Ohlhausen Asks for EU Help on Safe Harbor
The FTC is a “vigilant” enforcer of the U.S.-EU data privacy safe harbor agreement, “however, we cannot do it alone,” said Commissioner Maureen Ohlhausen at the Cloud Computing Conference Wednesday (http://1.usa.gov/1lnW7QP). Under the safe harbor -- a data privacy compliance program allowing companies to transfer consumer data across jurisdictions -- EU member states can refer companies for noncompliance to the FTC. But during the agreement’s 14 years, “we have received only a few safe harbor referrals from member states,” Ohlhausen said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
FTC officials are meeting with European Commission representatives this week “to further discuss these issues,” Ohlhausen said. U.S. and EU officials have been working through negotiations of the safe harbor framework since the European Commission (EC) released a set of 13 recommendations it had for improving it. Tuesday, delegates from the EC and U.S. Department of Commerce said the groups had come to tentative agreements on 11 of the 13 recommendations, with the national security exceptions remaining the big sticking point (CD June 11 p14). The FTC has also “reviewed” the EC’s recommendations, Ohlhausen said, and will discuss “appropriate improvements” during its meetings with EC officials this week.
"It’s a smart move to involve the EU to the greatest extent possible,” Clark Hill intellectual property lawyer Jennifer Woods told us. But Woods was “skeptical” that FTC pressure would necessarily increase referrals. It would likely come down to EU member states’ individual data authorities to make the referrals, she said. “It doesn’t seem to be a real priority for them,” she said, citing the preeminence of national security surveillance concerns. The FTC has brought safe harbor enforcement actions against 24 companies since the framework’s 2000 inception; 14 actions were in 2014.
"We believe that authorities in EU member states have a critical role to play in monitoring and reporting possible safe harbor violations,” Ohlhausen said. The rapid growth of cloud computing only heightens the necessity of a closer U.S.-EU relationship, Ohlhausen said, citing Cisco estimates that global cloud Internet traffic will increase 4.5-fold between 2012 and 2017. “Given the international scope of cloud computing, cross-border cooperation on Safe Harbor and other privacy cases is essential to combat global challenges."
Dorsey & Whitney privacy lawyer Melissa Krasnow wondered if the speech was also a signal to U.S. cloud computing companies. Ohlhausen said “all major U.S. cloud service providers” participated in the safe harbor program. “Will there be an EU Safe Harbor enforcement action involving a U.S. cloud service provider?” Krasnow asked via email.
Woods was struck by Ohlhausen’s global tenor and tech focus. “Ohlhausen has been increasingly involved in a lot of the real cutting-edge, tech-based issues,” Woods said, noting Ohlhausen’s vocal role in the ongoing net neutrality debate. “I wonder if this is maybe her making her foray into this arena as well."
Safe harbor is becoming an increasingly pressing issue for the FTC, Woods and Krasnow agreed. Krasnow pointed to European Justice Commissioner Viviane Reding’s comment that the U.S. must address each of the EC’s “13 point to-do list” by this summer (http://bit.ly/1l9FS5q). In her speech Wednesday, Ohlhausen seemed to be reaching out to the EC to say, “Help us if there’s someone who’s really messing this up,” Woods said. The FTC’s 2014 enforcement actions have all involved “technical” violations -- letting a safe harbor certification lapse -- rather than “substantive” violations -- disobeying EU data privacy laws. If there are substantive violations out there, “the EU could be in a better place to know this,” Woods said. “We stand ready to act on referrals as they come in,” Ohlhausen said.