Whither Safe Harbor? While the United States has enacted several privacy laws to protect individuals' personal data, more enforcement is necessary.


ELECTRONIC DISCOVERY

US/EU Data Protection Conflicts

Whither Safe Harbor?

By Nicole B. Boehler and Gretchen A. Ramos

Litigants increasingly face the insecurity that stems from the actual conflict that often arises between fulfilling discovery demands in litigation in the United States and European data protection principles. The defense of multinational corporations or even national entities with an international reach, such as those with customers outside of the United States, necessarily leads to the processing of personally identifiable information, often in conflict with European data protection laws. Multinational companies and U.S. companies doing business with companies in Europe similarly struggle to comply with more stringent European data protection principles. To address this issue, multiple mechanisms have been implemented to assist the data processor in achieving the compliant cross-border transfer of data. One such mechanism is the safe harbor regime, a bilateral arrangement between the United States and the European Union (EU). Although often criticized and more than once even declared dead, the safe harbor regime currently lives on. How long this will be the case remains to be seen. Regardless, we should expect a solution soon, and even today workable alternatives to Safe Harbor often exist.

This article will briefly introduce the differing notions of data privacy and data protection in the United States and EU and the cross-border data transfers that give rise to the actual conflict. We will then provide an overview of the safe harbor regime, as well as a couple of further mechanisms for compliant cross-border data transfer. Next, we will examine the European Commission's December 2012 report, as well as recent events involving safe harbor.
Finally, we will look at the effect that the recent events and the report might have on U.S. litigants, and offer alternatives to safe harbor.

Nicole B. Boehler is a partner in the Böblingen, Germany, office of Carroll, Burdick & McDonough LLP. A member of DRI Europe, she is an American attorney who has successfully assisted clients in the defense of complex civil and criminal legal matters throughout the United States, Europe and Asia. Gretchen A. Ramos is a Certified Information Privacy Professional (CIPP/US), and litigation partner in the San Francisco office of Carroll Burdick & McDonough LLP. A member of the DRI Electronic Discovery Committee, she has nearly 20 years of experience advising companies on prelitigation strategy to position them favorably for litigation or to avoid litigation.

For The Defense, April 2014

Notions of Privacy and Cross-Border Data Transfers

Though based on common principles arising out of international accords such as the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 1980, or so-called Fair Information Practice Principles, which are codified in many U.S. laws, U.S. privacy law differs significantly from that of the European Union (EU), which leads to complications in the defense of litigation involving European companies or domestic entities doing business in or with the EU or its citizens. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Organisation for Economic Co-operation and Development, oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (last visited Feb. 27, 2014). See, e.g., Homeland Security Act of 2002: Critical Infrastructure Information Act (Critical Infrastructure Information Act of 2002 (CIIA)), Pub. L. No (Titles II and III), 116 Stat. 2135, (Nov. 25, 2002), codified at 6 U.S.C c, , , as amended. While U.S. privacy law can be seen as limiting harm to consumers and prohibiting certain government action, in the EU, privacy is upheld as a fundamental human right. The result is that EU privacy law is much more restrictive on the transfer of personal data generally and for use in U.S. litigation specifically.

U.S. Data Privacy

Most broadly, the U.S. privacy system is based on the general notion of protecting citizens from government action. Privacy protection in the United States can be seen as a negative right that obliges the government or sometimes others to refrain from taking actions that would violate certain constitutional rights. By definition, a constitutional right is only protected if it derives from the U.S. Constitution. You will find no direct mention of a right of privacy in the U.S. Constitution. U.S. Supreme Court jurisprudence also does not affirm a universal human right to privacy as such.
Instead, reference initially was made to a penumbra where privacy is protected from governmental intrusion. Griswold v. Connecticut, 381 U.S. 479, 483 (1965). Since Griswold, the U.S. Supreme Court has continued to refrain from finding a universal right of privacy. In fact, until the most recent technological advances in data collection and handling, U.S. Supreme Court jurisprudence tended to shrink the penumbra rather than expand it. United States v. Jones, 132 S. Ct. 949 (2012).

