EU data chiefs failed to report US privacy complaints
The US top privacy enforcer Jessica Rich on Wednesday (21 October) said EU national data protection authorities did little to help crack down on violations under Safe Harbour.
Rich is the bureau director at the US Federal Trade Commission (FTC).
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
The FTC oversaw Safe Harbour, an invalidated 15-year old scheme that was supposed to make sure US firms applied European privacy standards when dealing with the personal data of EU citizens.
Rich said European national data authorities were supposed to alert the FTC of any possible violations under the scheme but they seldom did.
“During the entire time we were enforcing the Safe Harbour, we had gotten only four referrals”, she told reporters in Brussels.
Rich said she had met and asked her European counterparts at various conferences to send the FTC complaints but her advice was not followed.
“The referral process was not working and at a certain point, we decided to start looking for Safe Harbour violations ourselves”, she said.
One independent study found hundreds of US firms had made false claims they belonged to self-certification scheme.
Rich said the FTC acted on some of them after being informed.
The FTC had filed 40 cases over the 15 years. All were settled out of court.
“We alleged a couple of years ago that Google violated its order and in fact it then paid a $22.5 million penalty”, she said.
Max Schrems
The European Court of Justice in Luxembourg earlier this month scrapped the pact following a lengthy legal battle between Facebook and Austrian privacy campaigner Max Schrems.
Schrems had initially filed a complaint with Ireland’s data protection commissioner but was told his case was “frivolous”. He then took it to Ireland's high court, which referred the case to Luxembourg.
Schrems had said Facebook, which has its international headquarters based in Dublin, could not guarantee the privacy of his data stored in the United States because of US-led mass surveillance.
The 29-year old PhD student told this website that it is an issue of European data protection authorities “not doing their jobs in all countries properly”.
“I just know that the Irish have a memorandum of understanding with the FTC so apparently they know each other and even there they were not able to refer my complaint”, he said.
Safe Harbour 2.0
Several thousand US firms, including giants like Apple, Facebook, Google, had signed up to Safe Harbour.
With the agreement now scrapped, many are faced with a legal dilemma on how transfer and process data from the EU.
Those who relied only on Safe Harbour will now have to use alternative transfer methods like model contractual clauses. Model contracts, which contain data protection provisions, have to be either approved by an EU data protection authority or the European Commission.
Meanwhile, the European commission and its US counterparts have spent the past two years negotiating a new Safe Harbour agreement.
The Brussels-executive had issued 13 recommendations for the US but the Americans refuse to budge on national security issues.
The FTC is negotiating the points related to commerce but Rich refrained from discussing the national security aspects of the talks.
Schrems, for his part, said he doubts a new Safe Harbour will change anything.
“If we find an agreement, it is very likely that the Safe Harbour will be challenged in the court again,” he said.
He is now looking at other companies alleged to have collaborated with the US National Security Agency in the lead up to the mass surveillance revelations in 2013 “just to see if we get cases rolling there”.
“This is not a bashing the US case, this is a mass surveillance issue", he said.