EC Details Conditions for Repairing Relations Over Privacy Abuses, But Lawmaker, Civil Society Not Buying
The European Commission Wednesday pressed for stronger U.S. privacy protections to restore trust in trans-Atlantic data flows badly shaken by revelations of massive surveillance and ineffective compliance with the safe harbor agreement. It has a “clear agenda” for rebuilding trust with Europe and assuring Europeans their privacy will be safeguarded, said Home Affairs Commissioner Cecilia Malmström. The EC criticized compliance by companies, and lax oversight by the U.S. FTC and the Department of Commerce, of safe harbor, which allows businesses to transfer Europeans’ personal data to the U.S. In turn, civil society groups said the EC recommendations for improving safe harbor don’t go far enough, and one European Parliament member accused the EC of a whitewash.
The EC issued a strategy paper on trans-Atlantic data flows that sets out the challenges and risks following the evaluation of U.S. intelligence collection programs (http://bit.ly/1fIPXsL), and an analysis of how safe harbor is working (bit.ly/IorNGe). The commission also reported on the findings of the EU-U.S. joint data protection working party created in July by Attorney General Eric Holder. It also reviewed the workings of the Terrorist Finance Tracking Program (TFTP) and Passenger Name Record (PNR) pacts, finding no problems with them. Concern in Europe about revelations on U.S. spying from ex-National Security Agency contractor Edward Snowden has led the European Parliament and other bodies on the continent to rebuke the U.S. (CD Oct 24 p10).
Several actions are needed to restore trust, the EC said: (1) Quick approval of EU data protection reform legislation. (2) Making safe harbor safer. (3) Boosting data protection safeguards in the law enforcement arena by completing talks with the U.S. on an “umbrella agreement” for transfers and processing of data in police and judicial matters. (4) Using existing mutual legal assistance and sectoral EU-U.S. accords such as PNR and TFTP whenever data transfers are required for law enforcement purposes. (5) Addressing European concerns in U.S. reform of national security agencies’ activities by giving EU citizens the same safeguards as Americans have. (6) Requiring the U.S. to sign on to the Council of Europe convention for the protection of individuals with regard to automatic processing of personal data. The EC also stressed that “standards of data protection will not be part of the on-going negotiations for a Transatlantic Trade and Investment Partnership” treaty.
The safe harbor analysis found there are now 3,246 certified companies involved, mostly U.S.-based. It found many problems with compliance and enforcement. Many companies don’t make privacy policies available in a consumer-friendly and readily readable form, and about 10 percent of businesses claiming to be members of the arrangement aren’t, it said. The U.S. Department of Commerce has since March made it mandatory for safe harbor companies with public websites to make their privacy policies for customer/user data readily available on the site, and has started notifying companies that failed to provide links to the Commerce website or information about independent dispute resolution providers. But the process must be accelerated to ensure that all fully certified companies meet requirements by March, it said. The EC also said Commerce has been lax in ensuring that companies provide required information on their websites and in not showing on its site enterprises that have been dropped from safe harbor. It urged Commerce and the FTC to do more to combat false claims of safe harbor compliance.
Commerce thinks safe harbor “helps to support one of the world’s largest economic relationships, accounting for nearly” $1 trillion “in goods and services trade, and supporting millions of jobs on both sides of the Atlantic,” said a department spokeswoman by email. Commerce welcomes EC’s report and looks “forward to engaging with the Commission further to discuss their recommendations about the Framework’s operation,” she said. “We are optimistic that our dialogue with the Commission will yield positive outcomes.”
FTC Chairwoman Edith Ramirez defended the agency’s safe harbor enforcement efforts, saying they provided “important privacy protections” for Europeans. “We have brought enforcement actions against 10 companies, including Google, Facebook and MySpace, resulting in orders protecting consumers worldwide, millions of them in Europe,” she said in an email. “We currently have more nonpublic investigations underway.” Ramirez said the FTC is committed to working with the EU to improve “enforcement cooperation.”