Without a universal human right to privacy, U.S. privacy law can instead be viewed as a patchwork of sometimes conflicting notions of what data is or is not accessible, by whom, and under what circumstances. Certain laws confer privacy rights in certain personal data, but the right to privacy is limited depending on the data and the circumstances. In addition, the American conception of data protection, rather than privacy, is that it is a trade issue, specifically an issue hindering trade, which deviates from the EU concept of it as a fundamental human right.

In the United States, privacy regulation takes a self-regulatory approach: companies provide notices and make certain commitments about privacy and how data will be handled. If a company violates these commitments, the Federal Trade Commission (FTC) or another governmental agency may penalize the company. Generally, however, the FTC's power extends only to the self-commitments that a company actually made, so a data controller and data processor can determine how stringently it wants to protect privacy by moderating the promises that it makes to a data subject. In many instances, individuals may only opt out of certain uses of their data and often enjoy no right to limit the collection of data. In the United States, privacy legislation exists in certain industries, but each industry's legislation is different, and many repositories of data simply are not regulated.
When regulations do exist, the handling of data differs in the public and the private sectors, state and federal regimes, and particular industries. Each company or agency is charged with enforcing its own rules or guidelines. The U.S. privacy scheme generally assumes that data collection and use is not only acceptable but also beneficial. This leads to a regime of primarily voluntary guidelines and regulation only in documented cases of abuse. Enforcement in the United States generally depends on the initiation of action by a data subject rather than by a government official.

This does not mean that EU data protection principles are wholly foreign to the United States. Most notably, certain healthcare data fall under strict EU-style privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA) regulatory rules. See generally 45 C.F.R. 160, 164, as amended, published at 78 Fed. Reg. at (Jan. 25, 2013). Recently, the FTC issued nonbinding data security guidelines, which recommend the minimization of the collection of consumer personal identifiers, retention of data only as long as necessary for business purposes, and provision of access by consumers to the data stored. See Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Mar. 2012), ftc.gov/reports/protecting-consumer-privacyera-rapid-change-recommendations-businessespolicymakers (last visited Feb. 27, 2014). Although these are currently merely voluntary guidelines, heightened EU scrutiny and global awareness of data protection issues may help close the gap between the U.S. and EU data privacy regimes.

European Data Protection

In contrast, in Europe privacy is both recognized and codified as a basic human right.
For example, Article 8 of the European Convention on Human Rights states: "Everyone has the right to respect for his private and family life, his home and his correspondence." See Council of Europe, European Court of Human Rights, European Convention on Human Rights, pdf. Privacy is a fundamental right. Similarly, the right of an individual to data protection is also recognized as a fundamental right: "Everyone has the right to the protection of personal data concerning him or her." See European Union, Charter of Fundamental Rights of the European Union, art. 8, Dec. 7, 2000, OJ L C 364/01, (last visited Feb. 27, 2017); European Union, Treaty of Lisbon Amending the Treaty on European Union and the Treaty Establishing the European Community, art. 16, Dec. , 2007/C 306/01, org/docid/476258d32.html (last visited Feb. 27, 2014). This makes data protection and privacy rights explicit elements of EU treaties and basic human rights. In many EU member states, the data protection and privacy rights have been confirmed and codified as fundamental rights in European and member state courts, as well as in European and national legislation.

This divergent treatment of personal data from that of the United States derives not only from historical facts, but also from fundamental differences in the ways that Europeans view the role of government and notions of liberty. Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on data protection, governs. It not only offers protection from government action, but it denotes a duty of the state to protect individual privacy from other actors as well. It is the state that has an affirmative obligation to protect these privacy rights and to protect the data of its citizens. In the EU, human or fundamental rights, including data privacy rights, constitute so-called general principles of law that apply mandatorily even if they do not directly derive from a specific source of law. International Handelsgesellschaft v. Einfuhr- und Vorratsstelle für Getreide und Futtermittel [1970] ECR 1125, Case 11/70. Since data protection is a fundamental right, it is not viewed and cannot be dealt with solely as a trade issue.

