Update on Safe Harbor: Commissioner Jourova’s remarks on the state of the framework talks

The closely watched Safe Harbor talks to craft new privacy rules for transatlantic data flows between the US and the EU have resulted in some preliminary signals today, although a final outcome is still pending. Commissioner Jourova, speaking before the Committee on Civil Liberties, Justice, and Home Affairs, said that the talks had not yet produced an agreement. The Commissioner admitted the talks had been difficult, but also said they were worth the effort. Questions still abound as to whether or not a deal can be finalized.

Beyond the core issue of how national security surveillance would be handled, other key points of interest emerged from Commissioner Jourova’s speech. One was that a new Safe Harbor agreement would not be static, rather, the agreement would be subject to ongoing monitoring, including by the European Data Protection Authorities (DPAs). WPF published a Safe Harbor Report in 2010 that was highly critical of the lack of follow up and monitoring of the first iteration of the Safe Harbor agreement, with an update in 2011. If a new SH agreement is reached, this would be a much-needed improvement.

Another key point in Commissioner Jourova’s talk was how Safe Harbor complaints against companies would be handled in the case of alleged privacy violations. From Jourova’s comments:

“We are working on an arrangement that ensures that any individual complaint is resolved, one way or the other: 

  •  Ideally, and as shown by experience, the complaint will be resolved by the company itself.
  •  If not, the citizen can use alternative dispute resolution, which would now be free of charge.
  •  The citizen can also go to the Data Protection Authority, who can channel complaints to the U.S. Department of Commerce of Federal Trade Commission.
  •  However, there may be unresolved complaints on issues that may not be taken up by the Federal Trade Commission. (The FTC looks at strategic issues, rather than individual complaint-handling).
  •  Therefore, we are working on a “last resort” mechanism to ensure that all complaints are resolved through a binding an enforceable decision.
  •  This is essential for a new arrangement, given that the right to legal remedy is enshrined in our Charter of Fundamental Rights.

Let me also stress that European Data Protection Authorities must have an active role in the new arrangement. They are the guardian of individuals’ right to protection of personal data under the Charter. The DPAs must have the possibility to refer complaints – whether it is on commercial aspects or on national security – and to uphold the rights of Europeans when their data is transferred to the EU.” 

The issues regarding setting up a mechanism that apparently goes beyond FTC handling is intriguing, and hints at tremendous underlying complexity. This “last resort” mechanism is of particular interest to WPF, as the first iteration of Safe Harbor was notably weak in this area. If a deal is reached, this “last resort” mechanism could set a potentially important precedent in business best practices in handling consumer privacy complaints. If a deal is struck, we suspect that this mechanism will end up becoming quite important.

Of course, the most important underlying news here is that a deal was not struck. There is disagreement aplenty as to whether or not a deal will be forthcoming, with views abounding on the possibilities. The only thing left to companies — and consumers — is to wait this process out.

–Pam Dixon

Related Documents:

Read the full text of Commissioner Jourova’s Feb. 1, 2016 comments (Link, one page)

Read WPF’s 2010 report on the EU-US Safe Harbor Framework (PDF, 22 pages,)

Read WPF’s 2011 Self-Regulation report (PDF, 29 pages, )