Data Protection Officials Call for Safe Harbor Revamp, Tougher Privacy Rules to Counter U.S. Surveillance
It’s clear that the Safe Harbor agreement for transfer of personal data doesn’t offer any protection against mass U.S. surveillance of Europeans’ telephone and Internet traffic and that the European Commission should be directed to suspend it until changes are made, the author of an upcoming European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee report on the spying said Monday. Data protection officials from Germany, France and the European Data Protection Supervisor, however, all said Safe Harbor needs to be reworked rather than scuttled but, more importantly, a new data protection regulation must be approved as quickly as possible. But rapporteur Claude Moraes, of the Socialists and Democrats and U.K., said at session six of the LIBE probe that Safe Harbor is useless against the U.S. Patriot Act and Foreign Intelligence Surveillance Act (FISA). Committee members criticized Justice, Fundamental Rights and Citizenship Commissioner Viviane Reding for not appearing at the hearing.
The EC said in 2000 that Safe Harbor principles issued by the U.S. Department of Commerce offer an adequate level of protection for Europeans’ personal data, a LIBE background statement said. Transfers to organizations that haven’t self-certified adherence to Safe Harbor take place under other mechanisms such as standard contractual clauses and binding corporate rules (BCRs) for transfers made within multinational groups, it said. But spying allegations against the National Security Agency and others indicate that many private companies are required to pass massive amounts of data to U.S. intelligence services, said LIBE Chairman Juan Fernando López Aguilar, of the Socialists and Democrats and Spain. The question is whether the tools for transfer of personal data meet the requirements of EU law, he said.
López Aguilar said the panel was disappointed by Reding’s decision not to attend the hearing. The EC announced recently that its report assessing Safe Harbor would be made available this fall, but has now delayed it until December, he said. He asked Reding to present the document at the Dec. 9 LIBE meeting. Reding didn’t attend because she’s at Justice and Home Affairs Council meetings in Luxembourg, her spokeswoman told us. “Yesterday [Monday] she was fighting for strong data protection rules,” the spokeswoman said. The Safe Harbor analysis “will be presented before the end of the year,” she said.
Data protection officials said Safe Harbor shouldn’t be thrown out. U.S. spying is an “existential challenge to our fundamental rights and liberties,” and Europeans “must be prepared to draw a line in the sand,” said European Data Protection Supervisor Peter Hustinx. Without stronger safeguards, the EU could consider suspending data transfers to the U.S. or it could use the situation to its advantage by, for example, passing stronger data protection rules that cover all companies that do business in Europe, he said. Safe Harbor “has been controversial from the beginning,” but has now picked up momentum and covers a substantial part of commercial privacy, he said. Most issues have been settled but the troublesome matter of insufficient oversight remains, he said. The agreement itself allows for compliance to be limited to meet national security or law enforcement needs, but that is only in exceptional cases, not the mass data vacuuming going on now, he said.
Hustinx urged lawmakers not to throw out Safe Harbor without investigating its scope for improvement. It’s wise to “keep all options open,” he said. EU privacy law must be beefed up to deal with Facebook, Apple, Microsoft and other U.S. companies caught in the middle, he said. But data protection authorities also need a way to gauge the adequacy of non-EU countries’ privacy protections, he said.
The revelations in the Prism case “set off a shock wave in France,” said Isabelle Falque-Pierrotin, president of data protection authority CNIL (Commission nationale de l'informatique et des libertés). The general feeling was that “a red line had been crossed,” and that fighting terrorism couldn’t justify blanket surveillance of ordinary citizens, she said. The question is whether current contractual arrangements for international data exchanges can protect European citizens, she said.
Data protection authorities are analyzing two scenarios to determine whether existing international transfer tools are adequate, said Falque-Pierrotin. Where data are collected in Europe by a major Internet player and then sought by U.S. authorities, contract tools such as standard clauses and BCRs don’t help because they apply only to private entities, not governments, she said. Contract tools can work in the second scenario, where data are collected in Europe, sent to the U.S. and requested by the U.S., but any further transfers of the data are subject to requirements of proportionality, the need to notify data subjects that their information is being passed on, and the restriction on not giving the information to others for purposes incompatible with the original reason for its collection, she said. BCRs and standard contract provisions aren’t enough to allow public authorities to obtain huge amounts of people’s data, she said.
There may be growing interest in the idea of a sovereign European cloud to cut down on exposure of data to non-EU countries, said Falque-Pierrotin. CNIL’s view is that several Safe Harbor requirements are inadequate to deal with cloud services, she said. She approached the FTC to establish in which cases it had ensured that Safe Harbor rules had been enforced but the agency’s response wasn’t all that helpful, she said. With a cloud that’s 100-percent European, FISA won’t apply and U.S. agencies won’t have access to the data, she said. The issue is whether a business is subject to U.S. law, she said. If it’s not, there’s no justification for American authorities to request access to information, she said.
German data protection watchdogs are exploring whether to suspend some data transfers to the U.S. on a case-by-case basis, said Imke Sommer, who chairs the Conference of German Federal and State Data Protection Commissioners, and is commissioner for data protection and freedom of information for the Free Hanseatic City of Bremen, which is a German state. German companies seem very interested in ending the mass surveillance of citizens, and privacy officials will use every means available, including the “weak” Safe Harbor agreement, to achieve that, she said. Even with tougher data protection rules, Safe Harbor or something like it is needed to deal with data transfers to non-EU parties, she said.
The FTC’s handling of Safe Harbor came in for sharp criticism from Christopher Connolly, a privacy advocate and researcher for Australian consultancy Galexia. He listed the top concerns surrounding the scheme. One is that many companies that claim to be Safe Harbor members are lying, he said. Where such claims are false, there’s no data protection, he said.
Last month, Galexia found 427 businesses were making false claims about Safe Harbor membership, Connolly said. He had earlier given a list of 200 noncompliant companies to the FTC, which acted against only six, he said. That was just enough enforcement to take the pressure off, he said. Stakeholders have unrealistic hopes about FTC enforcement of Safe Harbor breaches, he said.
Regarding national security surveillance, Connolly said Safe Harbor doesn’t cover many of the organizations targeted by the U.S., such as telecom companies. The agreement has a national security limitation that allows a specific provision to be added to privacy policies for national security purposes but this limitation needs clarification, he said. Consumers tend to think disclosures will only be made in restricted cases, not in mass data collections, he said. Another issue with Safe Harbor is that the dispute resolution mechanisms provided for European consumers are chosen by U.S. companies, and many involve charges of thousands of dollars to file claims, he said. These mechanisms are inappropriate to deal with data disclosures to intelligence or law enforcement agencies, he said. A revised Safe Harbor agreement could require disputes to be resolved in Europe by European data protection authorities, he said. It’s “dangerous” to rely on Safe Harbor to manage any aspect of the national security issues Europe now faces, Connolly said. The next LIBE hearing on mass surveillance is scheduled for Oct. 14.