Formally, Directive 95/46/EC of October 24, 1995, governs data privacy in the EU.
The directive regulates personal data processing and the transport or export of data outside of the EU or more generally outside the European Economic Area. The directive broadly defines personal data as any information relating to an identified or identifiable natural person, which will often be included in many corporate records sought during litigation. If a particular individual can be identified in a particular document, whether by name, address, personnel number, or some other description relating to the individual, that document is governed by the directive and the national data privacy laws implementing the directive. Personal data may not be transferred to countries that do not afford an adequate level of protection, meaning the same level of protection offered in the EU. The United States generally does not offer an adequate level of protection. However, the European Commission has recognized the U.S. Department of Commerce safe harbor scheme as providing adequate protection.

Directive 95/46/EC, historically deriving from recent national practices in Western European countries, particularly France and Germany, mandates a comprehensive national regulatory scheme enforced by a national data protection commissioner. It focuses on direct regulation of the collection and use of personal data, prohibiting excess data collection and restricting use to the original and stated purposes of the collection. Notification to the data protection authorities and to the data subject of the collection and use of the data are required at several stages. In the EU, the rules regarding individual consent for data collection, use, and disclosures are much stricter than in the United States, and much more affirmative consent is required. There is extensive regulation of all data processors; the law is comprehensive rather than sector based.
In Europe, data protection is granted even after a consumer has passed on the data, while in the United States, a company's understanding is that once a consumer has provided the information, it can do whatever it wants with it. In fact, the proposed EU General Data Protection Regulation released in January 2012 seeks to enhance data protection rights, proposing a right to be forgotten, and more explicit consent requirements for data processing. See European Commission, Proposal for a Regulation of the European Parliament and of the Council for a Regulation on the Protection of Individuals with Regard to the Processing of Personal Data, COM (2012) 11 final (Jan. 25, 2012), (then follow download hyperlink) (last visited Feb. 27, 2014).

The Conflict

Given these fundamentally different approaches to privacy and data protection, both sides of the Atlantic share a great skepticism about the other, especially following recent spying revelations. Many in the United States view the EU approach as unreasonable, smothering innovation, and stifling useful information flow. Many in the EU view the U.S. approach as unprincipled, inimical to individual dignity, and essentially the equivalent of hardly any regulation at all. In the United States, the right to privacy is openly balanced with other goals, including the need for the information by others than the data subject. See, e.g., 15 U.S. Code 1681b(a)(3)(F) (2012) (FCRA). And although the EU privacy rules are decidedly clear and straightforward, giving an EU citizen confidence in the sanctity of his or her data, enforcement is often ineffectual at best and nonexistent at worst. See Thorben Burghardt et al., A Study on the Lack of Enforcement of Data Protection Acts, in Next Generation Society Technological and Legal Issues (Alexander B. Sideris & Charalampos Z. Patrikakis eds. Springer Berlin Heidelberg, 2010), electronic version for purchase at chapter/ / _1. This lack of enforcement necessarily leads U.S.
courts to dismiss data protection claims when it comes to the production of information in U.S. litigation. See, e.g., Accessdata Corp. v. ALSTE Tech. GmbH, 2010 WL (D. Utah Jan. 21, 2010).

The actual conflict arises in transfers of personal data by multinational companies with locations in Europe and the United States when the U.S. company does not provide adequate protection of the personally identifiable information, in classical discovery under the FRCP when defending litigation in the United States or when the target of a Hague Evidence Convention Proceeding or of a nonparty subpoena issued according to 28 U.S.C (2013). The routine processing and transfer of documents and electronically stored information (ESI) in U.S. litigation may well constitute a violation of European data protection laws for you and your clients. The EU has recognized this and in 2009 published the Working Document 1/2009 on pre-trial discovery for cross-border civil litigation, adopted on February 11, The Article 29 Working Party, made up of EU member state data protection authorities, which developed this working document, opined as follows:

"The working party sees the need for reconciling the requirements of the U.S. litigation rules and the EU data protection provisions. It acknowledges that the Directive does not prevent transfers for litigation purposes and that there are often conflicting demands on companies carrying on international business in the different jurisdictions with the company feeling obliged to transfer the information required in the foreign litigation process. However where data controllers seek to transfer personal data for litigation purposes there must be compliance with certain data protection requirements."

