Commerce and International Privacy Activities: Recent Safe Harbor Developments
Report home | Read the report (PDF) | Previous section | Next section
The shortcomings of the Safe Harbor Framework have come to the attention of some data protection authorities in Europe. In April 2010, the Düsseldorfer Kreis, a working group comprised of the 16 German federal state data protection authorities with authority over the private sector, adopted a resolution applicable to those who export data from Germany to US organizations that self-certified compliance with the Safe Harbor Framework. The resolution tells German data exporters that they must verify whether a self-certified data importer in the US complies with the Safe Harbor requirements.
A German exporter of personal data must now obtain evidence that a Safe-Harbor-self- certification exists and that the Safe Harbor principles are complied with. In addition, an exporter has to obtain evidence showing how the importing company fulfils its Safe Harbor duties to provide notice to the individuals affected by the data processing. A certification more than seven years old is considered invalid. The exporter must also document the assessment and provide proof if requester by a data protection authority. [47]
Essentially, the action by the German state data protection authorities rejects in significant part the Safe Harbor Framework, particularly the self-certification as it appears on the Department of Commerce website. The Düsseldorfer Kreis makes this clear when it states that the reason for its action is because “comprehensive control of US-American companies’ self-certifications by supervisory authorities in Europe and in the US is not guaranteed…” [48]
As a result, German data exporters must act on their own to make sure that a US organization complies with the requirements. The effect is to significantly diminish the utility of the Department of Commerce’s Safe Harbor website the Department’s reporting of Safe Harbor certification. If data exporters must verify compliance with Safe Harbor with the organization claiming to be in compliance, then the Commerce Department’s role in the Safe Harbor process is undermined or eliminated.
In June 2010, Thilo Weichert, the Data Protection and Privacy Commissioner for the German State of Schleswig-Holstein, went further. Noting the findings of the 2008 Study (discussed earlier in this paper) and the lack of any response by the US and the EU thereafter, the Commissioner called for immediate termination of the Safe Harbor agreement. [49] Recognizing a lack of “courage” for termination, the Commissioner alternatively called on the EU to demand from the US short-term positive evidence concerning enforcement of the safe harbor principles.” [50]
The actions in Germany regarding Safe Harbor came despite the first enforcement actions brought by the Federal Trade Commission. The FTC has a principal role in enforcing compliance with the Safe Harbor Framework by those who promised to comply. In October 2009, the Commission obtained consent decrees that prohibited six companies from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. There was no penalty imposed on the six companies for their failure to comply and no attempt to determine the consequence of the failure for consumers who were supposedly protected by the misrepresentation. [51] It is not clear why the Commission took action against these six companies after many years of inaction on Safe Harbor noncompliance.
It appears that the long-standing failures of the Department of Commerce to oversee and control participation by US organizations in the Safe Harbor Framework have undermined the credibility and value of the program. [52] It remains to be seen if there will be further rejections of Safe Harbor certifications by other EU national data protection authorities. The substantive and credibility shortcomings of the Safe Harbor Framework have increased the need for reliance on other, more expensive, mechanisms that support the export of data outside the European Union. These mechanisms including contracts and binding corporate rules.
______________________________
Endnotes
[47] Supreme Supervisory Authorities for Data Protection in the Nonpublic Sector (Germany), Examination of the Data Importer’s Self-Certification According to the Safe-Harbor-Agreement by the Company Exporting Data (revised version of Aug. 23, 2010), available at <http://www.datenschutz- berlin.de/attachments/710/Resolution_DuesseldorfCircle_28_04_2010EN.pdf?1285316129>.
[48] Id.
[49] Press Release, 10th Anniversary of Safe Harbor – Many Reasons to Act, But None to Celebrate (June 23, 2010), available at <https://www.datenschutzzentrum.de/presse/20100723-safe-harbor_en.htm>.
[50] Id.
[51] Press Release, FTC Settles with Six Companies Claiming to Comply with International Privacy Framework (Oct. 6, 2010), available at <http://www.ftc.gov/opa/2009/10/safeharbor.shtm>.
[52] The shortcomings of the Federal Trade Commission in the Safe Harbor program are beyond the scope of this report.
Roadmap: The US Department of Commerce and International Privacy Activities – Indifference and Neglect: Recent Safe Harbor Developments