Professor Joel R. Reidenberg, Fordham University School of Law
Privacy Laws & Business, pp. 9, 26 (February 2002)
The European Commission has just released a Staff Working Paper on the implementation of the US-EU Safe Harbor Agreement that strives to avoid a privacy dispute with the United States in the aftermath of 9-11. While 9-11 focuses attention on government access to personal data, Safe Harbor addresses a different set of issues. The Safe Harbor Agreement itself was an attempt to solve the obvious legal conflict between the principles in the European Directive and the lack of rules and standards in the United States for the treatment of European personal data by US companies. The political hope was that Safe Harbor would create a substitute for missing US legal protections for European data. Because the European Parliament was critical of the acceptance of a prospective arrangement, the Commission committed to an assessment of the agreement’s implementation. This resulting Staff Paper tries to put a positive spin on the first 18 months of Safe Harbor, but clearly illustrates that compliance with the arrangement falls short of the expected level of data protection.
The Staff Paper looked at the implementation by US companies of the Safe Harbor principles based on an independent consultant's study of "visible compliance" as of June 2001 and on information gathered by the Commission. The Commission also had responses from the US Department of Commerce. On the positive side, the report emphasized that Safe Harbor simplifies data exports to the United States, that few complaints have been filed thus far, and that various dispute resolution groups in the US might meet the requirements of the Safe Harbor. The report also praised the US Department of Commerce for its efforts to develop compliance workbooks for US companies and the Federal Trade Commission for its responsiveness to the European Commission.
Nevertheless, the reported compliance deficiencies were significant. First, only a trivial number of US companies were participating in the Safe Harbor (129 organizations as of December 2001) and only a few of those companies were major corporations engaged in international data flows.
Second, the Staff Paper noted that "a substantial number" of participating companies failed to provide the required transparency. This failure shows that corporate compliance with one of the most basic principles of the Safe Harbor was seriously lacking. US companies are not accustomed to publicly describing their data processing practices. The significant level of non-transparency suggests that these participants are trying to create an appearance of data protection and that they do not foresee any real consequences for deficiencies.
Third, and equally troubling, the Staff Paper observed that fewer than 50% of the participating companies complied with all of the required Safe Harbor principles. While the report attributes some of the non-compliance to “teething problems,” this extraordinary failure rate calls into question the very legitimacy of the current agreement as a substitute for missing legal protection.
Lastly, the validity of the entire Safe Harbor arrangement rests on the commitment by the U.S. Federal Trade Commission to bring enforcement actions against breaching participants. The Staff Paper notes an assertion by the FTC that the lack of transparency would be actionable as an “unfair and deceptive trade practice.” But, despite the transparency failures and the widespread omissions in privacy policies, the Staff Paper also shows that no company has been pursued for making a false self-certification to the US Department of Commerce. Indeed, there is no support in American law for the dubious assertion by the FTC that it has enforcement powers against companies that fail to make certain privacy statements for their European data. While the Staff Paper is optimistic with respect to private dispute settlement mechanisms such as BBBOnline, the FTC’s role remains a clear and important weakness in the enforcement mechanism.
Rather than demand that the United States prosecute companies for these fundamental implementation deficiencies or challenge the continued existence of Safe Harbor, the Staff Paper chose only to identify these issues and to stress the European Commission’s continued desire to work with the US government for future compliance. In effect, the Staff Paper reflects a significant political decision by the European Commission to avoid confrontation with the US over privacy issues at this juncture and to avoid revisiting the question of “adequacy.” With the continuing threat of terrorism and the public focus on security, this choice defers a renewed debate on trans-Atlantic private sector data processing.
As the Staff Paper reveals, the Safe Harbor has inherent flaws and weaknesses that are not likely to disappear easily. US companies remain reluctant to join Safe Harbor. The implementation deficiencies show that strict compliance is elusive. At the same time, FTC sanctions for non-compliance are doubtful and private dispute settlements are still hypothetical. These fundamental issues will persist while Safe Harbor is used as a substitute for missing legal protections in the United States.
In the interim, however, the strategy may to some extent improve US data protection for the treatment by US companies of European data. The Department of Commerce has, for example, modified the self-certification form in a way that partially implements FAQ 6 on human resources data. The European Commission’s approach also gives US companies a second chance to try to implement the Safe Harbor principles. Companies, however, are at risk if they continue to fail to implement Safe Harbor properly. The Staff Report notes specifically that only through “vigilance and enforcement action” can Safe Harbor be “credible and serve its purpose.” Companies already participating and those contemplating participation clearly have much work to do for satisfactory compliance. In addition, the response at the Member State level by the data protection supervisory authorities may not be as forgiving as this preliminary assessment by the European Commission. In any case, the European Commission is still required to make a full re-evaluation of Safe Harbor next year as mandated by Commission Decision 520/2000/EC.