Data Protection Working Party, Working Document 1/2009 on Pre-Trial Discovery for Cross Border Civil Litigation, WP 158 (EC) (Nov ), policies/privacy/workinggroup/wpdocs/2009_en.htm (then follow download hyperlink) (last visited Feb. 27, 2014). Litigants often simply rely on the Safe Harbor Framework negotiated by the U.S. Department of Commerce and recognized in 2000 by the European Commission, but strict compliance is uncertain.

Safe Harbor: A Brief History of a Controversial Mechanism for Cross-Border Transfer of Information to the United States

In acknowledging the OECD Guidelines, both the United States and the most data-protectionist EU countries subscribed to voluntary basic personal data protection principles, which included many of the elements of what became the EU Data Protection Directive.
Although recognized by the U.S. government in the 1980s, U.S. businesses and the U.S. safe harbor negotiators later objected. These common elements were the requirements that personal data held by a company be made available to the data subject, that only the minimum amounts of data necessary for the stated purpose for which they were collected be held, and that data flows to other countries or companies not compliant with the guidelines be prohibited. In any case, few U.S. companies ever endorsed the OECD Guidelines. Between the United States and EU, no significant disagreement exists about the Fair Information Practice Principles, the basic backbone of privacy protection around the world.

Safe Harbor Framework

Directive 95/46/EC, in effect since October 1998, prohibits the transfer of personal identifying information to countries that do not meet the EU adequacy standards for data protection. To bridge these differences and to provide a streamlined and cost-effective means for U.S. organizations to satisfy the data protection directive's adequacy requirement, the U.S. Department of Commerce in consultation with the European Commission developed a Safe Harbor Framework. The U.S.-EU Safe Harbor Framework, which was approved by the EU Commission in 2000, was established so that U.S. organizations could avoid facing prosecution by EU member state authorities under EU member state privacy laws. The United States and the EU agreed to the Safe Harbor Privacy Principles undergirding the framework even though U.S. law would not change. The private companies that signed up to have their names added to a Safe Harbor List would adhere to the rules set out by the EU. Thus, by self-certifying to the Safe Harbor Framework, companies are supposed to be providing adequate privacy protection, as partly defined by and adhering to seven privacy principles similar to those found in Directive 95/46/EC.

The European Union Is Contemplating Revoking or Reforming the Safe Harbor Arrangement

In the last six months, in two separate reports, the EU has indicated its dissatisfaction with the EU-U.S. safe harbor arrangement. These concerns have intensified with the National Security Agency (NSA) surveillance-related disclosures in the fall of 2013 and have increased the EU's desire to pass the draft EU General Data Protection Regulations and to incorporate the safe harbor arrangement into the mix. In fact, the EU recently announced that it hopes to have the new privacy regulations adopted by the end of While some fear that this new focus may be the beginning of the end of the Safe Harbor Framework self-certification program, others see this as a sign that the EU is willing to work with the United States to improve its enforcement of the privacy provisions of the program. Time will tell whether the United States and the EU can work out their differences on these issues.

In the meantime, given the significant effect that the proposed changes would have on how U.S. and multinational companies conduct business and defend themselves in litigation, companies should stay abreast of these developments. Furthermore, given the increased interest in these issues, wise Safe Harbor Framework-certified companies would review their current privacy procedures to ensure that they comply with the seven principles, but they should also begin to consider their options if certification is no longer an option.

European Commission Report

In November 2013, the European Commission published an analysis of the Safe Harbor arrangement, entitled Commission Communication to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU. See Communication from the Commission to the European Parliament and the Council, COM (2013) 847 Final (Nov. 27, 2013), files/com_2013_847_en.pdf.
The report notes that in the last four years, the FTC has brought only 10 enforcement actions based on safe harbor violations. Consequently, the EU Commission seeks improved transparency, redress, and enforcement mechanisms for the Safe Harbor Framework. The report concludes that the current program is not effective because companies that are self-certified are not complying with the Safe Harbor Principles and the program is not actively enforced.

