Giving bite to the EU-U.S. data privacy safe harbor: model solutions for effective enforcement.

Author: Leathers, Daniel R.

In 1998, the European Union (EU) and the United States (U.S.) set out on an ambitious project to develop a program by which U.S.-based companies could conform to the strict EU data privacy directive when transferring EU citizens' data. In effect, the program sought to reconcile EU and U.S. privacy laws when a U.S.-based company used or transferred EU citizens' data. After two years of negotiations, the U.S. and the EU finalized a program now commonly known as the EU-U.S. Safe Harbor.

Yet, since the Safe Harbor's inception, the program has been subject to heavy criticism from privacy advocates and an EU oversight committee. The heaviest criticism is levied against the Safe Harbor's inadequate internal and external enforcement mechanisms.

This Note proposes several improvements and modifications to the Safe Harbor's enforcement mechanisms, while acknowledging and addressing various U.S. law impediments.

  I. INTRODUCTION
  II. DIFFERING APPROACHES TO PRIVACY REGULATION AND ENFORCEMENT MECHANISMS
  III. GENESIS OF THE PROBLEM: EU-U.S. DATA PRIVACY SAFE HARBOR PROGRAM
    A. EU Data Transfers to Non-EU Nations
    B. The Safe Harbor
    C. Government Data Protection Enforcement Mechanisms
  IV. THE GOOGLE-DOUBLECLICK MERGER: A CASE STUDY IN THE EUROPEAN UNION'S DETERIORATING TRUST IN THE U.S. PRIVACY REGULATORY SCHEME
    A. Google's Significant Collected Data
    B. Initial European Union Concerns with Google's Data Retention Practices
    C. The Google-DoubleClick Merger
    D. Future EU Regulation of Google, Search Engines, and Behavioral Advertising
    E. Significance of European Union and Federal Trade Commission Differences
  V. SAFE HARBOR ENFORCEMENT LIMITATIONS AND PROPOSED SOLUTIONS
    A. Initial Registration Oversight by the U.S. Department of Commerce
    B. The Enforcement Principle
    C. Government Agency Enforcement through the Federal Trade Commission
  VI. CONCLUSION

  I. INTRODUCTION

    Privacy no longer can mean anonymity ... it should mean that government and businesses properly safeguard people's private communications and financial information.

    --Donald Kerr, Principal Deputy Director of U.S. National Intelligence (1)

    Every day, millions of people in the European Union access websites owned and operated in the United States. (2) They upload personal photos, log into bank accounts, make payments with credit cards, and input search inquiries. Massive amounts of data leave the control of consumers and, more importantly, the jurisdictional reach of the European Union.

    In 1998, the European Union (EU) and the United States (U.S.) set out on an ambitious project to develop a program by which U.S.-based multinational companies and data processors (Companies) could conform to the strict EU data privacy directive (Data Directive) when transferring EU member-state citizens' (EU Citizens) data. (3) In effect, the program sought to reconcile EU and U.S. privacy laws when a Company used EU Citizens' data within the U.S. or transferred EU Citizens' data to or from the U.S. After two years of negotiations, (4) the U.S. (5) and the EU (6) finalized the program in the Safe Harbor Agreement (Safe Harbor) in late July 2000.

    Yet, since the Safe Harbor's inception, the program has been subject to heavy criticism from privacy advocates (7) and an EU oversight committee. (8) The heaviest criticism is levied against the Safe Harbor's inadequate internal and external enforcement mechanisms. The Safe Harbor designates the Federal Trade Commission (FTC) as the primary external enforcement arm of the program, but as of 2004, the FTC had not prosecuted a single Company for violating the Safe Harbor's protection of EU Citizens' privacy rights. (9)

    The lack of enforcement has left citizens of EU member states, who ordinarily rely on enforcement by national privacy agencies, (10) to become their own police agents and report Safe Harbor violations on their own. (11) For example, a data breach at a Company could lead to thousands of stolen identities. Within the United States, data breach notification laws vary widely; (12) and worse, under the Safe Harbor, a Company has no requirement to notify affected EU Citizens. An EU Citizen's data could be lost or sold, and the end effects would be obvious to the EU Citizen, but it would be impossible to pinpoint the Company that was the source of the data breach. Without knowing which Company was victimized, an EU Citizen would be prevented from utilizing any of the Safe Harbor's enforcement protections. (13)

