Analyzing the Effectiveness of the US-EU Safe Harbor

This morning, the Future of Privacy Forum (FPF) released our report on the effectiveness of the U.S.-EU Safe Harbor program.  Our analysis, which we first announced in August, responds to recent recommendations by the European Commission and suggests a number of areas where the framework can be further strengthened.

An overview of the key findings and recommendations in the report is listed below:

Findings

  • Since its inception, the Safe Harbor has seen tremendous growth.  As of November 2013, over 4,000 companies have signed on to the Safe Harbor’s privacy requirements.
  • Companies spend considerable time monitoring and modifying their privacy practices to meet the requirements of the Safe Harbor agreement.
  • FPF research shows that the Safe Harbor is effectively enforced by the Federal Trade Commission (FTC) and third-party actors.  Despite a lack of complaints from European Data Protection Authorities, the FTC has used its power to investigate and bring actions against companies for misrepresenting their membership in the Safe Harbor, and against companies that have failed to comply with substantive Safe Harbor requirements.  Additionally, third-party dispute resolution providers such as TRUSTe and the Council of Better Business Bureaus handle complaints from EU citizens and are able to resolve many concerns without the need for legal action.
  • The consequences of the EU suspending the Safe Harbor would be extremely negative:
    1. Suspending the Safe Harbor’s protections would weaken personal privacy protections for EU citizens.  Under the Safe Harbor, the FTC has the capacity to enforce against US companies on behalf of EU citizens, simplifying complex jurisdictional issues.  The Safe Harbor program also results in stronger investigatory and monitoring powers for the FTC.
    2. Alternatives to the Safe Harbor program as a mechanism of compliance with the EU Data Directive may not be feasible for all companies.  These alternative mechanisms, including express consent, model contracts, and binding corporate rules, are either too inflexible or too difficult to implement at scale for the wide variety of companies that rely on the Safe Harbor, and they provide less transparency for regulators about data flows.
    3. Eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.  The global economy, and particularly the transatlantic economy, will continue to rely on international data transfers, and when US-based companies are presented with a valid legal order from the US government for information, companies will be compelled to provide access to that data regardless of their membership in the Safe Harbor.
    4. Restricting the ease of data flows between the EU and US could have an extremely harmful effect on the trans-Atlantic economy.

Recommendations

  • To encourage Safe Harbor membership, improved online tools should be developed to assist companies – particularly smaller ones – in determining whether they should self-certify to the Safe Harbor.  Additionally, more administrative resources should be allocated to the Department of Commerce for handling outreach and new member inquiries.
  • To improve compliance, a “Safe Harbor Master” should be appointed and housed in the Department of Commerce.  The Safe Harbor Master could help companies determine if it makes sense to join the Safe Harbor program given their actual data practices.  Once a company is a member, the Master could continue to monitor it to make sure it is complying (e.g., reviewing policies to make sure they are accurate), issuing guidance to participants and, in cases of recalcitrance, referring targets to the FTC for enforcement.  The Master also could prepare annual reports for the EU and coordinate efforts between the Department of Commerce and the FTC.
  • To bolster enforcement efforts, European Data Protection Authorities should do more to educate their citizens about the Safe Harbor program.  The amount and substance of information about the Safe Harbor varies widely among DPA websites.  For instance, in some cases, there is no reasonable way for an average EU citizen to find a basic complaint form.  Also, the Department of Commerce’s Safe Harbor website should be updated to better help individuals understand their rights.

 

With these reforms, as well as continued vigilance by regulators and compliance bodies, the Safe Harbor will become even more effective in safeguarding citizens’ commercial privacy rights.  FPF hopes this report will help advance constructive dialog about the Safe Harbor framework moving forward.

The full report is available to read here.  