In the 19-page report, the European Commission recommends that the European Commission Safe Harbor Decision originally approving the arrangement between the EU and the United States be revised, suspended, or revoked by the summer of 2014 unless improvements are made. Below is a brief description of the report's 13 recommendations for improving Safe Harbor Framework effectiveness:

1. Self-certified companies should publicly disclose their privacy policies.
2. Privacy policies of self-certified companies' websites should always include a link to the U.S. Department of Commerce Safe Harbor website.
3. Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services. A safe harbor-certified company should also notify the U.S. Department of Commerce and be obliged to make public the privacy safeguards.
4. The U.S. Department of Commerce website clearly should flag all companies that are not current members of the scheme with the label "not current."
5. The privacy policies on companies' websites should include a link to the alternative dispute resolution (ADR) provider and EU panel.
6. ADR should be readily available and affordable.
7. The U.S. Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints, and findings of noncompliance should be publicized.
8. Following the certification or recertification under the Safe Harbor Framework, a certain percentage of these companies should be subject to ex officio investigations of the actual compliance of their privacy policies.
9. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year.
10. In case of doubts about a company's compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority (DPA).
11. False claims of Safe Harbor Privacy Principles adherence should continue to be investigated. A company claiming it complies with safe harbor scheme requirements, but not listed by the U.S. Department of Commerce as a member of the scheme, misleads consumers.
12. Self-certified companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Safe Harbor Privacy Principles to meet national security, public interest, or law enforcement requirements.
13. It is important that the national security exception foreseen by the European Commission Safe Harbor Decision is used only to an extent that is strictly necessary or proportionate.

It is anticipated that by this summer steps will be identified to fix these issues; however, given that several European countries are extremely displeased with recently disclosed U.S. surveillance methods and the disregard for privacy, this is by no means a fait accompli. Along with the relevant U.S. authorities, the European Commission, the EU Parliament, and the Council of the European Union will be involved in attempting to resolve these issues.

European Parliament Civil Liberties Draft Report

While many perceived the EU Commission's November 2013 report as a positive sign, the European Parliament Civil Liberties, Justice and Home Affairs Committee (LIBE) draft report on the NSA surveillance program and those of EU member states, leaked in January 2014, caused many to be concerned about the future of the safe harbor arrangement. See Draft Report of European Parliament Committee on Civil Liberties, Justice and Home Affairs on the U.S.
NSA Surveillance Programme [and Surveillance Bodies in Various Member States], 2013/2188 (INI) (Jan. 8, 2014). The LIBE report seeks immediate suspension of data transfers from the EU to the United States, calls for the end of the safe harbor program, and seeks the negotiation of more stringent data transfer rules to replace the current safe harbor program. The report also outlines some aggressive recommendations that, if implemented, would severely restrict data transfers between the EU and the United States.

The report summarizes the LIBE's six-month investigation of data transfers between the EU and the United States under the Safe Harbor Framework, and follows several meetings and public hearings held by the LIBE. LIBE concludes that trust with the United States has deteriorated, and to rebuild trust, a comprehensive plan must be put in place. While much of the report relates to government surveillance issues, the Safe Harbor Framework is also addressed, and the report echoes many of the points articulated in the EU Commission's November 2013 report, but it presents a stronger position regarding the perceived inadequacies of the Safe Harbor Framework. Specifically, the report concludes the Safe Harbor Framework does not adequately protect EU citizens and that transfers of personal data should only occur under standard contractual clauses or binding corporate rules. The draft report seeks for the EU Commission to immediately suspend data flows to any company that is self-certified under the Safe Harbor Framework. Companies' failure to encrypt information and communications, which allows interception of information, is a point of concern identified by LIBE. LIBE also recommends that the EU continue discussions with the United States on an agreement that would provide EU citizens with an enforceable judicial remedy in the United States against U.S. companies that violate the data transfer rules in relation to their personal data.

