On November 27, the European Commission released a strategy memo on rebuilding trust in the mechanisms allowing data to flow from the European Union (“EU”) to the United States. The Commission recognizes that EU-U.S. data flows are essential to the strategic and economic partnerships between the two markets. However, revelations about U.S. surveillance programs have, according to the Commission, caused EU Member States and citizens to believe that the current data transfer mechanisms do not provide adequate protections for personal data. To address those concerns and rebuild trust in transatlantic data flows, the Commission recommends six initiatives, including specific recommendations for reforming the U.S. privacy framework.
The six initiatives are:
- The European Parliament, Council, and Commission should work to adopt the Commission’s proposed data protection reform package in a timely manner. Specifically, the Commission would like to see EU negotiations on the reform package conclude by spring 2014.
- The EU-U.S. Safe Harbor framework, which facilitates commercial transfers of personal data from the EU to the United States, should be reformed to address what the Commission believes are shortcomings in Safe Harbor’s transparency and enforcement provisions.
- The data protection safeguards built into EU-U.S. law enforcement agreements should be strengthened.
- The United States should use existing Mutual Legal Assistance agreements to obtain data needed for criminal investigations.
- As the United States works to reform its surveillance laws, the safeguards available to U.S. citizens and residents should be extended to EU citizens living outside the United States.
- EU rules for protecting personal data should be promoted internationally. In particular, the Commission calls on the United States to adopt comprehensive privacy legislation and accede to the Council of Europe’s Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (“Convention 108”). Convention 108 recognizes the individual right to privacy as fundamental and provides the underlying framework for the EU’s current Data Protection Directive.
In the remainder of this post, we look at what the Commission said about the EU’s proposed data protection regulation, the EU-U.S. Safe Harbor Framework, and reforming the U.S. privacy framework.
Adoption of the Data Protection Regulation
According to the Commission, the EU must adopt data protection reform soon to address fears of U.S. surveillance. The proposed regulation would explicitly extend application of EU data protection laws to all companies that offer goods and services to European consumers or monitor the behavior of European consumers. The geographical establishment of a company and its processing facilities would no longer determine whether EU data protection laws apply. The availability of substantial sanctions for violations of the regulation would foster compliance with EU data protection laws. The proposed regulation would provide clear rules and obligations for cloud service providers. Cloud providers would not be able to disclaim responsibility for transferring data to foreign authorities based on the theory that they are not the owners (or “controllers”) of the data.
Strengthening Safe Harbor
The EU-U.S. Safe Harbor framework is based on the commitments and self-certifications of participating companies. In 2000, the Commission adopted the Safe Harbor framework, believing that companies binding themselves to Safe Harbor commitments would provide adequate protections for the personal data of Europeans. In its strategy memo, the Commission notes that it has the authority to suspend or limit the scope of Safe Harbor if it determines that the framework no longer provides adequate protections. After examining the Safe Harbor framework in light of the recent revelations regarding U.S. surveillance practices, the Commission believes that the framework has several shortcomings.
The Commission notes that up to 10% of Safe-Harbor-certified companies may not be living up to the requirement to post compliant privacy policies on their public websites. The Commission also points to statistics suggesting that 10% of companies claiming membership in Safe Harbor are not listed as current members on the official Safe Harbor list maintained by the U.S. Department of Commerce. The Department of Commerce’s reviews of Safe Harbor renewals, the Commission claims, tend to focus on the evaluation of formal requirements rather than investigations of actual practices. And the Commission believes that the Federal Trade Commission needs to take a more proactive role in investigating whether companies are living up to their Safe Harbor commitments.
To address its concerns, the Commission proposes 13 reforms for the Safe Harbor framework.
- Safe Harbor participants should publicly disclose their privacy policies.
- Those policies should always include links to the Department of Commerce’s Safe Harbor list of current members.
- Safe Harbor companies should publish the privacy conditions of all contracts with subcontractors.
- The Department of Commerce should maintain a list of companies that do not renew their Safe Harbor certification. This, the Commission believes, will address some concerns of false claims about Safe Harbor membership.
- Safe Harbor privacy policies should include links to dispute resolution bodies.
- Alternative dispute resolution mechanisms addressing Safe Harbor disputes should be affordable and readily available.
- The Department of Commerce should monitor the transparency and effectiveness of alternative dispute resolution bodies.
- A certain percentage of Safe-Harbor-certified companies should be subject to official compliance reviews every year.
- Safe Harbor participants found to not be in compliance should be reinvestigated the following year.
- The Department of Commerce should notify appropriate EU data protection authorities when there are concerns about a company’s compliance with Safe Harbor.
- False claims of Safe Harbor participation should continue to be investigated.
- The privacy policies of Safe Harbor participants should include disclosures about the extent to which U.S. law allows public authorities to access personal data.
- Safe Harbor’s national security exception should allow disclosures of personal data only as strictly necessary and proportionate to address national security concerns.
The Commission intends to discuss the alleged Safe Harbor shortcomings with U.S. authorities. The plan is to identify remedies by next summer and implement them as soon as possible. Once the remedies are in place, the Commission will conduct a comprehensive review of Safe Harbor. That review will involve open consultation with the EU Parliament and Council and discussions with U.S. authorities.
Reforming the U.S. Privacy Framework
The Commission declares that when the EU has adopted the proposed data protection regulation, it will expect the United States to also adopt a coherent and comprehensive set of data protection rules. Interoperability and self-regulation, the Commission states, are not enough. The current U.S. framework, in the Commission’s eyes, is “a maze of State laws offering varying degrees of security and certainty.” The Commission notes that the Obama Administration announced in 2012 that it would work with Congress to produce a Consumer Privacy Bill of Rights.
As it relates to national security and intelligence agencies’ access to information, the Commission memo recommends greater oversight and transparency for U.S. surveillance programs, and advocates for the safeguards available to U.S. citizens and residents to also be available to EU citizens.