US tech giants should look beyond 'Safe Harbour' certification to win EU businesses' trust on privacy, says expert

Out-Law News | 28 Nov 2013 | 5:32 pm | 4 min. read

US technology companies that provide data processing and storage services should look beyond adherence to the EU-US 'Safe Habour' framework if they want to improve businesses' trust on data privacy issues, an expert has said.

Data protection law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that the quality of suppliers' information governance will become an important differentiator for attracting contracts with EU businesses. Such a strategy cannot overcome the tension between US and EU laws but building that trust remains essential for US service providers seeking EU business, he said.

Dautlich also said that EU businesses can mitigate some of the risks around data privacy by "engaging in the boring, but necessary process of categorising the data they hold" so as only to share some categories of data with suppliers.

"This categorisation can be done at systems level," Dautlich said. "That way, for example, businesses that do not use their email systems for, say, conducting business that is regulated can feel confident in outsourcing their email service provision to a cloud provider, whilst those that do regulated work via email may want to reconsider using a cloud supplier. This obviously brings disadvantages for some, due to the advantages cloud services can present businesses in relation to cost and convenience of their IT infrastructure."

Dautlich was commenting after the European Commission published a report which cited "deficiencies in transparency and enforcement" in how the EU-US Safe Harbour framework works (21-page / 445KB PDF). The Safe Harbour agreement enables US companies to self-certify their compliance with EU data protection standards, allowing them to transfer personal data from the EU to the US. The report follows a review the Commission undertook into the framework following news leaked earlier this summer about the alleged surveillance activities of the US' National Security Agency (NSA).

In its report the Commission outlined a number of recommendations that the Commission wants US companies benefiting from the Safe Harbour deal to adopt to address the "serious questions" that have been raised by the US' surveillance of data held by US companies, including Google and Microsoft.

Dautlich said that there remains an inherent tension for companies based in the US or with US owners seeking to comply with EU data protection standards and at the same time with US laws that require them to provide access to data they store. The US Patriot Act in particular gives US law enforcement agencies the right, subject to certain conditions, to obtain information on individuals from US "electronic communication service providers" without those individuals' knowledge or consent.

In light of the revelations about 'Prism' and subsequent leaks about surveillance activities undertaken by the US' National Security Agency (NSA), Dautlich said that US technology companies face a challenge in rebuilding trust in the way they handle data. He said those businesses, which often provide cloud services to EU businesses, will not be able to completely reconcile concerns about how laws such as the Patriot Act affect data privacy but advised them to consider alternative legal mechanisms to the Safe Harbour framework to demonstrate their commitment to data protection.

"The revelations about the NSA and Prism crystallised years of concern held by EU companies about the privacy of their data held by US suppliers," Dautlich said. "Any vendor that can demonstrate high quality information governance has a great opportunity in light of this. This can be achieved through the combined use of legal mechanisms such as 'BCRs' but can also be shaped by the information they present to the market in terms of building public confidence and trustin their service."

BCRs, or binding corporate rules, are legally-binding commitments companies draw up over the transfer and processing of personal data outside of the European Economic Area with their company or group of companies. They are subject to approval and scrutiny by data protection authorities and confer that adequate data protection is in place. Data processors are now able to put BCRs in place to facilitate data transfers from the EU after EU privacy watchdogs backed a new framework for that purpose earlier this year.

The benefit of BCRs for processors is the additional trust EU data controllers can have that EU regulators are comfortable with those processors' privacy policies and practices, Dautlich said.

EU data protection laws prevent companies from sending personal data outside of the EEA unless "adequate protections" have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection.

The US has not been designated as providing adequate data protection. However, the European Commission and US Department of Commerce's Safe Harbour agreement sets seven principles of data protection broadly equivalent to standards set under the EU Data Protection Directive and allows US companies that adhere to those principles and self-certifies compliance to them to transfer personal data from the EU to US.

The European Commission made 13 recommendations on how to address concerns about the Safe Harbour framework, which 3,246 companies are currently signed up to.

Among its recommendations, the Commission said the US businesses subject to the agreement should "publish privacy conditions of any contracts they conclude with subcontractors" and facilitate "readily available and affordable" access to alternative dispute resolution for EU citizens so that they can raise and settle complaints they have on privacy issues. The Commission also said that there should a procedure for testing some Safe Harbour scheme members' privacy policies to ensure "effective compliance".

In addition, the Commission recommended measures designed to address issues around US intelligence gathering.

"Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour," the Commission recommended. "In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements. It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate."