Recently, there’s been a debate in some circles in Europe about whether the agreements that cover data flows between the US and Europe - and in particular the US-EU Safe Harbor Agreement - provide adequate privacy protections.
One of the triggers of the debate is that it is possible for the US government (and European governments) to access certain types of data via their law enforcement agencies. We agree that this kind of access to data merits serious discussion and more transparency - which is why we’ve been publishing details of law enforcement requests made to us for one and a half years now. But the reality is that the challenges around law enforcement require new, transatlantic answers, and so we applaud the efforts currently being made by the EU and the US.
At the same time, it’s important to remember that the US-EU Safe Harbor Agreement - which guides Google’s daily business operations, as well as those of more than 2,500 other US companies that also offer services in Europe - is a robust and highly successful privacy framework that has benefited consumers and our economies over many years. We've designed our privacy policies around it. We've also been subject to a Safe Harbor enforcement action and agreed to a consent decree with the FTC relating to the launch of Buzz which will guide our privacy practices for 20 years.
Here's how we describe Safe Harbor in our privacy policies:
"Google adheres to the US Safe Harbor Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the U.S. Department of Commerce’s Safe Harbor Program."
"Google regularly reviews its compliance with this Privacy Policy. When we receive formal written complaints, it is Google’s policy to contact the complaining user regarding his or her concerns. We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that cannot be resolved between Google and an individual."
Technically, the Safe Harbor framework is designed to ensure that companies can transfer personal data from the European Union to the US, while ensuring that the data remains protected according to seven core EU-like privacy principles. In practice, for us, Safe Harbor means our users in both Europe and the US can be sure they’re getting not just the same level of service, but also the same level of privacy protection.
As a reminder, the world’s major privacy frameworks have all had dual goals: protecting privacy and facilitating cross-border flows of data - and the economic, social and cultural benefits they enable. Both goals are at the heart of both the OECD Privacy Guidelines and the EU Data Protection Directive. And the same applies to the US-EU Safe Harbor Agreement.
Before Safe Harbor, there were very limited mechanisms for the transfer of personal data from the EU to the US. On the Internet, such transfers - in both directions - are ubiquitous and instantaneous. Before Safe Harbor, people could wonder whether there was an adequate legal basis for all those transfers.
Today, as a long-term privacy practitioner, I cannot think of a single international privacy framework that has done more to raise the standards of privacy practices by US companies over the last decade than Safe Harbor. It's hard to drive compliance in the face of dozens of contradictory privacy regimes, with overlapping jurisdiction and conflicting applicable laws. It's far more practical to rely on Safe Harbor, with one comprehensible, consistent framework for protecting privacy, and to create a compliance program to back it up, as the European Commission noted in a letter sent to the United States government.
In fact, Safe Harbor has become the global framework by which many multinationals organize their global privacy compliance efforts, extending its reach far beyond the narrow explicit confines of data transfers from Europe to the US. Or as Damon Greer, the US government official currently responsible for Safe Harbor, recently put it in an eloquent rebuttal of the critiques of the program, “safe harbour has been a resounding success … facilitating the recognition by US business that privacy is a critical factor to success in the global marketplace.”
Speaking from experience, we couldn’t agree more.
Posted by Peter Fleischer, Global Privacy Counsel
In fact, the Safe Harbor framework does not provide appropriate data protection according to EU standards. Any organization can declare to adhere to it without any certification by a neutral third party. How should an EU citizen or small company be able to enforce their rights in US courts? Does the FTC take complaints of data protection violations in other languages than English - if it accepts complaints at all? What about all the non-English speaking EU citizens?
What is the value of the Safe Harbor framework if a self-declared participant such as Facebook blatantly ignores EU data protection standards on an ongoing basis?
Does this apply also to Google Apps Engine?
Meaning can ISVs hosting their apps on GAE claim their data is also Safe Harbor protected?