What You Should Know About the Changing U.S.-EU Safe Harbor Agreement
Client Alert | 2 min read | 05.05.14
The July 2000 Safe Harbor agreement between the United States and Europe concerning cross-border data flows is one of the key regulatory structures governing how organizations can collect, store, move, and use the massive amount of personal data generated in our interconnected world. Fourteen years after its inception, the agreement is under increasing strain from the rapid pace of technological innovation, high-profile breaches of consumer data, and the continued fallout from the Edward Snowden revelations. The EU and U.S. are in the process of updating the original agreement to reflect these new concerns. The implications for organizations' data operations and privacy policies could be significant, creating new regulatory structures and demanding new procedures and safeguards.
With this in mind, Crowell & Moring would like to provide our clients with regular updates on the negotiations, and how emerging policies might affect current practices. You are receiving this e-mail as an existing client of the firm that participates in the Safe Harbor program; as such we thought you might be interested in receiving these updates.
Why and How Is Safe Harbor Changing?
The U.S. and Europe have evolved different conceptions of privacy owing to a host of regulatory, political, legal, and consumer-expectation issues. These differences were exacerbated by the revelations of former NSA contractor Edward Snowden. Those revelations, combined with EU-U.S. trade negotiations, rapid changes in technology, and (EU) citizens' expectations, have led to a reassessment of the program.
In November 2013, the European Commission put forward 13 separate recommendations to promote "the continuity of data protection rights of Europeans when their data is transferred to the US." Among the Commission's recommendations is greater transparency: companies would be required to disclose their privacy policies not only to federal regulators but also to the public at large, and the Department of Commerce would become more active in publicly flagging companies that are not in full compliance with the agreement.
A second subset of the recommendations seeks to make redress and enforcement easier for aggrieved Europeans by allowing better access to alternative dispute resolution bodies and by proposing suspensions for noncomplying organizations, inspections of self-certifying companies, and aggressive investigation of false claims of adherence to the Safe Harbor.
Finally, the Commission wants the national security exception in the Safe Harbor to be narrowly drawn, and it wants companies to provide information as to when and how they respond to requests from law enforcement and national security agencies.
In March, the European Parliament issued a resolution to suspend the Safe Harbor agreement due to the Snowden revelations. Though nonbinding, the resolution adds political pressure on the Commission to strengthen Safe Harbor regulations. The resolution was followed by the release of additional recommendations from the Article 29 Data Protection Working Party to the Commission for inclusion in the ongoing negotiations between the EU and U.S. However, the Article 29 Working Party also recommended the suspension of the Safe Harbor program if the current negotiations do not lead to a positive outcome. It is important for our clients participating in the Safe Harbor program to be informed about potential changes to allow time to adopt measures to ensure continued EU-U.S. cross-border data processing operations. Where appropriate, we will also link this to the ongoing discussions about the new general EU data protection framework.