Printer Friendly


In 2000, the EU and the US came up with a solution to a problem that had arisen due to their different legal frameworks on protecting personal data in the commercial sector. The EU-US Safe Harbour agreement was hailed by many for enabling US companies to continue to transfer data from the EU to the US if they pledged to adhere to the principles enshrined in the EU's Data Protection Directive (95/46/EC). But the accord had its critics, who were unhappy that it relied so heavily on the goodwill of companies, with weak enforcement provisions. Safe Harbour is coming under renewed spotlight as lawmakers in the EU and US consider whether to update their data privacy rules in light of new developments in the digital world, such as the advent of social networking websites and mobile technologies that allow people's movements to be tracked.

Justice Commissioner Viviane Reding has called Safe Harbour "a good starting point," adding "we should build on it". According to Marc Rotenberg, executive director of the Electronic Privacy Information Centre (EPIC), a Washington-based data privacy advocacy group, "the agreement has helped to raise awareness among US firms of EU data privacy principles. But the problem with it is lack of enforcement. With Safe Harbour, individuals' legal rights have been exchanged for a quasi policy document that lacks legal effect". To date, the agreement has not led to a single interruption in the flow of personal data from the EU to the US nor has any company been fined for breaching its provisions. An official from the US Department of Commerce, which manages the agreement, believes that such criticism is "somewhat misplaced" as it fails to take into account the many strict sector-specific data protection laws that exist in the US. The official admits, however, that the exclusion ofanumerous sectors from Safe Harbour -anotably financial services - has raised concerns in the EU.


At present, 2,850 US companies have signed up to Safe Harbour. Their identities can be publicly viewed via the Commerce Department's online Safe Harbour portal. The companies are provided with a 64-page guidebook on how to comply with the EU's data privacy regime. Companies that sign up pay a registration fee of US$200 plus an annual reaffirmation fee of US$100 to keep their certification current. Participation remains voluntary. The Commerce Department does not verify if companies comply with their commitments, leaving this task to the US Federal Trade Commission (FTC) and the Department of Transportation (DoT). The first action taken against a company for not complying did not occur untilanearly a decade after the agreement was signed. In October 2009, the FTC settled charges with six companies that falsely claimed they held current certifications for Safe Harbour compliance. But the sanction imposed by the FTC - it prohibited them from making such misrepresentations again - was little more than a slap on the wrist.

There are signs that the FTC is getting more stringent on enforcement. In March 2011, it took action against Google for breaching Safe Harbour when it launched its social networking site, Google Buzz. Google falsely claimed that it adhered to Safe Harbour, the FTC found, even though it was violating the agreement's provisions on notice and choice. The FTC acted after thousands of consumers complained about Google having publicly disclosed their e-mail contacts. It made Google implement a comprehensive privacy program, which was a first. The DoT has so far not taken an enforcement case.


It is not clear what impact a revamp of the EU and US data privacy legal frameworks would have on Safe Harbour. According to the Commerce Department official, "we have been assured by the European Commission that Safe Harbour will not be affected by changes in the Data Protection Directive". The official adds, however, that they do have concerns about US firms lacking the clarity they need should new terms like privacy by design' and right to be forgotten' be introduced without their precise meaning being spelled out. A Commission proposal is due to be unveiled in early 2012.

Meanwhile, the US Congress is considering several bills that could move the US from its current sector-based system to a more comprehensive framework. If this happens, Washington could ask the Commission to adopt a so-called adequacy finding on the US data privacy framework, which would permit an automatic free flow of personal data from the EU to the US. This could effectively render Safe Harbour obsolete. But there is no guarantee that the Commission would adopt such a finding even if Congress does enact comprehensive data privacy legislation. Moreover, with the Obama administration not yet strongly pushing these bills and some Republicans on Capitol Hill opposing them on the grounds that they will stifle innovation in the digital environment, their passage looks far from certain.

Safe Harbour principles

Companies that sign up to Safe Harbour agree to adhere to these principles:

- Individuals must be told for what purpose their data were collected and who will have their data

- An opt-in' must be given to permit forward transfer to third parties of sensitive' data, such as that revealing a person's health, race or religion

- For onward transfer of the data to a third party to take place, that third party must also adhere to Safe Harbour

- The company must protect the data from loss, misuse or alteration

- The data must only be used for the purpose for which they were collected

- The individual must have access to the data and be able to correct them

- In case of disputes, the individual must have recourse to an appeals mechanism
COPYRIGHT 2011 Europolitics
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2011 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Publication:European Report
Date:Oct 3, 2011

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters |