Although U.S. media coverage of the Edward Snowden leaks regarding the National Security Agency’s PRISM program has waned in recent months, the issue remains a hot topic in the European Union (EU). Of particular interest to the EU is whether or not to extend its 14-year-old Safe Harbor Framework arrangement with the U.S., which permits the transfer of personal data from the EU to the U.S. If your company either has a presence in the EU or intends to have one there, this issue should be on your radar.
The EU has been at the forefront of providing legal protection for a wide range of personal data. EU Directive 95/46/EC (the “Data Protection Directive”), established nearly 20 years ago, ensures common standards of data privacy protection for personally identifiable data across EU member states. Under the Data Protection Directive, persons in France can take solace in knowing that companies in Spain or Italy are required to maintain the same general level of data privacy safeguards as are provided in France. More importantly, the Data Protection Directive (subject to a few exceptions) prohibits transferring personal data out of the EU to a non-member state unless the non-member state offers a level of data protection commensurate with that found in the EU. In what may come as a surprise to some, the EU does not consider the U.S. to offer a level of data privacy protection equivalent to that of the EU. Consequently, transfers of personal data from the EU to the U.S. are subject to a number of limitations.
Both the U.S. and EU have taken steps to address these transfer limitations. On July 21, 2000, the U.S. Commerce Department announced that it had negotiated a Safe Harbor Framework with the EU Commission. The Safe Harbor Framework applies to most U.S. companies receiving personal data from the EU (though companies that are not directly subject to FTC or Department of Transportation jurisdiction — such as banks, insurance companies and telecommunication carriers — cannot participate in the Safe Harbor Framework).
Under the Safe Harbor Framework, U.S. businesses may register with the U.S. Department of Commerce and self-certify compliance with a variety of data privacy practices. The Safe Harbor Framework also sets forth seven principles relating to data privacy protection. These principles require, among other things, that companies take reasonable precautions to protect data from misuse and unauthorized access, and that “an organization… inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, [and] the types of third parties to which it discloses the information[.]” Currently, more than 3,000 companies certify compliance with the principles, enabling those businesses to transfer personal data from the EU to the U.S. more easily and to transact business in the EU generally.
However, there is a growing perception in Europe that U.S. enforcement of data privacy laws has been lax. This has led some Europeans to criticize the Safe Harbor Framework, and some EU politicians have even suggested revoking it. In November 2013, the European Commission itself issued a critique of the Safe Harbor Framework and recommended changes in its operation. Specifically, the Commission criticized the perceived lack of transparency regarding the privacy policies of some Safe Harbor participants, the lack of active enforcement of the Safe Harbor Framework by the U.S. government, and the failure of some Safe Harbor self-certified companies to actually comply with the Principles. The Commission’s recommended improvements to the Safe Harbor Framework included:
- More active enforcement activity by U.S. authorities
- Safe Harbor participant companies making their privacy policies publicly available and providing links to such policies on the Commerce Department’s website
- Safe Harbor participants notifying the Commerce Department of any transfers of personal data to third parties
- Safe Harbor participants publicly disclosing their alternative dispute resolution provider that handles data security complaints, so that persons who have been harmed by violations of privacy policies and the Principles can quickly obtain a remedy
- Safe Harbor companies detailing the circumstances under which U.S. authorities may access EU personal data processed by that company
It remains to be seen whether the EU Commission’s recommendations will be met and a crisis averted. Although U.S. Attorney General Eric Holder and European Commission Chair Viviane Reding recently met to discuss the possibility of allowing EU citizens access to the U.S. legal system so that they may challenge potential privacy violations, there is no pending U.S. legislation addressing any of the Safe Harbor recommendations. Meanwhile, if the EU follows through on its threats to revoke or suspend the Safe Harbor Framework, transferring personal data from the EU to the U.S. may become significantly more difficult for many U.S. businesses.