FTC Commissioner Julie Brill delivered remarks at the IAPP Data Protection Congress in Brussels today along with one the EU’s Commissioners, Constantijn van Orange-Nassau. Commissioner Brill acknowledged some of the criticism being leveled at the U.S.-EU Safe Harbor Data Protection process in light of revelations from the Edward Snowden-NSA so-called spying scandal. Snowden’s disclosures included copies of PowerPoint presentation slides identifying the NSA’s PRISM program, which program reportedly allowed the NSA to gain access to the private communications of users of nine popular Internet services (including Google, Yahoo!, Facebook, Microsoft and others). The Safe Harbor framework is supposed to allow for the transfer of such personal data in compliance with the EU Data Protection Directive. The FTC is responsible for compliance enforcement, once an entity self-reports to the U.S. Department of Commerce.
As a result of the revelations, certain EU principals began to question the efficacy of the terms of transferring data between U.S. and EU entities, via the Safe Harbor program. See remarks from Vice President Reding as of July 2013:
–“PRISM has been a wake-up call. The data protection reform is Europe’s answer.”
–“The Safe Harbour agreement may not be so safe after all.”
Now, Commissioner Brill acknowledges the issue and responds, in part:
–“[Safe Harbor is a] very effective tool for protecting the privacy of EU consumers … the FTC has vigorously enforced the Safe Harbor.”
–“We’ve taken the initiative to look for Safe Harbor violations in every single privacy and data security investigation we conduct. That’s how we discovered the Safe Harbor violations of Facebook, Google and Myspace.”
–“[Safe Harbor has]received its share of criticism in large part due to revelations about government surveillance. There’s no doubt that has created tensions in the transatlantic partnership.”
Commissioner Brill likewise took to Twitter to drive home the point: “Safe Harbor is strong – can help make it strong; increase transparency; make ADR more affordable; strengthen accountability #dpcongress”
See article at:
Her EU colleague took the opportunity to outline what should be the focus for these cross-Atlantic partnerships: 1) a standard commitment to Privacy by Design; 2) any Big Data applications that might put fundamental rights at risk should have a privacy impact assessment required; 3) consent is a cornerstone of data protection; and, 4) there needs to be a commitment to de-identification.