The recent vote at the European Parliament—by an overwhelming majority of 544 to 78 members, with 60 abstentions—calling for the immediate suspension of Safe Harbor has sent some powerful shockwaves across the business and legal communities in the EU and beyond. This should not have come as a surprise, given that the European Parliament has been very vocal in this respect for a while, but it is still a chilling reminder of the uncertainty surrounding the scheme—possibly the most widely relied upon mechanism to legitimise data flows between the EU and the U.S.
The big question that remains on the ground is whether EU-based organisations that rely on Safe Harbor as the legal basis for transferring data to either their own corporate group entities or service providers operating in the U.S. are doing the right thing or should be looking for alternatives.
To answer that question, and acknowledging that the adequacy status of Safe Harbor is a moving target, it is sensible to consider the following facts:
- The power to issue or revoke an “adequacy finding” like Safe Harbor rests with the European Commission and the European Commission alone. That will continue to be the case until the 1995 Data Protection Directive is replaced by something different. In the meantime, EU member states must accept that and ensure that national laws and their regulators comply with the commission's view.
- The European Commission has been thorough and unequivocal on where it stands on this matter. At the end of November 2013, the commission issued a report that confirmed its intention to respect Safe Harbor as long as certain weaknesses were corrected. This report should be regarded as the main point of reference for anyone concerned about the future of Safe Harbor. Its message is a simple one: Safe Harbor is not dead, but it needs to be strengthened in order to survive going forward.
- Much of the criticism about Safe Harbor is about politics and economics rather than data protection—think NSA access to European data, U.S. technological dominance, European competitiveness and other emotional issues. As a result, it is very difficult to perform an accurate and objective assessment of the effectiveness of the scheme to protect data and privacy. Possibly, one of the most dispassionate and scientific analyses of the functioning of Safe Harbor was the one carried out by the Future of Privacy Forum in December 2013, which concluded that whilst there was certainly room for improvement, the scheme had proved to be effective. And before this is dismissed as the opinion of a biased U.S.-based think tank, it should be pointed out that the respected European Data Protection Supervisor Peter Hustinx spoke in similar terms when giving evidence to the European Parliament in October 2013 and said that Safe Harbor had its merits and should not be thrown away without investigating the scope for improvements.
- One of the limitations of Safe Harbor, which appears to be the elephant in the room that nobody wishes to deal with, is the fact that the nature of the scheme and its principles seem geared towards importers of European data who act as “controllers” in their own right, rather than “processors” or service providers. This is at odds with the fact that Safe Harbor has become particularly useful in the context of cloud service providers, many of which take their data protection commitments to customers extremely seriously but may struggle to demonstrate how their observance of Safe Harbor can benefit those constantly scrutinised European customers. This may of course be one of the points to be addressed by the EU data protection authorities in the forthcoming Article 29 Working Party assessment of Safe Harbor, which will surely become a key point of reference in due course.
- One final point that must not be forgotten is the fact that Safe Harbor is enforced by one of the mightiest regulators on the planet, the U.S. Federal Trade Commission. That alone is an indication that any responsible signatory party is likely to be taking its voluntary Safe Harbor responsibilities extremely seriously.
All in all, what's the final word on Safe Harbor then?
One thing is clear: Safe Harbor is not a silver bullet for compliance. It should be regarded as a well-established set of principles that—like those set out in BCR or CBPR programmes—can act as the basis for a fully-fledged global privacy programme. What really matters is to be able to show, both internally within an organisation and externally to third parties, that beyond the words and the paperwork, there is real evidence of commitment to the protection of personal information. That will really do the job.