Enforcement and Reform of the EU-US Safe Harbor Agreement

The Safe Harbor framework is a compromise agreement between two very different approaches to data protection and, as a result, it has many limitations. One of the main criticisms has been the lack of enforcement action against Safe Harbor members. The Safe Harbor is a self-regulatory scheme, so initial disputes are managed by the members themselves, or sometimes referred to third-party dispute resolution providers. However, the US Federal Trade Commission has been given a back-stop regulatory role for the Safe Harbor, and it has become the key enforcement agency for Safe Harbor compliance and unresolved disputes. This chapter examines the enforcement of Safe Harbor across the 15 years of its operation. There are four clear phases:
- 2000–2008: no action.
- 2009–2010: limited action on false claims.
- 2011–2012: limited action on substantive non-compliance.
- 2013–2015: new action on both false claims and non-compliance.
The chapter also examines some of the unique characteristics of Safe Harbor enforcement, including the multi-national, multi-stakeholder context of the Safe Harbor, the dominant role played by third-party dispute resolution providers and certification schemes, and the reactive nature of enforcement by the FTC. The chapter concludes with an analysis of whether the impressive rhetoric on Safe Harbor claims is matched by the reality of Safe Harbor performance.
Notes
Safe Harbor background information and official documentation is available at: http://www.export.gov/safeharbor/
European Parliament and the Council, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J.L. 281, 23 November 1995. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:01995L0046-20031120&from=EN
See, for example, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Opinion 7/99 On the Level of Data Protection provided by the “Safe Harbor” Principles as published together with the Frequently Asked Questions (FAQs) and other related documents on 15 and 16 November 1999 by the US Department of Commerce, Adopted on 3 December 1999. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/1999/wp27en.pdf
European Commission, Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (2000/520/EC). http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02000D0520-20000825&from=EN
Dhont, Jan, María Verónica Pérez Asinari and Prof. Dr. Yves Poullet, Safe Harbour Decision Implementation Study, with the assistance of Prof. Dr. Joel R. Reidenberg and Dr. Lee A. Bygrave, for the European Commission, Internal Market DG, 19 April 2004, p. 91. http://ec.europa.eu/justice/policies/privacy/docs/studies/safe-harbour-2004_en.pdf
The other two reports in the series were: Connolly, Chris, Trustmarks Struggle to Protect Privacy, Galexia, 2008b. http://www.galexia.com/public/research/assets/trustmarks_struggle_20080926/trustmarks_struggle_public-Coverage.html and Connolly, Chris, “Privacy White Lists: Don’t Be Fooled”, Privacy Laws and Business International, Issue 98, 2009, pp. 9–12. http://www.galexia.com/public/research/articles/research_articles-pa09.html
“The US Department of Commerce announced that it will review the privacy policies of participants in the Safe Harbor program to ensure that they clearly indicate adherence to the Safe Harbor Privacy Principles.” Department of Commerce, Presentation at Conference on Cross Border Data Flows, Data Protection and Privacy, Washington, November 2009, summarised at: http://www.jeitosa.com/wp-content/uploads/2010/12/HARRIS_-_DATA_PRIVACY_12-2009.pdf
See the Appendix for full case details.
These requirements are taken from the Safe Harbor Privacy Principles and FAQs. http://www.export.gov/safeharbor/
These sanctions are from Federal Trade Commission, A closer look at the Myspace Order: Part 2, 10 May 2012. https://www.ftc.gov/news-events/blogs/business-blog/2012/05/closer-look-myspace-order-part-2. Similar sanctions appear in all the key cases.
European Commission, Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM (2013) 847 final, Brussels, 27 November 2013. http://ec.europa.eu/justice/data-protection/files/com_2013_847_en.pdf
European Commission, “EU-U.S. Justice Ministerial in Athens: Vice-President Reding welcomes U.S. announcement on data protection umbrella agreement”, Statement 14/208, 25/06/2014. http://ec.europa.eu/commission_2010-2014/reding/multimedia/news/2014/06/20140625_en.htm
Department of Commerce, “Key Points Concerning the Benefits, Oversight, and Enforcement of Safe Harbor”, December 2013. http://www.export.gov/static/Safe%20Harbor%20Key%20Points%2012-2013_Latest_eg_main_068867.pdf
Grande, Allison, “EU-US Safe Harbor Members Warned Over Arbitrator’s New Fee”, Law360, New York, 5 June 2014 (subscription required). http://www.law360.com/articles/545209/eu-us-safe-harbor-members-warned-over-arbitrator-s-new-fee
See the Appendix for full case details.
See the Appendix for full case details.
See the Appendix to this chapter for full case details.
Federal Trade Commission, In the Matter of True Ultimate Standards Everywhere, Inc., a corporation d/b/a TRUSTe, Inc. – Agreement Containing Consent Order, 18 March 2015. https://www.ftc.gov/enforcement/cases-proceedings/132-3219/true-ultimate-standards-everywhere-inc-truste-matter
Federal Trade Commission, “TRUSTe Settles FTC Charges it Deceived Consumers Through Its Privacy Seal Program – Company Failed to Conduct Annual Recertifications, Facilitated Misrepresentation as Non-Profit”, Media Release, 17 November 2014. http://www.ftc.gov/news-events/press-releases/2014/11/truste-settles-ftc-charges-it-deceived-consumers-through-its
Hunton & Williams and the US Chamber of Commerce, Business Without Borders, The Importance of Cross-Border Data Transfers to Global Prosperity, Washington 2014, p. 21. https://www.uschamber.com/sites/default/files/documents/files/021384_BusinessWOBorders_final.pdf
European Commission, “EU-U.S. Justice Ministerial in Athens: Vice-President Reding welcomes U.S. announcement on data protection umbrella agreement”, Statement 14/208, 25 June 2014. http://ec.europa.eu/commission_2010-2014/reding/multimedia/news/2014/06/20140625_en.htm.
See numerous resources at: http://europe-v-facebook.org/EN/en.html
Schrems v Data Protection Commissioner, Irish High Court, June 2014, Unofficial transcript at: http://www.europe-v-facebook.org/hcj.pdf
References
- Brill, Julie, “At the Crossroads”, Keynote Speech at the IAPP Europe Data Protection Congress, Brussels, 11 December 2013. http://www.ftc.gov/sites/default/files/documents/public_statements/crossroads-keynote-address-iapp-europe-data-protection-congress/131211iappkeynote.pdf
- Connolly, Chris, Safe Harbor: Fact or Fiction?, Galexia, 2008a. http://www.galexia.com/public/research/assets/safe_harbor_fact_or_fiction_2008/print-index.html
- Connolly, Chris, Trustmarks Struggle to Protect Privacy, Galexia, 2008b. http://www.galexia.com/public/research/assets/trustmarks_struggle_20080926/trustmarks_struggle_public-Coverage.html
- Connolly, Chris, “Privacy White Lists: Don’t Be Fooled”, Privacy Laws and Business International, Issue 98, 2009. http://www.galexia.com/public/research/articles/research_articles-pa09.html
- Department of Commerce, Presentation at Conference on Cross Border Data Flows, Data Protection and Privacy, Washington, November 2009, summarised at: http://www.jeitosa.com/wp-content/uploads/2010/12/HARRIS_-_DATA_PRIVACY_12-2009.pdf
- Department of Commerce, “Key Points Concerning the Benefits, Oversight, and Enforcement of Safe Harbor”, December 2013. http://www.export.gov/static/Safe%20Harbor%20Key%20Points%2012-2013_Latest_eg_main_068867.pdf
- Dhont, Jan, María Verónica Pérez Asinari and Prof. Dr. Yves Poullet, Safe Harbour Decision Implementation Study, with the assistance of Prof. Dr. Joel R. Reidenberg and Dr. Lee A. Bygrave, for the European Commission, Internal Market DG, 19 April 2004. http://ec.europa.eu/justice/policies/privacy/docs/studies/safe-harbour-2004_en.pdf
- European Commission, Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (2000/520/EC). http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:02000D0520-20000825&from=EN
- European Commission, The application of Commission Decision on the adequate protection of personal data provided by the Safe Harbor Privacy Principles, 13 February 2002. http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/sec-2002-196/sec-2002-196_en.pdf
