EU Commission Recommends 13 Improvements for US Safe Harbor Data Protection Program

The European Union (EU) Commission has reviewed the U.S. Safe Harbor data protection program on transfers of personal information to the United States and will either modify, suspend, or revoke its Safe Harbor decision by summer 2014 based on progress made on the EU Commission’s 13 recommendations for improvements. The EU ‘Commission Communication to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU’ is available at http://ec.europa.eu/justice/data-protection/files/com_2013_847_en.pdf.

According to the news report ‘EU gives US Safe Harbor another chance’ on Privacylaws.com, the U.S. Federal Trade Commission (FTC) has brought ten enforcement actions against companies based on Safe Harbor violations since 2009 and believes approximately 10% of companies claiming Safe Harbor membership are not listed by the U.S. Department of Commerce as current members. The EU Commission is concerned over the “lack of enforcement, general formulation of the principles, and the high reliance on self-certification” of the program and wants better transparency, redress, and enforcement mechanisms. The news report is available at http://www.privacylaws.com/Emails/Int_enews/.

On the basis of its report, the EU Commission has identified the following 13 recommendations:

Transparency

  • 1. Self-certified companies should publicly disclose their privacy policies. It is not sufficient for companies to provide the Department of Commerce with a description of their privacy policy. Privacy policies should be made publicly available on the companies’ websites, in clear and conspicuous language.
  • 2. Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbor website which lists all the ‘current’ members of the scheme. This will allow European data subjects to verify immediately, without additional searches whether a company is currently a member of the Safe Harbor. This would help increase the credibility of the scheme by reducing the possibilities for false claims of adherence to the Safe Harbor. The Department of Commerce has started in March 2013 to request this from companies, but the process should be intensified.
  • 3. Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services. Safe Harbor allows onward transfers from Safe Harbor self-certified companies to third parties acting as “agents”, for example to cloud service providers. According to our understanding, in such cases the Department of Commerce requires from self-certified companies to enter into a contract. However, when entering such a contract, a Safe Harbor company should also notify the Department of Commerce and be obliged to make public the privacy safeguards.
  • 4. Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme. The label “Not current” on the Department of Commerce list of Safe Harbor members should be accompanied by a clear warning that a company is currently not fulfilling Safe Harbor requirements. However, in the case of “Not current” the company is obliged to continue to apply the Safe Harbor requirements for the data that has been received under Safe Harbor.

Redress

  • 5. The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel. This will allow European data subjects to contact immediately the ADR or EU panel in case of problems. Department of Commerce has started in March 2013 to request this from companies, but the process should be intensified.
  • 6. ADR should be readily available and affordable. Some ADR bodies in the Safe Harbor scheme continue to charge fees from individuals – which can be quite costly for an individual user – for the handling of the complaint ($ 200-250). By contrast, in Europe access to the Data Protection Panel foreseen for solving complaints under the Safe Harbor, is free.
  • 7. Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints. This makes the dispute resolution an effective, trusted mechanism providing results. It should also be reiterated that publication of findings of non-compliance should be included within the range of mandatory sanctions of ADRs.

Enforcement

  • 8. Following the certification or recertification of companies under the Safe Harbor, a certain percentage of these companies should be subject to ex officio investigations of effective compliance of their privacy policies (going beyond control of compliance with formal requirements).
  • 9. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year.
  • 10. In case of doubts about a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
  • 11. False claims of Safe Harbor adherence should continue to be investigated. A company claiming on its website that it complies with the Safe Harbor requirements, but is not listed by the Department of Commerce as a ‘current’ member of the scheme, is misleading consumers and abusing their trust. False claims weaken the credibility of the system as a whole and therefore should be immediately removed from the companies’ websites.

Access by US Authorities

  • 12. Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.
  • 13. It is important that the national security exception foreseen by the Safe Harbor Decision is used only to an extent that is strictly necessary or proportionate.

Employment Screening Resources® (ESR) – a U.S. background check firm accredited by the National Association of Professional Background Screeners (NAPBS®) – complies with the U.S.-European Union (EU) Safe Harbor Framework and the U.S.-Switzerland Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Employment Screening Resources® (ESR) has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, please visit http://www.export.gov/safeharbor/. For more information about Employment Screening Resources® (ESR), visit http://www.esrcheck.com, call toll free 888.999.4474, or email sales@esrcheck.com.

About Employment Screening Resources® (ESR):

Founded by safe hiring expert Attorney Les Rosen in the San Francisco, CA-area in 1997, Employment Screening Resources® (ESR) – ‘The Background Check Authority®’ – provides accurate and actionable information that empowers employers to make informed hiring decisions for the benefit of their organizations, employees, and the public. CEO Rosen literally wrote the book on background checks with “The Safe Hiring Manual” and ESR is accredited by The National Association of Professional Background Screeners (NAPBS), a distinction held by a small percent of screening firms. Employers choosing ESR know they have selected an agency meeting the highest industry standards. To learn more about ESR, visit http://www.esrcheck.com, call toll free 888.999.4474, or email sales@esrcheck.com.