And now we come to the real sticking point. It actually isn’t specific to the Safe Harbor Framework. Access to data by law enforcement and intelligence assets is outside the Safe Harbor Framework. This is also the case in the EU. The proposed General Data Protection Regulation does NOT include law enforcement and intelligence activities. In some ways, this section of the “13 Recommendations” is the least connected to the Framework, as it really focuses on a country’s rights to manage its own national security and law enforcement activities. Unfortunately, this is where implementation will be most difficult – mostly because it is not directly part of the Framework, but a policy stance on national security, which has never been a part of the basis for the need Safe Harbor fulfills.
12. Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the safe harbor. In particular, companies should be encouraged to indicate in their privacy policies when they apply exceptions to the principles to meet national security, public interest, or law enforcement requirements.
Similar to earlier requirements around privacy policy disclosures, this recommendation has already been implemented by at least one Trustmark within its privacy certification programs. Consequently, this would not be a difficult recommendation to implement.
13. It is important that the national security exception foreseen by the safe harbor decision is used only to an extent that is strictly necessary or proportionate.
As has often been commented on, the metes and bounds of national security or other intelligence actions are really not subject to the safe harbor agreement. It is this recommendation which will likely be the most difficult to fully implement. On one hand, this is a good thing as the recommendation is not intrinsic to the safe harbor in and of itself. On the other hand, due to the political and security motivations of the nation state, this will be the most challenging recommendation to implement in a meaningful way.
All in all, most of the recommendations provided by the memo which are directly related to the administration of the safe harbor framework should not be difficult to implement. While not all safe harbor participants use Trustmarks as an independent verification mechanism, the fact that such a mechanism exists, and its availability to businesses across all sizes and complexities of business, should demonstrate that those recommendations which are not already in place can easily be put in place. The more challenging recommendations to implement will be those which require changes in government resource allocation, or national security policy. Unfortunately, neither of those issues is within the ambit of the safe harbor framework itself. These are much larger issues, and can only be addressed outside of the scope of a safe harbor negotiation.