Within the span of two days, both the Federal Trade Commission (FTC) and the U.S. Department of Justice announced initiatives meant to assuage the European Union’s concerns over trans-Atlantic data flows and to secure Europe’s future commitment to the U.S.-EU Safe Harbor initiative.
On June 25, 2014, the FTC approved final orders that settled charges with 14 companies that had falsely claimed their participation in the U.S.-EU Safe Harbor program. Under the terms of their settlements, each of the 14 companies is prohibited from further misrepresenting its participation in any privacy or data security scheme, including Safe Harbor.
One day before the FTC’s announcement, U.S. Attorney General Eric Holder announced in Athens that the Obama administration would ask Congress to enact legislation granting EU citizens the right to bring claims in U.S. courts under U.S. privacy laws if they believe their personal data had been misused. This measure is intended to resolve one of the major sticking points in the broader negotiations for the Data Protection Umbrella Agreement, a framework with the EU to enhance anti-terrorism efforts by providing U.S. law enforcement authorities access to the personal data of individuals living in Europe. However, EU Vice President and Commissioner for Justice, Viviane Reding, was quick to point out that the U.S.’s intent to introduce legislation is not enough to resolve this issue: “Words only matter if put into law. We are waiting for the legislative step.”
The announcements by the FTC and Attorney General Holder are seen as active attempts to rebuild the EU’s trust in trans-Atlantic data flows and to ensure the EU’s further commitment to the Safe Harbor program, both of which had been badly shaken in the wake of the Edward Snowden leaks last year. In October 2013 Commissioner Reding gave the U.S. a 13-point list of “recommendations” to improve the Safe Harbor scheme and to restore Europe’s faith that the U.S. is earnestly fulfilling its responsibilities under the initiative. The EU’s recommendations address issues of transparency, redress through alternative dispute resolution (ADR), enforcement, and the degree to which data from Europe is accessible by U.S. authorities.
Commissioner Reding has previously said that whether “Safe Harbor can be safe again” and avoid further action from the European Parliament depends on the U.S.’s attention to and implementation of the EU’s recommendations by this summer. Otherwise, she will need to discuss the future of Safe Harbor with the Parliament, which has discussed scrapping Safe Harbor altogether.
In addition to criticism from the European Parliament and several European data protection authorities, the Safe Harbor Framework faces a legal challenge on the basis of violations of fundamental privacy rights. On June 18, 2014, the Irish High Court referred to the European Court of Justice (CJEU) several questions around the legality of the Safe Harbor Framework in a case involving the Irish data protection authority, Facebook Ireland and the NSA’s PRISM program (Schrems v Data Protection Commissioner). While a decision from the CJEU will not be issued for some time, the pending legal review puts additional pressure on negotiators for the European Commission and the U.S. government to strengthen the Framework in order to preserve it as a mechanism for international data transfers.