Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) The European Commission, which has the authority to make changes to the US Safe Harbor program, has published a paper titled “Rebuilding Trust in EU-US Data Flows” that sets out the changes that the Commission would like to see the US adopt. While it would be a bit premature to start revising your company’s privacy policy and preparing for surprise audits by the US government, the paper sends some strong signals as to what to expect in perhaps a year’s time.
As most readers will know, the US Safe Harbor program is a voluntary program under which US companies agree to assume various legal obligations, and in turn are permitted by EU data protection laws to receive the personal data of EU residents.
The Commission’s recommendations are obviously in response to the revelations concerning the US’s intelligence activities involving the collection, via US internet services providers and others, of vast quantities of data transmitted by, or concerning, EU residents. The Commission cannot comment, of course, on the intelligence activities of its own member states, since, as the Commission notes, “whilst the EU can take action in areas of EU competence, in particular to safeguard the application of EU law, national security remains the sole responsibility of each Member State.” This means that the Commission’s interests in restricting surveillance of the online activities of EU residents may not be entirely congruent with the interests of its member states, which will need to take into account their own intelligence activities and intelligence sharing arrangements as well as their concerns for the privacy of their citizens. That said, the Commission does not appear at all reluctant to recommend changes to US intelligence programs and the powers of the Foreign Intelligence Surveillance Court.
The other key context for the recommendations is the ongoing trade talks between the US and EU, known as the Transatlantic Trade and Investment Partnership (T-TIP). The Commission pointedly states in today’s communication that the EU views T-TIP and data protection laws (including Safe Harbor) as separate matters, and that the T-TIP negotiations will not affect its views on Safe Harbor: “For this reason, data protection standards will not be negotiated within the Transatlantic Trade and Investment Partnership, which will fully respect the data protection rules.” That seems rather a brave statement at this stage of the T-TIP negotiations (which are not due to be concluded until sometime in 2014). It remains to be seen whether the Commission will be successful in completely separating the two issues, given the fundamental commercial value of personal data.
But let’s assume for now that neither EU national security interests nor the T-TIP talks will have any influence on the discussion about Safe Harbor. What is the Commission proposing? Broadly, the following:
- a broad review of the functioning of Safe Harbor
- improving the US government’s supervision and monitoring of compliance of Safe Harbor participants
- ensuring that the national security exception that is currently available under Safe Harbour is used only “to an extent that is strictly necessary and proportionate”
- EU citizens must receive the same level of protection (due process and judicial redress) as US citizens in intelligence-gathering operations
- The US government should commit that “personal data held by private entities in the EU will not be accessed directly by US law enforcement agencies outside of formal channels of co-operation, such as Mutual Legal Assistance agreements and sectoral EU-US . . . authorising such transfers under strict conditions, except in clearly defined, exceptional and judicially reviewable situations.”
- US intelligence collection programs should be “improved by strengthening the role of the Foreign Intelligence Surveillance Court and by introducing remedies for individuals.”
The Commission also provided a summary of 13 specific recommendations in a separate press release today. The following selections from these 13 requirements are slightly paraphrased – see the EC’s memo for the full recommendations.
- Requiring the Safe Harbor website to list all companies that are NOT current member of Safe Harbor (which would be in the hundreds of thousands, if not more, as there are only some 3,000 plus participants today)
- Privacy policies on companies’ websites should include a link to an alternative dispute resolution (ADR) provider
- The Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints
- The US government should conduct proactive compliance investigations (not contingent on complaints or any signs of non-compliance)
- Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour
- Companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements
The Commission’s Communication and related press releases should have the positive effect of making the discussion around Safe Harbor more specific in light of the Commission’s concrete suggestions. Meanwhile, the larger context of sweepingly ambitious trade treaty negotiations, citizens’ reactions (on both sides of the Atlantic) to government surveillance programs (and not just by the USA), and national interests in intelligence-gathering and counterterrorism may make it difficult to negotiate the changes to Safe Harbor in isolation. But that’s not really a bad thing. Data protection laws don’t exist in a vacuum, after all.