The US-EU Safe Harbor has been back in the news recently as Germany's data protection commissioners met at the end of January and expressed impatience at the delay in implementing what many view as necessary reforms to the program. The European Court of Justice also recently heard a challenge to Facebook's reliance on the Safe Harbor for the transfer of user data in what many see as an important test case; this lawsuit will be the topic of a future blog post.
Established in 1998, the Safe Harbor program provides a mechanism by which companies can publicly represent that they have established internal controls that provide an adequate level of protection, thereby permitting transfers of personal information from the EU to the US. (EU data protection law provides that - with limited exceptions - personal data can be transferred outside the European Economic Area only if an adequate level of protection is ensured, and the US is not among the countries whose laws the EU Commission has identified as providing adequate protection.)
Although there have been critics of the Safe Harbor program since its inception (particularly around issues of transparency and dispute resolution), criticism has been at an all-time high since the disclosure in 2013 of the U.S. National Security Agency's surveillance activities. In response to these widespread concerns, the EU Commission issued a report in November 2013 setting forth 13 specific recommendations aimed at promoting transparency, ensuring effective dispute resolution and enforcement, and limiting access to personal information by U.S. authorities. Notable recommendations include:
- Notifying the Department of Commerce of contracts with subcontractors, including cloud computing services, that will involve the transfer of personal data, and making publicly available information regarding the privacy safeguards included in such contracts;
- Addressing affordability concerns with respect to alternative dispute resolution (ADR) mechanisms and increasing monitoring of ADR providers;
- Random audits by US authorities to ensure companies are complying with their privacy policies, and investigation of false claims of Safe Harbor compliance; and
- Inclusion in privacy policies of information regarding the extent to which US law would allow US authorities to access data transferred under the Safe Harbor...