Government Surveillance Exception Remains Big Hurdle in Safe Harbor Negotiations, Say EU Officials

Those tentative agreements have been negotiated since November, when the European Commission (EC) issued a report on trans-Atlantic data flows with a set of safe harbor recommendations to enhance transparency, curb government snooping, allow easier individual redress and create stronger enforcement (bit.ly/IorNGe) (CD Nov 29 p7). The negotiations are “not concessions we have made but rather improvements on the program that we were able to come together on,” said Ted Dean, deputy assistant secretary for services at the Department of Commerce’s International Trade Administration, which administers the safe harbor program. The first 11 recommendations cover all categories except government surveillance, which represents “probably 50 percent” of the negotiations, said Paul Nemitz, of the EC directorate-general for justice, and a main negotiator on safe harbor. “It’s the big elephant in the room.”

"The negotiations we are in are absolutely key,” said Francois Rivasseau, deputy head of delegation for the delegation of the EU to the U.S. He said 3,246 companies participate in safe harbor, but recent polling shows more than half of Europeans are hesitant to work with any U.S. cloud-based service provider, potentially sucking tens of billions of dollars from both economies. “There is a need to maintain the possibility of exchange of data without barriers,” he said. And the sooner the better, Rivasseau said, because agreement on safe harbor among the new EC -- to be set in the coming months -- will be difficult. The earlier “we can conclude negotiations,” he said, “the safer” safe harbor will be.

"The U.S. government has to make up its mind on what’s important,” Nemitz said. “The purpose of the safe harbor has been put into question by the [National Security Agency],” he said. The final, and most debated, EC recommendation reads: “It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate.” The two sides still need to explicitly define what the U.S. thinks is “necessary or proportionate,” Nemitz said. “It is not Europe which has challenged the viability and success of safe harbor."

"We're working hard on this,” said Commerce’s Dean. In addition to the ongoing negotiations, the White House issued Presidential Policy Directive 28, which was uniquely internationally focused for a domestic policy agenda, Dean said. EU officials did say at Tuesday’s event did say it was “heartening” to see the extension of U.S. protections for “personal information” to non-U.S. persons in the directive (http://1.usa.gov/1dvRGOY).

The U.S. has stepped up safe harbor enforcement because of the EC recommendations. In January, February and May, the FTC revealed settlements with companies spanning numerous industries for falsely claiming compliance with the safe harbor program. Before 2014, the FTC had brought only one safe harbor enforcement action since the agreement took effect in 2000.

Online advertising-based businesses are “well advised to hear the bells ringing” in Europe, said Nemitz. “Those that make money by advertising and stripping people of their privacy,” he said, “will not make money any more because the trust issue is in the room.” Privacy is becoming “a business differentiator,” he said. Dean cautioned that a company with an advertising business model “can subscribe to the principles that are in safe harbor,” with its compliance procedures and the FTC as “cop on the beat.” Dean allowed, “there’s a valuable conversation to have” about online advertising business models. But “we can still finish safe harbor before those conversations are concluded,” he said.