On Monday, a European Parliament Inquiry established to investigate the recent U.S. National Security Agency (NSA) surveillance revelations indicated that its final report would recommend suspension of the popular EU-U.S. Safe Harbor Framework.
The sixth hearing of the European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee Inquiry on Electronic Mass Surveillance of EU Citizens in Strasbourg, France focused on the impact of the NSA’s surveillance programs on cross-border transfers of personal data outside of Europe. Current EU law prohibits the transfer of personal data to the United States unless certain steps are taken to legitimize the transfer. One of these approved mechanisms is the Safe Harbor Framework, through which U.S. businesses commit to treat the personal data of EU residents in accordance with seven EU-style Safe Harbor privacy principles. If a company’s certification is inaccurate, it is subject to penalties enforced by the U.S. Federal Trade Commission (FTC) or Department of Transportation (DOT). Over 3,200 U.S. companies self-certify that they are in compliance with the Safe Harbor Framework.
In light of the NSA surveillance, however, all speakers at the Inquiry hearing agreed that the Safe Harbor no longer provides EU individuals with proper notice of protections surrounding the transfer of personal data, and therefore is no longer functioning properly. And highlighting the meeting was the statement of rapporteur Claude Moraes, tasked to draft the final Inquiry report, who announced at the end of the hearing that the report would recommend the suspension of the Safe Harbor Framework.
Other speakers at the hearing included:
- Christopher Connolly, a director of Galexia, an Australian internet law and privacy consulting company, and author of a scathing 2008 report on Safe Harbor
- Dr. Imke Sommer, Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen, Germany
- Peter Hustinx, the European Data Protection Supervisor
- Isabelle Falque-Pierrotin, president of the CNIL, the French data protection authority
The speakers’ preliminary comments revolved around the absence of the European Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding, who previously had made statements questioning the viability of Safe Harbor. After that discussion, the speakers discussed Safe Harbor.
Connolly most strongly denounced the current Safe Harbor Framework. Among other things, he criticized Safe Harbor for excluding certain industry sectors (certain financial institutions, telecommunication common carriers, labor associations, non-profit organizations, agricultural co-operatives, and meat processing facilities cannot be part of the Safe Harbor as they are not subject to the FTC’s or DOT’s jurisdiction), for companies letting their Safe Harbor certifications lapse and not warning their customers, and for an alleged lack of enforcement by the FTC and DOT.
Sommer and Hustinx were a little more positive about the Safe Harbor, and even though they noted deficiencies in the Framework, Hustinx commented that the FTC has already taken substantial steps to improve enforcement.
Falque-Pierrotin mainly focused on the impact that data transfers through the Safe Harbor mechanism or through Binding Corporate Rules (BCRs) could have on individuals. She critiqued that the Safe Harbor and BCRs are tools which are entirely conceived for the private sector and thus not adapted to government requests for data transfers. She then called for the implementation of a European or national “sovereign cloud” to reduce accessibility of personal data, finally suggesting that an international agreement be drafted in Europe so as to resist the “hegemony” of the United States.
Although the speakers continued the drumbeat for the repeal or modification of Safe Harbor, it would require greater, politically risky action by the Commission to completely de-legitimize the Framework. Still, if the LIBE Committee Inquiry’s report indeed recommends the suspension of Safe Harbor, there will be pressure on the United States to re-open Safe Harbor negotiations, possibly increasing the compliance obligations of Safe Harbor participants.
The speakers also called for the inclusion in the currently debated draft EU General Data Protection Regulation of a strong provision that would grant EU data protection authorities the power to allow or deny personal data transfers when requested by a foreign judiciary or administrative authority. This issue has come under increased scrutiny of late, with many in Europe arguing that personal data should not be transferred to the U.S. even in response to a legally binding court order or law enforcement request.
To watch the video of the LIBE Committee Inquiry hearing, click here.
The next Inquiry hearing is scheduled for next Monday, 14 October and will focus on the question of whether the reported mass surveillance activities would, if confirmed, be in violation of law, whether at international, Council of Europe, EU, or, or national level.