In the midst of trans-Atlantic controversies about data protection highlighted by the U.S. government’s email snooping and Europe’s recent “right to be forgotten” case against Google, a group of privacy experts is attempting to iron out the differences between data protection standards in the United States and the European Union.Initiated by Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, the goal of the EU-US Privacy Bridge Project is to come up with “a practical, pragmatic and technological solution” to “bridge the gap between the data privacy regimes in the United States and European Union.” Composed of 20 privacy experts from the United States and the European Union, the group first met in April and will have four more sessions before publishing recommendations next year.
The project is not trying to change any laws on either side of the Atlantic. Instead, Kohnstamm wants the group to focus on the similarities between the two data regimes and build on those to create practical solutions to help companies comply with both privacy frameworks.
While the project has “soft support” from both the European Commission and the White House, Kohnstamm said there is no commitment from either side to formally endorse any of the group’s recommendations. “The European Union and the United States are completely free to ignore any of the proposals we make,” he said. “However, we can help politicians make the right decisions, and that is what we are hoping to do with this initiative.”
Differences in the approach to data privacy rights in the United States and Europe became apparent when the EU introduced its Data Protection Directive in 1998. Under these rules, companies are barred from moving personal data of citizens of EU member states out of the EU unless the destination country has appropriate laws in place to ensure data protection. U.S. companies only achieve this threshold through the Safe Harbor agreement, which came into effect in November 2000 and has seven data principles to which signatories must adhere. These include implementing security measures, notifying individuals how personal data will be used and allowing them access to that data.
However, the EU has had reservations about the agreement for years. Last November, the European Commission—the EU’s executive body—issued a damning report saying that there was little monitoring or effective enforcement of company compliance with the scheme by its regulator, the U.S. Federal Trade Commission (FTC). In January, the EU’s Justice Commissioner Viviane Reding, said that Safe Harbor would be suspended if the United States failed to take legislative action before the summer. Germany has already suspended data transfers under Safe Harbor by not renewing permissions for transfer to non-EU countries.
“There is a general sense that the provisions of the Safe Harbor agreement are not stringent enough to prevent security breaches and access to data originating in the EU,” said Helena Wootton, a partner and specialist in data protection at U.K. law firm Browne Jacobson.
Lawyers also warn that there are several differences between the United States and the European Union that may pose serious challenges for the Privacy Bridge plan. First, U.S. laws on data protection only apply to U.S. citizens, while EU data protection laws apply to any citizen in the world whose data is processed within the EU. Claims brought by EU citizens against U.S. companies are also generally heard in the United States, which means that “it is less likely that claims will be dealt with in accordance with EU interpretations and may perhaps be less stringently enforced,” Wootton said.
Further, Safe Harbor is a voluntary, opt-in program. Signatories are not audited and less than 5,000 companies have notified the U.S. Department of Commerce that they are in compliance. Safe Harbor also does not apply to financial services firms or telecom companies, which have their own regulations that cover data issues.
Jonathan Kirsop, partner in the commercial, outsourcing and technology group at law firm Stephenson Harwood, said that the project “will also need to assuage EU concerns about the wide and extensive remit of U.S. authorities to acquire data under the Patriot Act.” As a result, he said, “given the post-Snowden political atmosphere within the institutions of the EU—particularly the Parliament—and U.S. misgivings following the recent Google decision, this may be a difficult bridge to build.”
But there are signs that regulators on both sides of the Atlantic are improving their vigilance. In January 2014, in what was the biggest fine to date for a data breach within the EU, the Portuguese Data Protection Authority fined a mobile telecommunications operator €4.5 million for mishandling customer data.
Meanwhile, in the United States this June, the FTC settled its action against 14 companies—including American Apparel and the U.S. arm of law firm Baker Tilly—for falsely claiming to participate in the Safe Harbor agreement. The 14 settlement orders bar the respondent companies from “misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization.”
The FTC’s recent enforcement actions may help assuage EU fears, particularly as the EU’s current data rules will be replaced by a new single data protection regulation (presently, each of the EU’s 28 members has implemented the rules in accordance with their own national framework) and will be revised to take into account new advances in technology.
The rules will be in effect by mid-2017 at the earliest and will not only cover EU companies, but any company processing data concerning EU citizens. For example, while it has no physical presence in the EU, Facebook would be covered because it holds data on EU citizens.
The draft legislation requires companies to get consent from consumers before capturing data, delete personal data when asked and build data protection safeguards into products and services. Organizations will also need to notify relevant authorities of any data breach within 72 hours. Penalties are extremely harsh, fining organizations up to €100 million, or 5% of their global turnover, whichever is higher, for serious breaches.
Data experts are divided, however, as to the extent of the perceived weaknesses surrounding the Safe Harbor program, and what benefits the Privacy Bridge Project will produce.
Robert Bond, partner and head of the data protection and information practice at U.K. law firm Speechly Bircham, does not believe that the existing mix of Safe Harbor and “model clauses” (standard contractual clauses approved by the European Commission to enable safe data transfer) needs to be replaced. “The system has been in place for nearly 14 years and has not caused any significant difficulties for companies or consumers,” he said.
Bond also does not think that the new plan is the best way to move forward. “The Privacy Bridge project is focused on data being transferred safely and securely between the European Union and the United States, but this is missing the point because, in reality, data moves all around the world,” he said. “Rather than just focusing on the European Union and the United States, there should be a greater focus on developing a set of global principles for data transfer, perhaps starting with inter-regional conventions regarding data principles and data sharing.”
Richard Kemp, principal at specialist IT and data protection law firm Kemp IT Law, said that the timing of the Privacy Bridge project is problematic. “The new EU regulation will be coming into force shortly after the group issues its report, so any recommendations are likely to be too late to implement or follow,” he said. “I’m also not sure how much political will there will be for the EU to push recommendations that may rub against its own regulation.”