Privacy and Security TidBits

U.S. – EU Safe Harbor Framework News and Views

In 2000, the EU and the U.S. agreed on the Safe Harbor Framework as a means to ensure adequate protection for personal data, transferred from the EU to be processed by U.S. companies.

At the recent EU Conference on Privacy and Protection of Personal Data, held in Washington DC,  the last panel took the opportunity for taking stock and discussing the way forward for this agreement. In this session, businesses and regulators presented their views and experiences with the U.S.-EU Safe Harbor Framework.

Francoise Le Bail, Director-General for Justice, European Commission, started by reassuring all stakeholders that the current reform in EU Data Protection Law would not put the Safe Harbor Framework at risk as one of accepted ways for adequate transfer of personal data between the EU and the US, as was mentioned in the Joint Statement issued by EC Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson.
“In line with the objectives of increasing trade and regulatory cooperation outlined by our leaders at the U.S.-EU Summit, the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework”.

The panelists considered the framework to be mostly a success story, with 3,000 US companies currently enrolled in the program, 50% of which are small and medium enterprises, but most agreed that the system could use some improvement.

David Smith of the British Data Protection Authority, the ICO, recounted the “absolutely awful” birth of the framework, the difficult young years and the current maturing into a working instrument for data protection interoperability between the US and the EU. “The mistrust is gone, as we believe the US is acting in good faith.” He did concede though, that a larger amount of audits would ensure better effective compliance by all companies.

Michelle O’Neill, of the Department of Commerce, added that in order to ensure better compliance, the supervising  departments needed more resources.

She announced that her department is currently discussing the expansion of the Safe Harbor Framework to non-profit organizations.

Hugh Stevenson, of the Federal Trade Commission, stressed the importance of enforcement and awareness raising in order to make compliance the norm, but deplored the lack of resources to achieve that goal. He appealed for more international enforcement cooperation as well.

Jan Philipp Albrecht, Member of the European Parliament, concurred that Safe Harbor was performing well but was in need of improvement on the compliance front. He suggested the granting of individual rights of action for consumers in order to ensure better compliance by the Safe Harbor certified companies. Currently, enforcement of Safe Harbor rests with the FTC, under section 5 of the FTC Act, which prohibits “unfair and deceptive trade practices”.

Nuala Kelly O’Connor, Senior Counsel – Information Governance & Privacy at General Electric, advocated for more global privacy interoperability, in addition to Safe Harbor, which is limited to the EU – US transfer of personal data.

For a complete overview of this panel, please watch this 4 Gigabyte HD video, which I taped and uploaded on my YouTube Channel EdiscoveryMap.

Moderator: Armgard von Reden, Lecturer at SRH and Quadriga University, Berlin
Participants, from left to right:
• Françoise Le Bail, Director-General for Justice, European Commission
• Michelle o’Neill, Deputy Under Secretary for International Trade,
US Department of Commerce
• Jan Philipp Albrecht, Member of the European Parliament
• David Smith, Deputy Information Commissioner, United Kingdom
• Hugh Stevenson, Deputy Director for International Consumer Protection, Federal Trade Commission
• Nuala O’Connor-Kelly, Senior Counsel – Information Governance & Privacy, General Electric