Around this time three years ago, I submitted my first Safe Harbor certification application to the Department of Commerce (DoC), even though, just six months before that, I had heard of neither Safe Harbor nor the EU Directive.
Then, a little more than a year ago, while attending a discussion on Internet freedom, I heard about DoC Secretary Penny Pritzker’s reference to the “Snowden Effect” on American businesses at the Aspen Institute Ideas Festival. I was taking part in the Institute’s Socrates forum, and it was probably during a coffee break that this nugget made its way to me.
I felt vindicated.
I had, of course, prepared my organization for the “doomsday” scenario of a world without Safe Harbor, especially important given the Snowden revelations and the growing European criticism of U.S. privacy protections—a trend that began long before we ever heard of PRISM. Paying particular attention to the actions and rhetoric of key institutions and leaders, it was clear that Safe Harbor was in trouble. But it was unclear to me if Safe Harbor would weather the storm. In fact, I was so torn on the issue that I drafted two very different opinion memos: “Safe Harbor Is Dead” and “Safe Harbor Lives Another Day.” Nonetheless, both suggested that, broadly, more was needed in order to shore up Safe Harbor, and, at the very least, to assuage the public perception of it in Europe.
My muted self-satisfaction was less about the contingency plans and more about how effective my public defense of Safe Harbor compliance to European audiences had proven to be. The “Snowden Effect” had essentially been neutralized at my organization because I had not only prepared it for a post-Safe Harbor world, but had readied it to defend our compliance under Safe Harbor. I found that other U.S.-based, Safe Harbor-reliant organizations were unprepared. EU-based competitors that had hoped privacy would be a debilitating issue were disappointed. Even as Safe Harbor was a then-preferred mechanism for cross-border data transfers and its fate at the time was uncertain, its legality was not in question. So in addition to being prepared for, among other things, the possibility that Europe-based clients might require Model Contracts, I knew (and had to know) how to make the case for our then-compliance under Safe Harbor.
In retrospect, it was simple.
I talked about what Safe Harbor meant in practice. I made it clear that, notwithstanding the legal mechanism of compliance, the conforming processes did indeed live up to the spirit and letter of the EU Directive and various applicable local privacy laws. The fact that, as the privacy leader, I was a creature of EU institutions was immaterial to the extent that colleagues who followed the script in my absence reported the same outcome. This suggested that on balance it is not necessarily about the vessel that gets us across the Atlantic—it’s about the journey!
Safe Harbor, like its counterparts, Model Clauses and Binding Corporate Rules, is meant to bring the privacy practices of companies in third countries closer to EU “adequacy” standards. At the same time, those behind the EU Directive had envisioned a prosperous coexistence of forceful privacy protections and commercial enterprise facilitated by the free movement of data—the Directive’s preamble couldn’t make this any more obvious. As the Schrems judgment continues to be sliced and diced and Safe Harbor 2.0 becomes ever more critical, it is worth remembering that bridging this cross-Atlantic privacy divide is more than just about raw law—there is a widely acknowledged sociopolitical history of EU privacy regulations that cannot be ignored.
At present, the Safe Harbor Privacy Principles and FAQs provide a strong set of requirements. Yet the totality of the Safe Harbor Framework gives less than cursory mention to the historical underpinnings of European privacy posture. This has to change for Safe Harbor 2.0 to have meaningful impact on the compliance practices of participating members—the philosophical “why” has to be underlined.
So here’s a modest proposition to keep in mind for Safe Harbor 2.0: Training can never be overrated.