With the US due to update its Safe Harbour rules this Summer, European consumers might assume their data is well protected, even when transferred to America from within the EU. But, as David Reed discovers, things are not quite as safe as they seem.
At the time of writing, elections for the European Parliament had just been concluded. Like other right-wing gains in Europe, they have delivered a sizeable rump of UKIP MEPs into the Parliament, all of whom will be agitating not just for legal reform, but also for an eventual UK referendum on leaving the European Union altogether.
Whatever your political persuasion, there are a number of reasons to doubt that this would be a wise move. Guaranteeing fundamental human rights is one area that sits at the heart of the EU project (and it has been decisions taken by the European Court of Human Rights that have so often aggravated politicians on the right).
Before leaping in to agree with this view, remember that data protection is one of those core rights. So strongly has the EU felt that its citizens need proper protection of their privacy and personal information, that in 2000 it established the Safe Harbour principles covering data transfers between the EU and the United States, where levels of data protection were lower than those in Europe. With the growth of data and the emergence of cloud-based services, more data is being transferred beyond EU borders, making the Safe Harbour principles more important than ever.
If you still doubt the commitment of the EU to ensuring your basic rights are not violated, then consider the statement made by European Commission vice-president Viviane Reding in January: “Let me put it simply: we kicked the tyres and saw that repairs are needed. For Safe Harbour to be fully roadworthy, the US will have to service it. This summer, we will see how well those repairs were carried out. Safe Harbour has to be strengthened or it will be suspended.”
This dispute over the way Safe Harbour had been implemented on the American side even threatened to overshadow major transatlantic trade agreements that are in the process of being negotiated. Reding’s concerns had been given fuel by the Edward Snowden revelations showing how the NSA and GCHQ had worked together to access data on European citizens with little or no regulatory oversight.
Reding laid out a set of data protection principles which she argued ought to become the gold standard for the world and said national security arguments should only be used sparingly as a reason for breaching them. Her concerns about the existing arrangements were hardly trivial - in a report drawn up by the EC in November 2013, US adherence to the principles was criticised for a lack of transparency and shortcomings in enforcement.
Examples of the problems it found were failures to make privacy policies publicly available or in a consumer-friendly form. This runs counter to the principle of notice - telling data subjects why their data is needed and what will happen to it. The report also found evidence of false claims of Safe Harbour adherence, with around 10 per cent of companies that claim to be members of the scheme not appearing on the US Department of Commerce list (which has itself been criticised for laxity and used as evidence of poor commitment to data protection by the US).
Given the self-certification procedure offered to US businesses, the Commission objected to the lack of evaluation of actual practice, with many companies paying little more than lip service to the Safe Harbour standards. It called for stronger enforcement by the Federal Trade Commission (FTC).
It was also clear in the report that the Commission expected to see action in the wake of Snowden. “The large scale access by intelligence agencies to data transferred to the US by Safe Harbour certified companies raises additional serious questions regarding the continuity of data protection rights of Europeans when their data is transferred to the US,” it said. A suite of recommendations was made to draw American practice up to the benchmark that had been set in Europe.
For sceptics in the UK and the US alike, it would have been easy to assume that this was little more than posturing by the Commission which would not lead to any shift in behaviour. Remarkably, this has not been the case. Undoubtedly driven by a desire to conclude the Transatlantic Trade and Investment Partnership worth €750 billion, a joint statement was issued by the EU-US Summit in March 2014 which had the backing of president of the European Council Herman Van Rompuy, president of the European Commission Jose Manuel Barroso and US president Barack Obama.
It stated that, “we are committed to strengthening the Safe Harbour Framework in a comprehensive manner by Summer 2014, to ensure data protection and enable trade through increased transparency, effective enforcement and legal certainty when data is transferred for commercial purposes.”
Actions to back up those words had already started to be taken. In early March, the FTC signed a memorandum of understanding with the UK’s Information Commissioner’s Office promoting increased co-operation and communication to protect consumer privacy. “As consumer data increasingly crosses borders, the FTC needs to be able to work with privacy enforcers around the globe in investigating potential violations of law,” FTC Chairwoman Edith Ramirez said. “This arrangement with our UK counterpart will help us co-operate on privacy investigations more effectively.”
Information Commissioner Christopher Graham said: “The processing of personal information does not stop and start at the national border. In the digital age, national regulators must increasingly work together to protect the rights of consumers. The signing of today’s memorandum of understanding with the Federal Trade Commission is a demonstration of our commitment towards working with our international partners and can only be to the benefit of people in the United States and the United Kingdom.”
As part of this project, the FTC is also working with EU and Asia-Pacific data protection officials to map the requirements of the APEC Cross Border Privacy Rules (CBPRs) and EU Binding Corporate Rules (BCRs). The document, jointly drawn up by APEC officials and the EU’s Article 29 Data Protection Working Party, is intended as a practical reference tool for companies that seek “double certification” under these APEC and EU systems and shows the substantial overlap between the two.
BCRs are the ultimate level of protection which can be created for data that is transferred out of the EU. So copper-bottomed are they that the number of organisations which have put them in place can be counted in the dozens. That compares to over 3,000 US businesses which have self-certified to Safe Harbour standards (even allowing for false claims or weak implementation).
That is one reason why expectations are high that America will come good on its promise - it needs to if human rights are to be transferred along with the data. David Smith, deputy Information Commissioner, kept the pressure on at the Infosecurity Europe 2014 conference in May where he said: “One of the biggest problems is the element of self-attestation because, in its current form, the system provides no way of checking or verifying that companies are abiding by the rules”.
But that pressure is not all one-sided. Somewhat surprisingly, the House of Lords European Union Committee recently wrote a letter of recommendation for the UK Ministry of Justice which suggested the ICO needed to check its homework first before marking anybody else’s. “We invite the ICO to tell us what efforts it makes to ensure US companies operating in the UK claiming adherence to Safe Harbour do in fact comply with the scheme, and to consider whether this work could be strengthened,” it wrote.
The Committee recognised that there are weaknesses in the framework, especially the problem of self-certification, but brushed aside the European Parliament’s suggestion that negotiation of the TTIP should be suspended until the US puts its house in order. In fact, the letter underlines the importance of the existing mechanism. “We recognise that, despite some weaknesses, the Safe Harbour arrangements offer clear benefits to citizens and businesses on both sides of the Atlantic,” the Committee wrote.
Understanding where these competing views about the future of the arrangement will lead is not easy, especially as the US has given no clear timetable for its response. To make matters even more complicated, the UK Government is having its own UKIP moment in response to the proposals for a Data Protection Regulation.
Back in July 2012, William Hague announced a “Balance of Competencies Review” looking at the tensions between UK and EU lawmakers. This has now reached the realm of data protection with an open consultation process running until July. The Ministry of Justice states: “The Call for Evidence is structured around a series of questions which consider the impact of the EU’s overarching information rights competence, its advantages and disadvantages for the UK and what future challenges and opportunities there are in respect of information rights.”
Starting with the European elections, followed by the US Safe Harbour response and then the outcome of the MoJ consultation, it could be a long, hot summer for data protection.