A chief US privacy regulator said today (4 December) that European authorities barely forwarded her office any complaint cases about the Safe Harbour data sharing agreement during its 15-year run.
Julie Brill, commissioner at the Federal Trade Commission (FTC), told reporters during a visit to Brussels that the US agency – which she describes as the country’s ‘top privacy cop’ – only received information about a small fraction of citizens’ complaints from European data protection authorities (DPAs) about data handling under the agreement.
“When Safe Harbour was originally set up we were very hopeful that we’d be getting referrals from DPAs here in Europe,” she said.
“I think the grand total of the number of communications from DPAs about complaints about Safe Harbour was four in 15 years.”
Brill was unable to provide immediate details about the content of the four case referrals.
A spokesperson for Isabelle Falque-Pierrotin, director of French data protection agency CNIL and current president of the Article 29 Working Party, the group representing privacy authorities in Europe, was not able to comment on Friday. The European Data Protection Supervisor’s office did not respond to a similar request.
Over 4,000 companies signed onto the Safe Harbour agreement, allowing them to transfer personal data from the EU to the US if they vouched for privacy standards on par with European rules.
The FTC was tasked with enforcing the agreement and took up 39 cases, including infringement charges against Google, Facebook and Myspace.
Safe Harbour was knocked down on 6 October by the European Court of Justice. ECJ judges cited US intelligence agencies’ access to personal data as grounds that European privacy standards were not upheld.
The European Commission and US government have been negotiating a new data sharing deal. EU Justice Commissioner Vera Jourova has said she wants an agreement by early February.
Brill told reporters that independent privacy researcher Chris Connolly sent the FTC a number of cases he thought were suspect.
“We examined very carefully what he told us and we brought appropriate cases that should have been brought,” Brill said.
“I don’t think that we passed on any cases that were appropriate cases to bring,” she added.
According to Brill, the FTC was not a soft enforcer of Safe Harbour violations.
“We have a lot of enforcement tools we’ve been using with respect to Safe Harbour. I think there has been room for improvement, as lots in the United States have recognised, to improve the administration of the program,” she said.
Brill described the ECJ’s strike against Safe Harbour as a “big loss for European citizens.”
Next Tuesday (8 November), Brill is meeting with the German national data protection supervisor and privacy authorities from Germany’s powerful states.
Following the ECJ verdict in October, the notoriously stringent German privacy watchdogs announced that they would halt data transfers to the US under alternative legal methods such as binding corporate rules and model contract clauses. The European Commission has held those up as means for companies to continue data transfers to the US.
Brill said she has previously been in touch with the group of German regulators.
The data protection authority in the German state of Schleswig-Holstein, widely regarded as Germany’s toughest privacy watchdog, told EurActiv her office sent all of its cases related to Safe Harbour to the FTC, though there were only a small number of them.
“We didn’t even receive a confirmation of receipt for some of the notifications, which we sent by post and email. In the cases where we did receive confirmation, we weren’t informed by the FTC about the progress of potential investigations and didn’t receive any response about the content,” said Marit Hansen, Schleswig-Holstein’s chief data protection regulator.
Hansen told EurActiv it makes sense for European data protection authorities to send the FTC complaints they receive, especially since there may be more in the future after the ECJ decision put Safe Harbour under the spotlight.
“I would like the FTC to give feedback on the cases we report or detailed responses to the referrals so that we could understand how they interpret the legal situation, especially the agreement that’s being negotiated now,” she added.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate has taken a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.