Revised Safe Harbor Pact May not Stave Off European Probes, Rotenberg Predicts
Even if the U.S. and EU update their safe harbor agreement by Jan. 31 when European data protection authorities have said (see 1510160030) they'll begin enforcement action, there's no guarantee countries on the continent won't start investigations, said Electronic Privacy Information Center President Marc Rotenberg. He spoke to reporters after Tuesday's joint hearing of House Commerce subcommittees on Commerce and Communications. The hearing, as expected (see 1511020052), focused on the uncertainty that U.S. businesses face after the European Court of Justice (ECJ) in early October nullified the 15-year agreement designed to safeguard data transmitted across the Atlantic.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
"I don’t think people fully understand where things are right now," Rotenberg told reporters. "There's even more chaos than folks recognize." At the hearing, witnesses and subcommittee members noted that the Department of Commerce and European Commission have agreed in principle to a revised safe harbor agreement. More than 4,400 U.S. companies use safe harbor, and the transatlantic trade is valued at nearly $1 trillion a year. While the Article 29 Working Party, the advisory group of data protection authorities, asked the authorities to give the negotiations a few months to find a resolution, Rotenberg said it has "no ability to prevent a privacy official in Germany or Italy or Spain or elsewhere from bringing an investigation. And there's an indication already among several German data protection authorities that they plan to bring an enforcement action."
Even if safe harbor 2.0 is adopted, Rotenberg said it can "easily be challenged by any of the data protection officials in Europe," calling it a temporary solution subject to review by all European member states. "That's not a good position for business to be in," he added. "I'm sure they want more certainty than that."
BSA | The Software Alliance CEO Victoria Espinel said a revised agreement would be a short-term step and a more sustainable global framework is needed. She said a person's level of data protection should be the same around the world and it should also remove any legal uncertainty for them. Both she and John Murphy, U.S. Chamber of Commerce senior vice president-international policy, said small businesses can't afford to meet a patchwork of regulations, and alternative solutions such as binding corporate rules are too expensive. Murphy said it costs about $1 million and 18 months to develop such rules, which is beyond the reach of many small businesses.
Chairman Greg Walden, R-Ore., asked whether other countries are questioning their own safe harbor agreements. Rotenberg said Canada, Japan and South Korea are also looking at their agreements, but it’s not just a matter of trade policy. Espinel said some countries have put trade barriers in place to restrict movement of data and that's why there's a larger issue of setting up a global framework for safe data protection.
Rep. Jan Schakowsky, D-Ill., asked Rotenberg what stronger privacy protections should be included in the revised safe harbor agreement. He said it’s a difficult question, even though the EC presented 13 specific recommendations, which span transparency, redress and enforcement. But he said neither the Commerce Department nor the FTC has the legal authority to restrict mass surveillance and that's a deal breaker for the Europeans.
Murphy said the ECJ ruling didn't account for the Freedom Act passage and Redress Act introduction. He said the ruling itself was more process related and didn't provide a road map. Several lawmakers, mainly Republicans, said several European nations such as the U.K. and France also have questionable surveillance and privacy practices. The House passed the Redress Act last month (see 1510210014), drawing cheers from U.S. industry.
But the USA Freedom and Judicial Redress acts don't go far enough to satisfy European concerns, said Rotenberg. The Freedom Act changes the way intelligence agencies do surveillance and collect data, and applies only in the U.S., he said, while the Redress Act allows European citizens and others to ask that U.S. agencies correct inaccuracies in their data and verify it hasn't been improperly disclosed, among other actions. Rotenberg said Congress should pass the Obama administration-backed Consumer Privacy Bill of Rights, revise the Privacy Act, establish an independent data protection agency and ratify the International Privacy Convention, which would help relieve European concerns.
During the hearing, Rep. Mike Pompeo, R-Kan., asked Murphy about Rotenberg's assertion that trans-Atlantic data transfers were never safe. Murphy replied he didn't think that was the case, prompting Pompeo to respond that that "kind of hyperbole" from privacy advocates like Rotenberg led European officials to have "no backbone." He then asked Rotenberg whether U.S. and non-U.S. persons should be treated the same with respect to Section 702 of the Foreign Intelligence Surveillance Act, which authorizes surveillance of communications transmitted through the U.S. that includes at least one non-American. Rotenberg said there should be no distinction between U.S. and non-U.S. persons. Pompeo said there's always a "wrinkle" for nations when providing security for their people.