On January 22, 2014, after the LIBE draft report was leaked, the FTC announced settlements with a dozen companies in relation to safe harbor enforcement actions. This is only the second time that the FTC has pursued such enforcement actions since the arrangement's implementation in Many view the FTC announcement as a response to the EU's growing concerns. However, the FTC's action should put other Safe Harbor Framework-certified companies on notice that future enforcement actions are likely on the horizon, and they should now check to ensure they are in compliance.

A Future Without Safe Harbor Is Possible

While the convenience of Safe Harbor Framework certification cannot be denied, there are several other methods that U.S. companies can use to transfer personal data lawfully from the EU and the European Economic Area (EEA). As noted, the EU Data Protection Directive 95/46/EC allows a company to transfer personal data from the EU to a country that does not belong to the EU if and only if that country provides adequate protection for such data, or one of a limited number of specific exemptions under Article 26 of the Data Protection Directive 95/46/EC applies.

Standard Contractual Clauses

Many U.S. companies and multinational companies use one of the three sets of standard contractual clauses (SCCs) approved by the European Commission in their data transfer agreement with each European company with which they do business rather than rely on Safe Harbor Framework certification. In May 2010, the European Commission adopted a new set of SCCs governing the transfer of personal data to countries such as the United States that are viewed as not providing adequate protection for the transfer of personal data. See Commission Decision 2010/87/EU, 2010 O.J. (L 39) 5 6, 11 (EU).
The SCCs adopted govern transfers of personal data from data controllers to data processors, and the transfer of personal data to a non-EU subprocessor that receives and processes the personal data for the data controllers and data processors.

U.S. and multinational companies incorporating the SCCs in their data transfer agreements must be cognizant of country-specific procedures that might create additional provisions beyond the model clauses. For example, under German law, the model clauses adopted by the European Commission are not adequate for transferring personal data from Germany to the United States. To effect such a transfer, the SCCs must be amended by additional clauses regarding the purpose and extent of the processing, the length of the project, the data subjects, the type of data being transferred and processed, and the elimination and blocking of data. Adhering to the applicable laws adds another layer of complexity. Moreover, if a U.S. company has a business relationship with hundreds of EU companies, all of which involve the transfer of personal data, drafting the agreements with the SCCs will be extremely time-consuming.

Binding Corporate Rules

Other multinational companies have turned to using binding corporate rules (BCRs). The EU Article 29 Working Party developed BCRs for multinational organizations to use in transferring personal data throughout an organization and to companies outside the EU. Many multinational companies favor BCRs because with one document, rather than many separate data transfer agreements incorporating SCCs, data transfers are allowed between the companies globally; whereas, Safe Harbor Framework certification applies only to data transferred to the United States. While referred to as binding corporate rules, typically compliance requires a set of policies or procedures filed with a data protection authority (DPA) in the EU designated as the lead authority.
Criteria for determining the lead authority are outlined in the Working Party papers. There is an application form to be completed and submitted to the lead authority. Once the lead authority finds a company's BCRs acceptable, it circulates them to the other DPAs in Europe that must also provide authorization.

Finally, if a company is not Safe Harbor Framework certified, does not have a data transfer agreement in place that contains SCCs and other necessary provisions, depending upon the countries involved, and does not have BCRs in place, the only way that it will be able to transfer personal data is by obtaining the informed consent of each person whose personal data it seeks to transfer from the EU to the United States. Obviously, for companies transferring and processing the personal data of millions of individuals, this is impossible.

Conclusion

Fourteen years ago, the EU and United States adopted the safe harbor arrangement so that companies involved in transatlantic business could easily share personal information while protecting individuals' privacy. There is still a need for such a mechanism. Recent revelations regarding the NSA Prism surveillance program are an understandable concern for the EU, and the current Safe Harbor Framework certification program may be in need of improvement; however, this does not mean the program should cease. Rather, it is time for the United States to enforce the requirements of Safe Harbor Framework certification better, and strict penalties should be imposed when companies are not compliant. While the United States has enacted several privacy laws to protect individuals' personal data, more enforcement is necessary. Only when the United States views privacy as an individual right as the EU does will it force companies to take the necessary steps to protect such data as they proclaim to do in receiving Safe Harbor Framework certification.
Given the grave consequences that suspension or revocation of the Safe Harbor Framework program could have on the U.S. and European economies, and in litigation involving the transfer of personal data from the EU to the United States, it seems likely the United States will take privacy compliance in relation to Safe Harbor certification more seriously in the immediate future. But even if the European Commission revokes the Safe Harbor Decision, there still will be ways for companies to transfer personal data; however, the process will be costly. Hopefully, the EU threats to revoke the Safe Harbor Decision will not come to fruition, but instead will make the United States take notice and be more stringent in enforcing its privacy and data security policies and laws. For The Defense April


