Today the European Commission issued a broad-ranging warning to the U.S., calling on the country to “restore trust in EU-U.S. data flows.” The Commission’s report explains that the EU is free to revoke its participation in the EU-U.S. Safe Harbor Framework. EU data protection laws heavily restrict companies’ transfer of personal data from the EU to the U.S., allowing such transfers only if one of a limited set of conditions is satisfied. In many cases, the easiest way around these restrictions is for the U.S. company to join the Safe Harbor program, which requires the company to agree to comply with certain privacy principles that are based on EU data protection law. (Other options include obtaining individuals’ consent to the transfer, which can be impossible, or having the U.S. and EU companies sign certain types of contracts, which often must be filed with EU authorities, who can bog down the transfer with a regulatory approval process.)
The European Commission’s report complains about what it perceives as lax enforcement of the Safe Harbor by U.S. authorities (there have been very few publicly known Safe Harbor enforcement actions since the program’s inception in 2000, which is part of what makes it a popular option for U.S. companies). The Commission argues that unchecked noncompliance by a minority of participating U.S. companies gives them an unfair competitive advantage over compliant participating U.S. companies and over EU companies that are subject to more stringent regulation. The Commission also expresses concern over the U.S. government’s access to data that is transferred to the U.S. pursuant to Safe Harbor.
To address these and other concerns regarding the flows of data from the EU to the U.S., the Commission recommends a multi-pronged approach. The Commission demands that the U.S. take steps to address the 13 recommendations below by summer 2014, after which the Commission will conduct a broader review of the Safe Harbor program:
Transparency
1. Self-certified companies should publicly disclose their privacy policies.
2. The privacy policies on self-certified companies’ websites should include a link to the Department of Commerce Safe Harbor website, which lists all the “current” members of the scheme.
3. Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.
4. The Department of Commerce should clearly flag on its website all companies that are not current members of the scheme.
Redress
5. The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider they have selected for addressing European citizens’ Safe Harbor disputes with the companies.
6. ADR should be readily available and affordable.
7. The Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.
Enforcement
8. Following the certification or recertification of companies under Safe Harbor, a certain percentage of these companies should be subject to ex officio investigations of effective compliance with their privacy policies (going beyond monitoring of compliance with formal requirements).
9. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to a specific follow-up investigation after one year.
10. In case of doubts about a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
11. False claims of Safe Harbor adherence should continue to be investigated.
Access by US authorities
12. Privacy policies of self-certified companies should include information on the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor. In particular, companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements. The report gives as an example language from Nokia’s privacy policy: “We may be obligated by mandatory law to disclose your personal data to certain authorities or other third parties, for example, to law enforcement agencies in the countries where we or third parties acting on our behalf operate.”
13. The national security exception foreseen by the Safe Harbor Decision should be used only to an extent that is strictly necessary or proportionate.