Industry-funded privacy group disputes European criticism of Safe Harbor Framework


A U.S. industry-funded privacy association is disputing some main points of a European Commission report on the U.S.-E.U. Safe Harbor Framework.

The executive branch of the European Union in November released a report criticizing implementation of the framework, which allows American companies to attest they meet the union's data protection requirements and so legally process Europeans' data.

A main thrust of the report is that revelations of massive American intelligence surveillance may have undermined any protections to Europeans' data the framework is meant to achieve. Although the framework allows national security and law enforcement requirements to trump privacy principles enforcement, the report states that the large scale of NSA data storage may go beyond the scope of the national security exemption.

That criticism in unfounded, says the Future of Privacy Forum in a December paper. The framework is meant as a privacy protection mechanism within a commercial context only, says the Washington, D.C.-based organization, which counts among its supporters companies with a vested interest in the framework, such as Google, Facebook and Microsoft.

"It should come as no surprise then that the Safe Harbor specifically provides exceptions to the Safe Harbor's privacy principles 'to the extent necessary to meet national security, public interest, or law enforcement requirements,'" the paper says.

Moreover, its elimination--as some members of the European Parliament, including German Green Party representative and proposed general data protection regulation rapporteur Jan Philipp Albrecht have called for--wouldn't prevent the U.S. government from accessing Europeans' data, the paper adds.

It also finds fault with European implementation of the directive, stating that an informal panel established by national data protection authorities (an official office created by existing EU regulation) to investigate and resolve individual complaints against violations of the framework by companies lacks a clear method for public interaction. "Information about the panel's existence is relegated to several documents available on the EC's page," the report says, noting that it has no website and that "it seems unclear how European citizens can interact" with it.

A Federal Trade Commission official told report authors that the agency has received only four complains from the panel. The report lauds the FTC, noting that it has pursued on its own initiative enforcement actions against American companies violating the Safe Harbor Framework, including Google and Facebook.

The report recommends creating the position of "Safe Harbor Master" within the International Trade Administration to assist U.S. companies wishing to join the framework and to monitor for compliance. However, it opposes a European suggestion that a certain percentage of certified companies should be subject to annual compliance investigations, stating that it would create an unreasonable burden on businesses and lead to "abusive 'fishing expeditions' into the privacy practices of thousands of U.S. businesses."

For more:
- download the FPF report, "The US-EU Safe Harbor; An Analysis of the Framework's Effectiveness in Protecting Personal Privacy" (.pdf)

Related Articles:
European Commission calls for U.S. to repair broken trust over data flows
International trade tensions foreseen in differing legal regimes over government surveillance
European Parliament votes in non-binding resolution to suspend Terrorist Finance Tracking Program