The Software and Information Industry Association expressed concern that the safe harbor framework was being swept up into the government surveillance issues. The report is “an important step” for intergovernmental dialogue, “but we are concerned about the suggestion that restrictions on data collection and use by commercial entities should be a part of a response to concerns about government surveillance,” said David LeDuc, SIIA senior director-public policy. LeDuc called it “a mistake to hold hostage the crucial Safe Harbor framework.” Any changes to the agreement “should stand or fall on their own merit and not be looked at as substitute response to concerns about government surveillance,” he said.
Sen. Chris Murphy, D-Conn., struck a similar tone after Tuesday meetings with EU officials, including EU Justice Commissioner Viviane Reding, who’s heading the safe harbor review (http://bit.ly/1bSUWjI). “We have work to do, both in the United States and with our European partners,” Murphy said at a news conference Tuesday. “We believe, though, that we can have these conversations about how to change surveillance practices without suspending current agreements in effect with our European partners or cutting off debate on future agreements.”
Weak transparency and enforcement are causing European businesses to worry about competitiveness, the EC said. “When a European company competes with a US company operating under Safe Harbour, but in practice not applying its principles, the European company is at a competitive disadvantage.” The FTC’s jurisdiction covers unfair or deceptive acts or practices in or affecting commerce, but not in the telecom sector, it said. With the growing convergence of technologies and services, however, many direct competitors of European telcos in the information and communication technology sector are safe harbor members, creating an uneven playing field for European operators, it said.
All companies involved in NSA’s Prism program appear to be safe harbor-certified, the EC said. That has made the system one of the conduits through which access is given to U.S. intelligence agencies to collect data initially processed in the EU, it said. While the exceptional processing of personal data for national security, public interest or law enforcement is permitted under safe harbor, the EC said “the large scale access by intelligence agencies to data transferred to the US in the context of commercial transactions was not foreseeable at the time of adopting” the agreement. The analysis made 13 recommendations, centered around transparency, redress for individuals, enforcement and access to personal data by U.S. authorities.
The EC report “should have found that [the] entire Safe Harbor scheme is inadequate because it assumes there is ‘adequacy’ in how the U.S. protects privacy compared to Europe,” said Center for Digital Democracy Executive Director Jeff Chester in an email to us. Unlike Europe, the U.S. has no single data protection law, and lax FTC oversight has contributed to growing commercial surveillance conducted by its online industry, he said. Until the U.S. enacts privacy laws in line with the EU approach, there should be no safe harbor, he said. “Given the strong opposition of the data collection lobby (Google, Facebook, etc.), it is unlikely there will be any legislation soon,” leaving Americans and Europeans unprotected, he said. The EC should acknowledge that the FTC’s ability to prevent NSA-like data-gathering practices by Google and other major U.S. companies in the EU “is practically non-existent,” he added. Google, Microsoft and Facebook didn’t respond to requests for comment on the EC document.
Safe harbor “is riddled with problems,” said European Consumer Organisation Director General Monique Goyens. It claims to reassure EU and U.S. consumers when their personal information is exchanged for commercial purposes, “but it has now been shown to retain only a fig-leaf of credibility,” she said in a statement. The EC recommendations are welcome on many of the issues, but allowing companies to self-certify “is unjustifiable and remains inexplicably outside the review,” she said. It’s hard to see the purpose of proceeding without tackling such a basic flaw, “and perhaps the time has come to put the Safe Harbour agreement to one side and move on,” she said.
The EC’s “reassuring conclusions about TFTP and EU-US PNR agreements are totally unfounded,” said MEP Sophie In ’t Veld, of the Alliance of Liberals and Democrats for Europe and the Netherlands. She accused the EC of not carrying out a proper investigation, and of basing its conclusions solely on American reassurances. Wednesday’s policy statements, coming just months before Parliament’s term ends, are “tantamount to a whitewash” and won’t allow meaningful time for legislative debate, she said. Parliament has repeatedly called for review or termination of safe harbor, she said.