- European Commission, The implementation of Commission Decision on the adequate protection of personal data provided by the Safe Harbor Privacy Principles, 20 October 2004. http://ec.europa.eu/justice/policies/privacy/docs/studies/safe-harbour-2004_en.pdf
- European Commission, Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, COM (2013) 847 final, Brussels, 27 November 2013. http://ec.europa.eu/justice/data-protection/files/com_2013_847_en.pdf
- European Commission, “EU-U.S. Justice Ministerial in Athens: Vice-President Reding welcomes U.S. announcement on data protection umbrella agreement”, Statement 14/208, 25 June 2014. http://ec.europa.eu/commission_2010-2014/reding/multimedia/news/2014/06/20140625_en.htm
- European Parliament and the Council, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J.L. 281, 23 November 1995. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:01995L0046-20031120&from=EN
- Federal Trade Commission, Directors Desk LL, 19 January 2010. https://www.ftc.gov/enforcement/cases-proceedings/0923140/directors-desk-ll
- Federal Trade Commission, A closer look at the Myspace Order: Part 2, 10 May 2012. https://www.ftc.gov/news-events/blogs/business-blog/2012/05/closer-look-myspace-order-part-2
- Federal Trade Commission, Privacy Enforcement and Safe Harbor: Comments of FTC Staff to European Commission Review of the U.S.-EU Safe Harbor Framework, 12 November 2013. http://www.ftc.gov/sites/default/files/documents/public_statements/privacy-enforcement-safe-harbor-comments-ftc-staff-european-commission-review-u.s.eu-safe-harbor-framework/131112europeancommissionsafeharbor.pdf
- Federal Trade Commission, “TRUSTe Settles FTC Charges it Deceived Consumers Through Its Privacy Seal Program – Company Failed to Conduct Annual Recertifications, Facilitated Misrepresentation as Non-Profit”, Media Release, 17 November 2014. http://www.ftc.gov/news-events/press-releases/2014/11/truste-settles-ftc-charges-it-deceived-consumers-through-its
- Federal Trade Commission, In the Matter of True Ultimate Standards Everywhere, Inc., a corporation d/b/a TRUSTe, Inc. – Agreement Containing Consent Order, 18 March 2015. https://www.ftc.gov/enforcement/cases-proceedings/132-3219/true-ultimate-standards-everywhere-inc-truste-matter
- FTC v. Javian Karnani and Balls of Kryptonite, 2009. http://www.ftc.gov/sites/default/files/documents/cases/2009/08/090806karnanitro.pdf
- Future of Privacy Forum (FPF), The US EU Safe Harbor Framework, December 2012. http://www.futureofprivacy.org/wp-content/uploads/FPF-Safe-Harbor-Report.pdf
- Grande, Allison, “EU-US Safe Harbor Members Warned Over Arbitrator’s New Fee”, Law360, New York, 5 June 2014 (subscription required). http://www.law360.com/articles/545209/eu-us-safe-harbor-members-warned-over-arbitrator-s-new-fee
- Hunton & Williams and the US Chamber of Commerce, Business Without Borders, The Importance of Cross-Border Data Transfers to Global Prosperity, Washington 2014. https://www.uschamber.com/sites/default/files/documents/files/021384_BusinessWOBorders_final.pdf
- Schrems v Data Protection Commissioner, Irish High Court, June 2014, Unofficial transcript at: http://www.europe-v-facebook.org/hcj.pdf
- Working Party on the Protection of Individuals with regard to the Processing of Personal Data, Opinion 7/99 On the Level of Data Protection provided by the “Safe Harbor” Principles as published together with the Frequently Asked Questions (FAQs) and other related documents on 15 and 16 November 1999 by the US Department of Commerce, Adopted on 3 December 1999. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/1999/wp27en.pdf
Author information
Authors and Affiliations
- Galexia, Sydney, NSW, Australia Chris Connolly & Peter van Dijk
- Chris Connolly