More information

29 October 2015 Conference of the Independent Data Protection Authorities of the Federation and the Federal States

29 October 2015 Conference of the Independent Data Protection Authorities of the Federation and the Federal States 29 October 2015 Conference of the Independent Data Protection Authorities of the Federation and the Federal States Key data protection points for the trilogue on the data protection directive in the field

More information

Knowledge. Practical guide to competition damages claims in the UK

Knowledge. Practical guide to competition damages claims in the UK Knowledge Practical guide to competition damages claims in the UK Practical guide to competition damages claims in the UK Contents Reforms to damages litigation in the UK for infringements of competition

More information

Improving self-regulation through (law-based) Corporate Data Protection Officials *

Improving self-regulation through (law-based) Corporate Data Protection Officials * Improving self-regulation through (law-based) Corporate Data Protection Officials * Article by Christoph Klug ** The rise of globalization and multinational corporations is creating a pressing need for

More information

CONCERNS WITH THE LEAKED INTERNET CHAPTER OF ACTA

CONCERNS WITH THE LEAKED INTERNET CHAPTER OF ACTA CONCERNS WITH THE LEAKED INTERNET CHAPTER OF ACTA The U.S. proposal for an Internet chapter in the Anti-Counterfeiting Trade Agreement (ACTA) has been leaked to the press and widely disseminated on the

More information

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY Oana Dolea 7 th Annual Leg@l.IT Conference March 26th, 2013 Montreal, Canada INTRODUCTION Mobile e-commerce vs. E-commerce Mobile e-commerce:

More information

MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT

MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT INTERNATIONAL FORUM OF INDEPENDENT AUDIT REGULATORS Adopted on June 30, 2015 1 Table

More information

The Duke Conference: Bench-Bar-Academy Distinguished Lawyers Series Protected-Privacy Data Conference

The Duke Conference: Bench-Bar-Academy Distinguished Lawyers Series Protected-Privacy Data Conference CURRENT APPROACHES TAKEN IN U.S. LITIGATION TO COMPLY WITH POTENTIALLY CONFLICTING U.S. DISCOVERY OBLIGATIONS AND EU AND OTHER FOREIGN DATA PRIVACY STATUTES David W. Ichel, Simpson Thacher & Bartlett Peter

More information

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS KINGDOM OF SAUDI ARABIA Capital Market Authority CREDIT RATING AGENCIES REGULATIONS English Translation of the Official Arabic Text Issued by the Board of the Capital Market Authority Pursuant to its Resolution

More information

Covington Webinar Series February 23, 2012 Cross-Border Discovery Issues for U.S. Litigants

Covington Webinar Series February 23, 2012 Cross-Border Discovery Issues for U.S. Litigants Covington Webinar Series February 23, 2012 Cross-Border Discovery Issues for U.S. Litigants Marney Cheek Kristen Eichensehr Alex Hastings Ed Rippey Agenda Introduction (Rippey) Key Considerations in Cross-Border

More information

TITLE I REDUCTION OF ABUSIVE LITIGATION

TITLE I REDUCTION OF ABUSIVE LITIGATION 109 STAT. 737 Public Law 104 67 104th Congress An Act To reform Federal securities litigation, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America

More information

Right to Financial Privacy Act

Right to Financial Privacy Act Background The Right to Financial Privacy Act of 1978 was enacted to provide the financial records of financial institution customers a reasonable amount of privacy from federal government scrutiny. The

More information