Following the recent discoveries of U.S. intelligence surveillance in the European Union, the European Commission has committed to rebuild confidence in how data is protected when exchanged between the U.S. and the EU. One point of focus is the Safe Harbor certification, which most companies have in place when they recruit and exchange information on employees and prospective hires across the pond.
Whether you recruit internally in the European Union, use job boards or engage staffing firms, vendor management systems or managed service providers, a Safe Harbor agreement most likely has been put in place to allow the exchange of sensitive employee information legally. Recent events have resulted in the EU reviewing current Safe Harbor policies.
“Today, we put forward a clear agenda for how the U.S. can work with the EU to rebuild trust, and reassure EU citizens that their data will be protected,” said Cecilia Malmström, European Commissioner for Home Affairs. “Everyone from Internet users to authorities on both sides of the Atlantic stand to gain from cooperation, based on strong legal safeguards and trust that these safeguards will be respected."
To rebuild trust and preserve the Safe Harbor, the Commission has identified the following 13 recommendations:
2. Privacy policies of self-certified companies’ websites should always include a link to the U.S. Department of Commerce Safe Harbor website, which lists all the current members of the scheme. This will enable European data subjects to verify immediately, without additional searches, whether a company is currently a member of the Safe Harbor. This would help increase the credibility of the scheme by reducing the possibilities for false claims of adherence to the Safe Harbor. The Department of Commerce started to request this from companies in March 2013, but the process should be intensified.
3. Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services. Safe Harbor allows onward transfers from Safe Harbor self-certified companies to third parties acting as “agents,” e.g., cloud service providers. In such cases, the Department of Commerce requires self-certified companies to enter into a contract. However, when entering such a contract, a Safe Harbor company should also notify the Department of Commerce and be obliged to make public the privacy safeguards.
4. Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme. The label “Not current” on the Department of Commerce list of Safe Harbor members should be accompanied by a clear warning that a company is currently not fulfilling Safe Harbor requirements. However, in the case of "Not current" the company is obliged to continue to apply the Safe Harbor requirements for the data that has been received under Safe Harbor.
5. The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel. This will allow European data subjects to contact immediately the ADR or EU panel in case of problems. Department of Commerce has started in March 2013 to request this from companies, but the process should be intensified.
6. ADR should be readily available and affordable. Some ADR bodies in the Safe Harbor scheme continue to charge fees from individuals — which can be quite costly for an individual user — for the handling of the complaint ($ 200 to $250). By contrast, in Europe access to the Data Protection Panel foreseen for solving complaints under the Safe Harbor, is free.
7. Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints. This makes the dispute resolution an effective, trusted mechanism providing results. It should also be reiterated that publication of findings of non-compliance should be included within the range of mandatory sanctions of ADRs.
8. Following the certification or recertification of companies under the Safe Harbor, a certain percentage of these companies should be subject to ex officio investigations of effective compliance of their privacy policies (going beyond control of compliance with formal requirements).
9. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to a follow-up investigation after one year.
10. In case of doubts about a company's compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
11. False claims of Safe Harbor adherence should continue to be investigated. A company claiming on its website that it complies with the Safe Harbor requirements, but is not listed by the Department of Commerce as a current member of the scheme, is misleading consumers and abusing their trust. False claims weaken the credibility of the system as a whole and therefore should be immediately removed from the companies’ websites.
Access by U.S. authorities
12. Privacy policies of self-certified companies should include information on the extent to which U.S. law allows public authorities to collect and process data transferred under the Safe Harbor. In particular, companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.
13. It is important that the national security exception foreseen by the Safe Harbor Decision is used only to an extent that is strictly necessary or proportionate.
The commission will follow up in the summer of 2014 to determine if progress has been made by U.S. companies. If not, there is a strong possibility Safe Harbor will not be approved and U.S. companies will have to look for other ways to exchange data safely and privately with the EU. If Safe Harbor does not continue, U.S. companies would need to look at other data transfer solutions, such as Binding Corporate Rules, legally binding commitments companies draw up regarding the transfer and processing of personal data outside the European Economic Area, according to Osborne Clarke, a law firm specializing in EU and U.S. employment. An overview by Osborne Clark of the potential withdrawal of the Safe Harbor scheme can be read here.