The Plain Truth About Safe Harbor
The stance adopted by the European Commission in the report on the functioning of Safe Harbor published today was probably one of the worst kept secrets of the privacy world. It was patently obvious to anyone close enough to the controversy around the ability of Safe Harbor to live up to the expectations of EU policymakers and regulators that the European Commission would be critical about it but would stop short of delivering a fatal blow to the scheme.
So as expected, the commission's report unequivocally reveals some deficiencies that are seen as unfair for both U.S. companies which properly apply the scheme and European companies that simply comply with EU data protection law. The toughest criticism is directed at the simple fact that, because the self-certification process does not involve any kind of regulatory scrutiny—compared, say, to the BCR authorisation process—about 10 percent of companies claiming to meet the Safe Harbor standards are actually making false claims. It is mainly the false claims issue that seems to impact on the credibility of the whole scheme.
Interestingly, the commercial implications of this unfairness appear to be a greater concern than the potential vulnerability of Safe Harbor as a conduit to allow U.S. intelligence authorities to access data originating in the EU. In other words, the European Commission is not really seeking to turn Safe Harbor into a data bunker and seems content with the existing language which allows access to data "to the extent necessary" to meet national, security, public interest or law enforcement requirements. This does not mean that the tension between EU data protection and access to data by non-EU public authorities is resolved, but it takes this issue away from the Safe Harbor discussions.
All in all, the tone and content of the commission's position is fairly measured and reflects the ongoing dialogue between the EU and the U.S. around international data flows, adequate privacy safeguards and common democratic interests. In the short term, this means that Safe Harbor will survive pretty much unscathed. In the longer term, this may even be the beginning of real interoperability of privacy approaches.
About the Author
Eduardo Ustaran, CIPP/E, is a dually qualified English solicitor and Spanish abogado based in London and an internationally recognised expert in privacy and data protection law. He has been named by Revolution magazine as one of the 40 most influential people in the growth of the digital sector in the UK and is ranked as a leading individual for data protection by Chambers UK. Ustaran is also the author of The Future of Privacy, a book aimed at reshaping the global debate around data and privacy. Ustaran advises on the impact of EU data privacy law on the operational activities of all types of organisations and has assisted data protection regulators from different countries to align their positions and interpretation of the law. He is editor of Data Protection Law & Policy and a member of the panel of experts of DataGuidance. Ustaran is co-author of E-Privacy and Online Data Protection and of the Law Society’s Data Protection Handbook.