News Archives

Saturday, October 31, 2015

Safe Harbor: Open for Business or the Walking Dead?

Leaving the Safe Harbor website open and accessible, the US Department of Commerce has pledged to “continue to administer the Safe Harbor program, including processing submissions for self-certification” (see my October 12 post).  Brian Hengesbaugh, a former DOC attorney who helped negotiate the Safe Harbor framework, defends this decision, stating that the program remains “fully functional and operational,” since the Schrems judgment did not “repeal or otherwise dismantle” it.

How does this claim that Safe Harbor is still “fully functional and operational” in today’s post-Schrems world, stand up to scrutiny?  No one will dispute the DOC’s statement, made on the Safe Harbor home page, that the framework was developed in order to bridge differences in approaches to the protection of privacy between the US and the European Union and provide a streamlined and cost-effective means for U.S. organizations to comply with the Directive.  

However, how many of the following statements, found on the U.S.-EU Safe Harbor Overview page, are true today?

  • “The U.S.-EU Safe Harbor Framework….is an important way for U.S. organizations to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities…”
  • “Self-certifying to the U.S.-EU Safe Harbor Framework will ensure that EU organizations know that your organization provides "adequate" privacy protection, as defined by the Directive.”
  • “Benefits for participating U.S. organizations include:

  • o   All 28 Member States of the European Union will be bound by the European Commission’s finding of “adequacy”;
    o   Participating organizations will be deemed to provide “adequate” privacy protection;
    o   Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted….and
    o   Compliance requirements are streamlined and cost-effective…”

    The answer is clear: although once true, all of these statements are false today, even though the DOC has declined to withdraw or modify them and they continue as the US government’s official definition and description of the program and its benefits.  If a program utterly fails to meet its main objectives, the raison d’etre for its existence, in what sense can it be said to be “fully functional and operational”?  Becky Richards and her colleagues at the DOC may continue going through the motions of reviewing and disposing of new self-certifications they receive, but pretending that this program, as we knew it, continues to be operational is a pure charade.

    At the same time, it would be a mistake to write off the DOC’s posture vis-à-vis Safe Harbor as merely delusional, because it is a charade with indefensible and harmful consequences.  Chief among these deleterious consequences are the following:

    1. Violating the privacy rights of data subjects by failing to provide adequate notice relating to safeguards for their data.  While data controllers bear the primary responsibility for providing notice to data subjects, the DOC has responsibility here as well as the developer of a program to protect the privacy of Europeans when their data is transferred to the US.  Millions of European consumers and employees have been informed, via privacy notices, policies and other means, that their personal data will be protected in the US under a framework approved by the European Commission.  Such data subjects, going to the DOC Safe Harbor website today, however, will at the most find on the home page a one-sentence, legalistic reference to the ruling of the CJEU and, in the News and Events section, statements of regret from the Secretary of Commerce and support for updating the Safe Harbor framework.  Meanwhile, 99% of the total text on the website remains unchanged and anyone clicking directly from a privacy policy or notice to an organizational listing will find no reference whatsoever to the CJEU ruling.  By stating that Safe Harbor will remain open for business and failing to state that data transfers can no longer be based upon Safe Harbor, the DOC is misleading data subjects.  This is an ironic, but also sad, development for a government that once contended that a robust notice-and-choice regime was superior to the comprehensive data protection approach of Europe.

    2. Complicity in ongoing violations of European data transfer requirements. Based upon available evidence, the DOC has failed to inform Safe Harbor organizations that the framework can no longer be used as a legal basis for data transfers.  Indeed, by stating that it will continue to administer the program and process self-certifications, the DOC is complicit with companies that either consciously choose to ignore European data transfer requirements or can plausibly claim that the DOC’s posture led them to believe that a de facto grace period permitted a business-as-usual response.  Where is the guidance to Safe Harbor companies on the legality of ongoing data transfers dependent upon the framework?  What responsible bridge development authority would tell drivers that although some court has found the center span of the bridge has fallen into the water, the bridge remains open and drivers may continue to pay their tolls and use it?

    3. Exposing many Safe Harbor organizations to DPA orders.  It is often overlooked that many organizations that joined Safe Harbor made a commitment to cooperate with, and abide by the advice of, DPAs, even including the open-ended possibility of being compelled to pay compensation to data subjects.  Such cooperation was mandatory if Safe Harbor covered transfers of HR data and voluntary with respect to other types of data.  By maintaining that Safe Harbor is an ongoing, operational program, the DOC has needlessly extended the otherwise expired authority of DPAs to order the deletion of data transferred under the framework, the payment of compensation to data subjects and whatever other measures are deemed appropriate.  Violation of such orders, which Safe Harbor requires be interpreted by European rather than US law, would be actionable by the FTC.  By contrast, had the DOC suspended the Safe Harbor program, these organizations could have treated the orders as having no authority and could continue to hold and use previously transferred data, avoiding FTC enforcement as long as they continue to apply the Safe Harbor Privacy Principles to their handling of the data.

    4.  Diminishing the chances of successfully achieving Safe Harbor 2.0.  Safe Harbor was built upon bi-lateral trust between the US and the EU, a trust gravely imperiled by Snowden’s revelations of NSA mass surveillance.  Trust is not restored by misleading European data subjects or by treating compliance by US companies with European data privacy requirements as a European problem. Trust is further eroded by downplaying the significance of a landmark ruling by Europe’s highest court and effectively saying “Here’s what we think of your court ruling:  we will carry on as usual.”  With dozens of independent European DPAs replacing the bureaucratic European Commission in the driver’s seat, such displays of unilateralism, which could easily be taken as arrogance, are profoundly misguided.  One would hope that the policy makers at the DOC, intent on building a new bridge with the EU, would pay attention to the message being sent to Europe by the Safe Harbor website.  

    1 comment:

    1. This is odd since I had posted text last night but only my name appears. Let's see if I can remember what I wrote. The ECJ, as you know, invalidated the European Commission's adequacy decision that gave legal effect to the Safe Harbor Framework. Thus, removing the legal basis upon which EU citizens' personal data is used for commercial purposes in the U.S. by Safe Harbor-certified entities. Safe Harbor only has value to the business community if it offers prospective members the ability to streamline their transatlantic data flows within the boundaries of the data protection directive's rules. Article 26 identifies that derogations that organizations may employ to comply with the directive's data protection provisions. That the Department of Commerce would continue Safe Harbor and not place a moratorium on the program pending the negotiations' outcome and continue misleading applicants whilst charging them the administrative fees that in the aggregate total more than a half million dollars annually is a bit unethical. And if the negotiations do not pass muster and remain outside the EU's data protection framework, what next? Safe Harbor ultimately exists because the adequacy finding of 2000 recognizes its ability to protect EU citizens. Now that the finding has been invalidated, renders Safe Harbor an administrative tool, which offers no credible value to its constituents. Safe Harbor was a bilateral agreement that was legally binding on the U.S. participants who self-certified to the program. Absent the other party, the EU and its DPAs, it is difficult to conceive of new members sharing the benefits of a streamlined data transfer mechanism. I was the director of the U.S.-EU Safe Harbor Framework from July 2006-October 2011 so I have some insight to the program and its history. Brian is wrong. Without the adequacy finding and member state acceptance, Safe Harbor has no legitimacy in the data protection space.