certification process, the commission called for self-certified companies to publish their privacy policies on their websites, including a link to the Department of Commerce Safe Harbor website, where current members are listed. The commission also requested that the Department of Commerce flag on its website any U.S. companies that are not currently fulfilling their obligations under the Safe Harbor agreement.
Further, the European Commission demanded that stricter enforcement measures be enacted by the Department of Commerce. A certain percentage of companies that have gone through the certification or recertification process should be subject to investigations, according to the commission's recommendations, as should any business that falsely represents itself as adhering to Safe Harbor principles.
Gilbert said the lack of enforcement around Safe Harbor has been a particular annoyance for many Europeans. She noted that the FTC did fine Google $22.5 million in 2012 for failing to comply with certain Safe Harbor stipulations, representing the largest penalty in U.S. history for a privacy violation, but such punishments are rare.
In its report, the European Commission noted that approximately 10% of the companies that claim Safe Harbor self-certification are not listed on the Department of Commerce website, a result of both false assertions and the Department of Commerce's inability to monitor companies that never went through the recertification process.
"The FTC slaps companies occasionally, but it's not like they are going after 200 companies a year," Gilbert said. "Europeans have complained for many years about the fact that the certifications that were posted on the U.S. Department of Commerce website were anything from inaccurate to deceptive to incomplete to inappropriate.
"The [Safe Harbor] tension has been percolating in the EU for a long time," Gilbert continued, "but this is not something that is surprising. We've known about this for a long time."
Despite the recent drum-beating from the EU, Gilbert cautioned that Safe Harbor discussions are only preliminary and said the agreement is unlikely to be suspended or revised in the near future. The proposed draft of the EU General Data Protection Regulation likely won't see a vote before May 2014, and until action is taken on that much larger data privacy legislation, Gilbert said any real movement on Safe Harbor is improbable.