    Various U.S. failures to protect privacy, such as the Google-DoubleClick merger case study addressed in Part IV, have led to a deterioration of trust between EU and U.S. enforcement agencies. (14) The EU views the U.S. and Companies as failing to adhere to the intent of the Safe Harbor. (15) Nevertheless, it should be of little surprise to EU regulators that Companies and U.S. agencies do not take the Safe Harbor seriously. The Safe Harbor, which is self-regulatory in nature, fails to obligate enforcement and establishes oversight in U.S. agencies that are unaccountable to the citizens whose data flows they are supposed to protect. Together, the Safe Harbor's internal enforcement mechanisms and U.S. agency enforcement--through the FTC--fail to provide the guarantee of a complete investigation, which is what EU laws secure. In sum, the Safe Harbor is a poor attempt to reconcile the differences between U.S. and EU privacy regulatory efforts.

    This Note proposes several improvements and modifications to the Safe Harbor. These adjustments will better reconcile EU and U.S. privacy laws through effective Safe Harbor enforcement mechanisms, while acknowledging and addressing various U.S. law impediments. Therefore, this Note engages in a statutory analysis that seeks to strengthen the current law for the benefit of U.S. and EU citizens alike; however, this Note does not address the far-reaching implications of a "right to privacy." (16) Part II analyzes the differing approaches to privacy regulation between the U.S. and the EU and suggests that these differences are roadblocks to effective privacy regulation cooperation. Part III explains the details of the Safe Harbor program and its enforcement mechanisms. Part IV compares the level of regulatory scrutiny the U.S. and the EU applied to the Google-DoubleClick merger and suggests the differing approaches are evidence of the EU's deteriorating trust in the U.S. privacy self-regulatory scheme. Part V outlines criticisms of the Safe Harbor's limited enforcement mechanisms, recommends several solutions, and responds to potential criticisms.

  II. DIFFERING APPROACHES TO PRIVACY REGULATION AND ENFORCEMENT MECHANISMS

    U.S. regulation of governmental collection and use of personal data is confined to the limited categories enumerated in federal statutes. (17) U.S. regulation of private data collection is often called "sectoral" because only a few federal statutes regulate specific industries in limited circumstances. (18) This leaves vast, unregulated gaps in the protection of data collected by private parties in the U.S. (19) What Joel Reidenberg observed in 1995 remains true today:

    Despite the growth of the Information Society, the United States has resisted all calls for omnibus or comprehensive legal rules for fair information practice in the private sector. Legal rules have developed on an ad hoc, targeted basis, while industry has elaborated voluntary norms and practices for particular problems. Over the years, there has been an almost zealous adherence to this ideal of narrowly targeted standards. (20)

    The U.S. "sectoral" approach to privacy regulation, therefore, views statutes as a means to the end of privacy protection. For example, U.S. privacy legislation protecting medical and banking records is a means towards the end purpose of preventing possible abuse of the information.

    In contrast, in the EU, regulation of the use, transfer, and processing of private data about identifiable persons is covered in sweeping "omnibus" data statutes. (21) EU member states officially recognized the danger of private data collection as early as 1981. (22) More recently, in 1995, the EU enacted the Data Directive, (23) which regulates the exchange and transfer of any private data, including handwritten and oral communications. (24) In contrast to the U.S. "sectoral" approach to privacy, the EU "omnibus" approach to privacy regulation views privacy as an end in itself; the EU views privacy as a protected state of being that is representative of individual autonomy. (25)

    In the U.S., the vast majority of privacy regulation is enforced through private civil suits. (26) These suits must be initiated, researched, and litigated all at the expense of the plaintiff. Under the Data Directive, however, member state data protection authorities (Data Protection Authorities) have direct power to inspect private data processors and begin administrative proceedings against potential violators, which may result in fines or injunctions. (27) Therefore, under the Data Directive, individuals whose privacy may have been violated are not forced to bear a heavy monetary burden in order to pursue their cases. The Safe Harbor sought to reconcile these differences.

  III. GENESIS OF THE PROBLEM: EU-U.S. DATA PRIVACY SAFE HARBOR PROGRAM

    A. EU Data Transfers to Non-EU Nations

    The Data Directive specifically prohibits sending personal data to any country without a "level of data protection" considered "adequate" by EU standards. (28) The determination of adequacy of foreign data protection involves the weighing of several non-exclusive factors, including the nature of that data, the purpose for processing, the duration of processing, the destination country's laws on data privacy, and the security measures in place at the destination country. (29) Based on these factors, the EU has designated only three major non-EU countries' protections as adequate. (30) The EU has never viewed U.S...
