Future of Privacy Forum Releases Report on the Effectiveness of the US-EU Safe Harbor Privacy Framework

For immediate release, December 11, 2013

Report Responds to EU Concerns, Finds the Safe Harbor Program Has Been Effective but Calls for Improvements to Strengthen Trans-Atlantic Privacy Protections

Washington, D.C. December 11, 2013 – The Future of Privacy Forum (FPF), a think tank that seeks to advance responsible data practices, released a report today detailing the effectiveness of the Safe Harbor agreement in protecting personal privacy.  It finds that the Safe Harbor largely has been successful in maintaining strong personal privacy protections for European citizens while allowing the free flow of data between the EU and US.  The report also cautions against the precipitous termination of the Safe Harbor, which has become a cornerstone of trans-Atlantic data transfers, and instead suggests a number of areas where the framework can be strengthened.

Christopher Wolf, Founder and Co-Chair of FPF, who is speaking in Brussels at privacy events this week, said: “This report shows that the Safe Harbor still is our best bet for protecting people’s data in a global economy.  By requiring companies to make commitments that can be enforced by the US Federal Trade Commission, EU citizens gain privacy protections in ways not possible without the Safe Harbor agreement.  We should continue to look for common-sense solutions to improve the agreement without upsetting the balance that has been the driver of the Safe Harbor’s success.”

Jules Polonetsky, Executive Director and Co-Chair of FPF said: “FPF has conducted an in-depth study of the Safe Harbor framework and its alternatives and the results are clear: the Safe Harbor framework is uniquely capable of harmonizing US and EU privacy concerns while encouraging trans-Atlantic data transfers.  Case studies, compliance interviews, and enforcement actions all show that the Safe Harbor is effectively enforced and that participants take heed of Safe Harbor responsibilities.  While improvements to the Safe Harbor can and should be made, our focus needs to remain on growing the program and covering more individuals and businesses with these privacy safeguards.”

To read the full report, click here.

An overview of key findings and recommendations found in the report is listed below.

Findings

  • Since its inception, the Safe Harbor has seen tremendous growth.  As of November 2013, over 4,000 companies have signed on to the Safe Harbor’s privacy requirements.
  • Companies spend considerable time monitoring and modifying their privacy practices to meet the requirements of the Safe Harbor agreement.
  • FPF research shows that the Safe Harbor is effectively enforced by the Federal Trade Commission (FTC) and third-party actors.  Despite a lack of complaints from European Data Protection Authorities, the FTC has used its power to investigate and bring actions against companies for misrepresenting their membership in the Safe Harbor, and against companies that have failed to comply with substantive Safe Harbor requirements.  Additionally, third-party dispute resolution providers such as TRUSTe and the Council of Better Business Bureaus handle complaints from EU citizens and are able to resolve many concerns without the need for legal action.
  • The consequences of the EU suspending the Safe Harbor would be extremely negative.
    • First, suspending the Safe Harbor’s protections would weaken personal privacy protections for EU citizens.  Under the Safe Harbor, the FTC has the capacity to enforce against US companies on behalf of EU citizens, simplifying complex jurisdictional issues.  The Safe Harbor program also results in stronger investigatory and monitoring powers for the FTC.
    • Second, alternatives to the Safe Harbor program as a mechanism of compliance with the EU Data Directive may not be feasible for all companies.  These alternative mechanisms, including express consent, model contracts, and binding corporate rules, are either too inflexible or too difficult to implement at scale for the wide variety of companies that rely on the Safe Harbor and provide less transparency for regulators about data flows.
    • Third, eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.  The global economy, and particularly the transatlantic economy, will continue to rely on international data transfers, and when US-based companies are presented with a valid legal order from the US government for information, companies will be compelled to provide access to that data regardless of their membership in the Safe Harbor.
    • Finally, restricting the ease of data flows between the EU and US could have an extremely harmful effect on the trans-Atlantic economy.

Recommendations

  • To encourage Safe Harbor membership, improved online tools should be developed to assist companies – particularly smaller ones – in determining whether they should self-certify to the Safe Harbor.  Additionally, more administrative resources should be allocated to the Department of Commerce for handling outreach and new member inquiries.
  • To improve compliance, a “Safe Harbor Master” should be appointed and housed in the Department of Commerce.  The Safe Harbor Master could help companies determine if it makes sense to join the Safe Harbor program given their actual data practices.   Once the company is a member, the Master could continue to monitor the company to make sure they are complying (e.g., reviewing policies to make sure they are accurate), issuing guidance to participants and, in cases of recalcitrance, referring targets to the FTC for enforcement.  The Master also could prepare annual reports for the EU and coordinate efforts between Department of Commerce and the FTC.
  • To bolster enforcement efforts, European Data Protection Authorities should do more to educate their citizens about the Safe Harbor program.  The amount and substance of information about the Safe Harbor varies widely among DPA websites.  For instance, in some cases, there is no reasonable way for an average EU citizen to find a basic complaint form.  Also, the Department of Commerce’s Safe Harbor website should be updated to better help individuals understand their rights.

 

With these reforms, as well as continued vigilance by regulators and compliance bodies, the Safe Harbor will become even more effective in safeguarding citizens’ commercial privacy rights.

For any questions, or to schedule an interview with Christopher Wolf or Jules Polonetsky, email: Media@FutureofPrivacy.org
