Safe Harbor under increased scrutiny

To help bridge the substantial differences in how user privacy is protected on the two sides of the Atlantic, the Safe Harbor was established to enable U.S. companies to lawfully transfer data without running afoul of EU data protection law. To make use of the Safe Harbor, companies voluntarily adhere to a set of principles, with oversight from the Federal Trade Commission (FTC), though to date enforcement of corporate policies and practices has been limited.

In the wake of the Snowden revelations and ongoing trade talks, European policy makers are (at last) seriously questioning how safe this Agreement really is.

While the deadline set by the European Commission to review the agreement is only weeks away, the U.S. Ambassador to the European Union said last week that the two parties haven’t reach an agreement quite yet. While there has been some positive movement to grant European users more remedies for privacy violations, a sea of unaddressed questions remain.

How unsafe is the Safe Harbor?

In the aftermath of the Snowden revelations, Justice Commissioner Viviane Reding stated that “the Safe Harbor agreement may not be so safe after all.” Referring to the impact of the NSA programs on the privacy of European citizens, Commissioner Reding expressed her concern that the Safe Harbor “could be a loophole for data transfers because it allows data transfers from EU to U.S. companies – although US data protection standards are lower than our European ones.”

Shortly after, Members of the European Parliament voted for the immediate suspension of the “Safe Harbor,” in its Inquiry Report on Electronic Mass Surveillance. The European Commission, which has the final say on this issue, instead decided to issue a list of 13 recommendations aimed at “making the Safe Harbor safer.”

However, while it is encouraging to see the Commission seeking better protection for European users, these recommendations do not comprehensively address the most problematic aspects of the agreement – such as its voluntary participation and lack of stringent enforcement of the rules.

Insufficient action

On the other side of the Atlantic, on Wednesday June 25, the Federal Trade Commission approved final orders that settle charges against 14 companies for falsely claiming to participate in the Safe Harbor. This is a major shift for the FTC, which has only taken enforcement actions against 10 other companies in total since the launch of Safe Harbor in 2000.

This action by the FTC is a clear indication that it wants to reassure its partners, mainly over the fact that the Safe Harbor enforcement will be monitored even though companies self-certify their participation in the agreement. But this sudden flexing of muscles could still be too weak to meet the rising challenge as the total number of false claims in 2013 was more than 400.

An additional challenge

Simultaneously, Safe Harbor is facing an additional challenge in a complaint brought by the Austrian campaign group Europe v Facebook, which is asking the Irish High Court if the company’s actions, particularly its participation in the NSA’s PRISM programme, are compatible with the EU Charter of Fundamental Rights (Facebook’s international headquarters are in Ireland).

During the examination of the case, the Irish Court stated that “the Snowden revelations may be thought to have exposed gaping holes in the contemporary U.S. data protection practice,” thereby questioning if the Safe Harbor Agreement is functioning as intended. The Irish High Court has referred this case to the Court of Justice of the EU (CJEU), which is expected to rule on this landmark case in the next 18 months; the case will then return to the Irish High Court for further adjudication.

Without the needed reforms, Safe Harbor is illegal under EU Law

While negotiations over Safe Harbor are ongoing, recent statements by U.S. officials do not inspire confidence that needed reforms will be adopted. In a recent interview, the U.S. Ambassador to the E.U. stated that an agreement on the recommendations of the Commission dealing with “national security exemption” has yet to be reached, and a few weeks before, a Commerce Department official claimed that even though the United States was open to making some changes to Safe Harbor, the Obama Administration was not willing to drastically overhaul the agreement. According to this official, the U.S. authorities would only be willing to implement some minor transparency improvements, adding that the requested reforms to improve redress and enforcement might be difficult to accomplish.

The proposed deadline for negotiations on the 13 recommendations is set for the end of this summer, however, given the difficulty and fragility of the Safe Harbor and data protection talks in general, delays can be expected.

Additionally, as the Commission has officially indicated how the Safe Harbor Agreement is not in line with European requirements to provide adequate protection of citizens’ privacy, the Commission cannot accept anything less than full compliance with the proposed reform measures. To do otherwise, would be to fail in its role as guardian of the Treaties and protector of EU citizens’ fundamental rights.

A symptom of the clashing views on data protection

The negotiations on Safe Harbor can be seen in a broader context of disagreements in the transatlantic dialogue on data protection. While Safe Harbor is certainly the most well known agreement, thanks to the Snowden revelations, there is growing public and institutional scrutiny on the vast array of data transfer agreements, including SWIFT (governing financial transactions) to Passenger Name Records. Many of these concerns have been addressed in the European Parliament’s Inquiry report, and we urge the new European Parliament to ensure the recommendations made in the adopted report are duly implemented. The Commission should be equally vigilant in ensuring that the proposed reforms to Safe Harbor are adequately implemented by the United States. Even then, significant privacy concerns for E.U. users will remain.

Stay tuned for more updates on the Safe Harbor Agreement and other privacy reforms!