The LIBE Committee Wants To “Suspend” The Safe Harbor… Along With Thousands of EU Employee Salaries

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) released a draft report yesterday calling for the European Commission to suspend the US-EU Safe Harbor.  FPF has written an in-depth report analyzing the effectiveness of the current Safe Harbor regime and cautioning the European Commission not to revoke the agreement, which has been largely successful in safeguarding user privacy while promoting international data transfers.  We’ve yet to see the Committee’s actual draft, but we are nonetheless concerned that the Commission is so willing to suspend the framework, especially when it will mean that thousands of EU employees risk experiencing delays in getting their paychecks.

The Safe Harbor is a well-established mechanism for the transfer of data between the US and EU and is designed to streamline compliance requirements for US small businesses.  One of the most common types of data transferred from the EU to the US is human resources data – this is because many EU data subjects work for US companies in Europe.  In fact, FPF has searched through the Safe Harbor List and found that over 1,695 companies listed as “current” members use the Safe Harbor to process their human resources data.  That’s over 50% of all companies currently in the program.

If the Safe Harbor framework were suspended, EU citizens whose HR data is stored or handled in the US would be heavily burdened.  US companies who hire EU citizens would need to revert to model contracts, which are strict and expensive to implement (particularly for small businesses).  Inhibiting the flow of HR data between the US and EU could mean delays for EU citizens receiving their paychecks, or a decline in global hiring by US companies.

FPF urges the LIBE committee to consider our recommendations to improve the Safe Harbor framework rather than create additional burdens and expense for companies that employ EU residents.  These recommendations, which include Chris Connolly’s suggestion of appointing a “Safe Harbor Master,” adequately address EU concerns about user privacy while allowing US and EU businesses to continue growing.

Study Suggests Broad-Based Consumer Concerns about Privacy

An October study published by McGraw Hill Financial Global Institute cautions that consumers believe they are losing control of their online privacy.  The report from authors at J.D. Power suggests that a majority of consumers feel they have lost control over how their personal information is collected and used, and that a lack of consumer trust will be a critical issue for companies to manage.

The study also provides further evidence debunking the old canard that young people do not care about their privacy.  On the contrary, if young people’s concerns about privacy are lessened, this may be due to evidence that younger consumers are taking direct actions to reduce their privacy risk.  According to the report, younger generational groups take advantage of social media settings and set their social networking to private more frequently than older consumers.  Additionally, nearly 30% of younger consumers “openly admit to providing false information on websites and apps.”

Worries about privacy and personal data management exist worldwide.  While over 80% of consumers in the U.S. say they have lost control over how personal information is collected and used, the study found that similarly high numbers of people in emerging economies like China and India are concerned about their privacy.

The entire report, entitled “Consumer Concerns about Data Privacy Rising: What Can Businesses Do?,” is available to read.

 

 

Tracking Do Not Track: New Ad Network Data Shows That 8 Percent Of Users Have DNT On

Getting Ready For Tracking Transparency Law to Kick In

Starting in 2014, California’s new law AB 370 requires all websites that collect personally identifying information to disclose in their privacy policies how they respond to browser Do Not Track signals.  FPF has launched AllAboutDNT as a resource for companies preparing to make a statement about DNT, providing a location to point consumers for more information.  The site includes instructions for activating the DNT header on a variety of devices as well as a list of companies with public commitments honoring DNT.

We are also releasing interesting data we recently received from Chitika, an online advertising network that honors browser DNT requests.  Chitika reports that its ad network delivers over four billion targeted ads each month to a network of more than 300,000 sites.  A sample of Chitika’s data shows that currently over 8 percent of users across all browsers are transmitting a DNT signal indicating a preference not to be tracked.


| Browser | Share of sample | DNT:1 signal ON |
|---|---|---|
| Chrome | 22% | 2.06% |
| Safari | 13% | 5.86% |
| Firefox | 12% | 7.35% |
| IE 6 | 6% | 0.00% |
| IE 8 | 13% | 0.27% |
| IE 9 | 5% | 8.82% |
| IE 10 | 8% | 69.14% |
| Android | 8% | 0.00% |
| other | 12% | 1.97% |
| Grand Total | 100% | 8.39% |

This data is likely consistent with what an average ad network would see daily with respect to user implementation of DNT.  However, this data does not reflect what percentage of users have actually chosen to turn DNT on or off; determining that number is more complicated because the above statistics encompass browsers and versions for which DNT is unavailable, as well as browsers that have DNT on by default.  For instance, these numbers include users of IE 10, for which “Express” installations set the DNT setting on by default.  (Although 69% of IE 10 users have the DNT setting on, IE 10 users only make up 8% of the sample size.)  It’s also interesting that almost 31% of IE 10 users do not have DNT:1 on, which suggests that a surprising number have expressly adjusted the setting to allow tracking.  Additionally, the actual Firefox adoption rate of DNT is likely higher than 7.35%, because 10% of the Firefox data set uses Firefox 3, which does not have a built-in DNT feature.

