Bryan Cunningham is an information security, privacy, and data protection lawyer, and a senior advisor of The Chertoff Group, a global security advisory firm that advises clients on cyber security. Formerly, he was a US civil servant, working for the CIA and serving as deputy legal advisor to national security advisor Condoleezza Rice.
“The ‘Safe Harbour’ agreement may not be so safe after all,” said European Union (EU) Justice Commissioner Viviane Reding, threatening to “review” the agreement, which helps insulate US companies from lawsuits for violations of EU privacy law. Harnessing European outrage over the US PRISM programme, Reding tied the government surveillance issue to the Safe Harbour agreement, asserting that Safe Harbour “allows data transfers from EU to US companies-although US data protection standards are lower than our European ones."
Meanwhile, Germany’s Commissioner for Data Protection and Information Freedom reportedly has urged Chancellor Merkel to suspend Safe Harbour in the wake of the NSA disclosures.
But scuttling Safe Harbour in retaliation for PRISM would be akin to throwing out the baby with the bathwater. It would destroy one of the most powerful tools in our government’s arsenal for enforcing EU privacy law with little chance of changing Washington’s intelligence collection methods for protecting our national security.
Safe Harbour is a voluntary framework, created by agreement between the US and the EU, intended to bridge the gap between EU standards for data protection and the perceived lack of similar US standards.
Safe Harbour is one method allowing US companies to transfer personal data of EU citizens to the US, but requires that companies self-certify to the US Department of Commerce that they meet EU requirements for privacy and protection of personal data. Google, Facebook, Microsoft, Amazon, and many other US companies are part of the “Safe Harbour” compliance program, enforced by the Federal Trade Commission (FTC).
In recent years, the FTC has swept EU privacy requirements under its “deceptive trade practices” authority to punish US companies that fail to live up to their self-certified compliance with Safe Harbour requirements. In cases, including against Myspace, Google and Facebook, the FTC successfully asserted that failures to live up to these self-certifications violate US law.
In one such recent case, the FTC sued Google over privacy violations related to “Google Buzz,” a Gmail social networking service launched in early 2010, alleging, among other violations of section 5(a) of the Federal Trade Commission Act, that the company inaccurately self-certified that it adhered to Safe Harbour requirements. In October 2011, Google agreed, in a consent Order with the FTC, that, among other things, it would “not misrepresent in any manner, expressly or by implication” the extent to which Google “is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in…the US-EU Safe Harbour Framework.” This Order further requires Google to establish and maintain a comprehensive internal privacy protection program and obtain biennial assessments by qualified, independent third-party privacy experts for the following 20 years.
Violations of this consent Order carry monetary penalties of up to $16,000 per violation. In addition, any violation of the 2011 Order could possibly void the settlement and reinstate potential liability for Google for the Google Buzz charges, as well as any potential new ones.
In short, FTC Consent Orders, such as this one with Google, come with sharp and powerful teeth, if the FTC chooses to bite. FTC enforcement of Safe Harbour is one of the few robust tools available to enforce violations of EU privacy laws by US companies.
Given the relative weakness of EU Member State privacy enforcement actions in recent years, the FTC may, in fact, be better positioned than the Europeans themselves to enforce EU privacy laws against US companies.
Prior to the PRISM revelations, a senior FTC official implored EU privacy regulators not to undo Safe Harbour, arguing that it provides a key jurisdictional “peg” for FTC enforcement of EU privacy principles against US companies. That official was right. It would be shortsighted and, ultimately, self-defeating for Europe to eliminate a powerful protection for EU citizens’ privacy in order to demonstrate Europe’s pique with America’s intelligence collection efforts.
For the US’s part, the FTC’s enforcement actions in coming months may well determine the ongoing viability of the Safe Harbour program. First, as demonstrated by Reding’s comments, US commitment to EU privacy rights, in the wake of PRISM, is being seriously questioned in Europe.
Strong FTC enforcement action against a US company for privacy violations would send a powerful signal that at least the FTC takes the privacy of Europeans seriously. Of course, Europeans might argue that FTC actions against a private company do not mitigate what they perceive as improper US spying on EU citizens. EU outrage over PRISM may seem to many Americans both inconsistent with the laws and actions of many European nations themselves, and somewhat feigned, given apparent EU Member State knowledge of, and/or involvement in, PRISM or other intelligence collection programs. Still, the anger in Europe over the programme is real.
Strong FTC action could blunt Reding’s threats to Safe Harbour, which is far less burdensome to US companies than other methods for complying with EU privacy requirements. More broadly, such action could begin to heal the transatlantic rift opened by PRISM."