Safe Harbor May Be Controversial in the European Union, But It Is Still the Law
By Damon Greer
Amid the rancor erupting from the subnational data protection authorities and the German federal data protection authority over Edward Snowden’s revelations about the National Security Agency’s PRISM program and Internet interceptions, Safe Harbor has become a target for retribution. Jan Albrecht, the rapporteur for the EU’s once-and-future data protection regulation that promises to offer prescriptive measures to protect data and perhaps stifle innovation, called for Safe Harbor’s demise following entering into force of the regulation. The Article 29 Working Party opines that Safe Harbor may not provide the degree of protection—and really never did—that was expected when the European Parliament, the European Council and the European Commission (EC) approved the adequacy finding in July 2000. Still, one fact remains salient to the debate over the future or past of Safe Harbor as a legitimate tool for cross-border data transfers to the United States. The framework is legally binding on all member states in the EU and the three EEA countries, Norway, Iceland and Lichtenstein. No individual body may opt out of the agreement.
In the U.S., any organization that certifies compliance to the framework—Safe Harbor privacy principles and FAQs—is legally bound to adhere to its public commitments. Compliance is assured by third-party dispute-resolution bodies that include the European Union’s dispute resolution body—set up by the commission and the Working Party—and the Federal Trade Commission and the Department of Transportation’s Office of General Counsel.
Safe Harbor was negotiated to meet the cross-border data-transfer requirements of the EU’s Data Protection Directive, 95/46/EC, and to permit uninterrupted flows of personal data to the U.S. for commercial purposes. Safe Harbor is not perfect. It does not cover all sectors of the U.S. economy. Financial services and telecommunications are noted for their absence from the framework’s scope. In the early years of Safe Harbor’s existence, membership growth was tortuously slow—in 2004, only 440 companies were members—and enforcement was perceived by the commission and the Working Party to be nonexistent. Today, more than 4,000 are members, and 70 new applications are received each month. Acceleration began in 2007 and continues in part because of a heightened awareness of the importance of privacy globally among the business community and the concomitant need that governmental bodies recognize among their citizens to protect what is viewed as a fundamental right by many.
With the advent of the EU-U.S. Free Trade negotiations, it is certain that the draft regulation that updates and replaces the 1995 directive will be critical to the success of the negotiations. Is it a non-tariff trade barrier that singles out U.S. global companies or is it a measure that should be broadly recognized globally as a meaningful tool to protect fundamental rights? I can tell you the U.S. side will view a more prescriptive regulation as a non-tariff trade barrier, which, with tariffs averaging only three percent on goods exported to the U.S., will be more critical to negotiations than in lowering tariffs further.
When I served as director of the EU-U.S. and Swiss Safe Harbor Frameworks, in a meeting with Jacob Kohnstamm in 2010 in Brussels, I had proposed expanding the Safe Harbor principles to include accountability and purpose limitation as a means of making the framework more compatible with the discussions of what to include in the new regulation or directive. I also suggested that we could jointly fund a third-party study to ascertain what level of compliance is actually achieved by those entities that had "self-certified" to the Safe Harbor principles. I would note that no official EC implementation review has been completed or published since the 2004 review was released. In December 2010, we were informed by the secretariat to the Working Party that a draft implementation review had been completed and was awaiting internal approval before it would be shared with us and then released, hopefully in February 2011. It never was approved. In May 2011, the director general for justice met with senior level commerce officials to discuss, inter alia, Safe Harbor. At the meeting, the director general for justice presented an “unofficial” copy of the review’s executive summary, which indicated that the program was functioning well but improvements could be made in several areas including transatlantic communications. At that time, it was expected that the review would be released that autumn. It was not.
On the U.S. side, policy leaders led by the NTIA and White House were opposed to any discussions on modernizing Safe Harbor, and the legal community inferentially welcomed new rules because they would eventually lead to new business—notwithstanding the effectiveness of new data protection regulations in affording enhanced protection to EU citizens or how the new rules would be implemented and enforced.
The NSA’s domestic intelligence surveillance programs are linked irrevocably to the country’s security. Safe Harbor is a framework designed to protect EU citizens’ personal data that is legitimately collected by organizations for processing and use in the United States. Data controllers in Europe that collaborate with Safe Harbor-certified entities have legal obligations to their clients before engaging in any cross border transfer activity. It makes no difference if they use standard contractual clauses, binding corporate rules, Safe Harbor or any of the derogations in Article 26 of the directive, their fiduciary responsibilities are clear, as the Working Party has made abundantly clear over the years.
The distain the EU data protection community has for Safe Harbor today is not so much attributed to concern over citizens’ fundamental rights as it is over the dominance U.S. multinationals have of the high technology sector in Europe and the U.S. Our legal framework is not theirs, they do not understand ours, or choose not to listen when our system is explained and belittle the efforts made by all parties to achieve compromises between the U.S. and the EU.
The EU's practice of awarding adequacy seemingly based only on a national data protection law coupled with an independent data protection enforcement authority does not extend practical protection to other nations' citizens uniformly. The EU model does not work for every nation in the world. I sometimes wonder at the naïveté of the legal community when they view data protection rules in Russia and China as a sign of those countries' efforts to join the global data protection community.
Next year, the EU will hold parliamentary elections. Next June, the mandate to reform the data protection directive will expire if no progress to solving the myriad differences is achieved. It remains to be seen which direction the EU will follow if this scenario plays out.
Damon Greer served as the director of the EU-U.S. and Swiss Safe Harbor Frameworks from July 2006 through September 2011. He negotiated the U.S.-Swiss Safe Harbor Framework, organized and participated in four EU-U.S. Joint Safe Harbor conferences and numerous other events designed to educate audiences about Safe Harbor benefits. He can be reached at email@example.com.