For detailed statistics broken down by browser version, please download this Excel file.

Testimony on Privacy Policies before the California State Assembly

This morning, Jules Polonetsky, FPF’s Executive Director, will be speaking before the California State Assembly Joint Committee Hearing on Digital Privacy on the question of whether privacy policies adequately protect consumer privacy.  Jules’ testimony will note that “[p]rivacy policies are not useful for many consumers, but are essential accountability mechanisms. Consumers need to be able to rely on the design and user interface of a service to quickly grasp how data is being used.”

Jules will discuss a variety of different mechanisms that organizations can implement both to protect consumers and offer them value for their data.  FPF has proposed several ideas for places to start, such as (1) more transparency of algorithms, (2) treating data use like a feature, (3) advances in de-identification, (4) serious self-regulation and (5) effective privacy professionals.  Policymakers need to encourage creative approaches to addressing privacy challenges.

Read Jules’ full testimony here.

The US-EU Safe Harbor: An Analysis of the Framework's Effectiveness in Protecting Personal Privacy

This morning, the Future of Privacy Forum (FPF) released our report on the effectiveness of the U.S.-EU Safe Harbor program.  Our analysis, which we first announced in August, responds to recent recommendations by the European Commission and suggests a number of areas where the framework can be further strengthened.

An overview of key findings and recommendations found in the report is listed below:

Findings

    1. Suspending the Safe Harbor’s protections would weaken personal privacy protections for EU citizens.  Under the Safe Harbor, the FTC has the capacity to enforce against US companies on behalf of EU citizens, simplifying complex jurisdictional issues.  The Safe Harbor program also results in stronger investigatory and monitoring powers for the FTC.
    2. Alternatives to the Safe Harbor program as a mechanism of compliance with the EU Data Directive may not be feasible for all companies.  These alternative mechanisms, including express consent, model contracts, and binding corporate rules, are either too inflexible or too difficult to implement at scale for the wide variety of companies that rely on the Safe Harbor and provide less transparency for regulators about data flows.
    3. Eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.  The global economy, and particularly the transatlantic economy, will continue to rely on international data transfers, and when US-based companies are presented with a valid legal order from the US government for information, companies will be compelled to provide access to that data regardless of their membership in the Safe Harbor.
    4. Restricting the ease of data flows between the EU and US could have an extremely harmful effect on the trans-Atlantic economy.

Recommendations

 

With these reforms, as well as continued vigilance by regulators and compliance bodies, the Safe Harbor will become even more effective in safeguarding citizens’ commercial privacy rights.  FPF hopes this report will help advance constructive dialog about the Safe Harbor framework moving forward.

The full report is available to read here.  

Future of Privacy Forum Releases Report on the Effectiveness of the US-EU Safe Harbor Privacy Framework

For immediate release, December 11, 2013

Report Responds to EU Concerns, Finds the Safe Harbor Program Has Been Effective but Calls for Improvements to Strengthen Trans-Atlantic Privacy Protections

Washington, D.C. December 11, 2013 – The Future of Privacy Forum (FPF), a think tank that seeks to advance responsible data practices, released a report today detailing the effectiveness of the Safe Harbor agreement in protecting personal privacy.  It finds that the Safe Harbor largely has been successful in maintaining strong personal privacy protections for European citizens while allowing the free flow of data between the EU and US.  The report also cautions against the precipitous termination of the Safe Harbor, which has become a cornerstone of trans-Atlantic data transfers, and instead suggests a number of areas where the framework can be strengthened.

Christopher Wolf, Founder and Co-Chair of FPF, who is speaking in Brussels at privacy events this week, said: “This report shows that the Safe Harbor still is our best bet for protecting people’s data in a global economy.  By requiring companies to make commitments that can be enforced by the US Federal Trade Commission, EU citizens gain privacy protections in ways not possible without the Safe Harbor agreement.  We should continue to look for common-sense solutions to improve the agreement without upsetting the balance that has been the driver of the Safe Harbor’s success.”

Jules Polonetsky, Executive Director and Co-Chair of FPF said: “FPF has conducted an in-depth study of the Safe Harbor framework and its alternatives and the results are clear: the Safe Harbor framework is uniquely capable of harmonizing US and EU privacy concerns while encouraging trans-Atlantic data transfers.  Case studies, compliance interviews, and enforcement actions all show that the Safe Harbor is effectively enforced and that participants take heed of Safe Harbor responsibilities.  While improvements to the Safe Harbor can and should be made, our focus needs to remain on growing the program and covering more individuals and businesses with these privacy safeguards.”

To read the full report, click here.

An overview of key findings and recommendations found in the report is listed below.

Findings

Recommendations

 

With these reforms, as well as continued vigilance by regulators and compliance bodies, the Safe Harbor will become even more effective in safeguarding citizens’ commercial privacy rights.

For any questions, or to schedule an interview with Christopher Wolf or Jules Polonetsky, email: [email protected]