The fallout from the NSA revelations continue to make the national headlines. But the impact isn’t simply limited to the government’s use of data. Last week, the Chairman of the Article 29 Working Party wrote to the Vice-President of the European Commission to express “great concern” about PRISM and related intelligence programs, including how these programs impact companies’ compliance with the U.S.-E.U. Safe Harbor Program. While the Safe Harbor does have a carve out for national security, the Article 29 Working Party “has doubts whether the seemingly large-scale and structural surveillance of personal data that has now emerged can still be considered an exception strictly limited to the extent necessary.” The letter goes on to remind Member States that they have authority to suspend data flows where there is substantial likelihood that the Safe Harbor principles are being violated.
This is only the latest in a growing group of voices in the E.U. to question whether the Safe Harbor is working. Germany’s data protection commissioner, for example, blogged that the United States data protection framework is lacking and that Safe Harbor “cannot compensate for these deficits.” And just last month, Vivian Reding, Vice-President of the European Commission, called the Safe Harbor “a loophole” that “may not be so safe after all,” and has requested a full review of the program by year-end.
The Safe Harbor has been criticized in the past. For example, one 2008 report found that a number of companies were falsely claiming to be in the Safe Harbor when they in fact had allowed their certifications to lapse. However, in the years since it was last seriously assessed, there have been a number of positive developments. The FTC has stepped up its enforcement efforts and settled a number of cases for Safe Harbor violations. And, the number of companies to sign up to the Safe Harbor has grown.
We think that, in light of these concerns, it may be time to take an objective look at the Safe Harbor program. As the European Commission undertakes its review, we should examine the current protections the Safe Harbor offers, as well as the compliance and enforcement efforts undertaken by both the E.U. and the U.S. Let’s see what is working, and what isn’t. And, if there are ways to make the Safe Harbor better, we should step up to the plate and offer solutions.