The NSA data surveillance revelations brought to light by Eric Snowden will likely bring about change to the EU-U.S. Safe Harbor Framework. The Framework, which allows U.S. companies to transfer personal data from the European Union provided that they self-certify as having met seven privacy principles required by the EU, has long had its opposition. Critics note that the framework excludes several industries that fall outside the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT), such as certain financial institutions and non-profit organizations, among others. Oversight of the Safe Harbor framework, for which the FTC and DOT share joint responsibility, has also been a point of concern, as some critics have felt that the organizations’ lax enforcement of the program allowed companies to let their self-certifications lapse without notifying their customers. The revelation of the NSA spying program did nothing to build these critics’ confidence in the level of data protection offered by the Safe Harbor Framework.
On October 7, 2013, the European Parliament’s Civil Liberties, Justice, and Home Affairs (LIBE) Committee held its sixth hearing to address the effect of the Safe Harbor program in light of the NSA surveillance revelations. While a couple of the speakers noted that the FTC had taken steps to improve its enforcement of the Framework, many speakers felt that these improvements did not go far enough and called for a suspension of the Safe Harbor program. This outcry could put pressure on the U.S. to increase compliance obligations of its more than 3,200 Safe Harbor participants. Additionally, the speakers called for a provision to be included in the Safe Harbor guidelines that would give EU data authorities the right to grant or deny the transfer of data when requested by a foreign legal system or administrative authority.
Suspension of the Safe Harbor Framework would make transferring data outside of the EU more time-consuming and expensive for those companies currently enrolled in the program. However, punishing these private companies would likely have a severe negative impact on certain parts of the EU economy. So, I’d be surprised to see an outright suspension of the Safe Harbor Framework. Still, due to the gravity of these potential changes, this is definitely an area privacy professionals will be closely monitoring.