
The recent vote at the European Parliament—by an overwhelming majority of 544 to 78 members, with 60 abstentions—calling for the immediate suspension of Safe Harbor has sent some powerful shockwaves across the business and legal communities in the EU and beyond. This should not have come as a surprise, given that the European Parliament has been very vocal in this respect for a while, but it is still a chilling reminder of the uncertainty surrounding the scheme—possibly the most widely relied upon mechanism to legitimise data flows between the EU and the U.S.

The big question that remains on the ground is whether EU-based organisations that rely on Safe Harbor as the legal basis for transferring data to either their own corporate group entities or service providers operating in the U.S. are doing the right thing or should be looking for alternatives.

To answer that question, and acknowledging that the adequacy status of Safe Harbor is a moving target, it is sensible to consider the following facts:

  • The power to issue or revoke an “adequacy finding” like Safe Harbor rests with the European Commission and the European Commission alone. That will continue to be the case until the 1995 Data Protection Directive is replaced by something different. In the meantime, EU member states must accept that and ensure that national laws and their regulators comply with the commission's view.
  • The European Commission has been thorough and unequivocal on where it stands on this matter. At the end of November 2013, the commission issued a report that confirmed its intention to respect Safe Harbor as long as certain weaknesses were corrected. This report should be regarded as the main point of reference for anyone concerned about the future of Safe Harbor. Its message is a simple one: Safe Harbor is not dead, but it needs to be strengthened in order to survive going forward.
  • Much of the criticism about Safe Harbor is about politics and economics rather than data protection—think NSA access to European data, U.S. technological dominance, European competitiveness and other emotional issues. As a result, it is very difficult to perform an accurate and objective assessment of the effectiveness of the scheme to protect data and privacy. Possibly, one of the most dispassionate and scientific analyses of the functioning of Safe Harbor was the one carried out by the Future of Privacy Forum in December 2013, which concluded that whilst there was certainly room for improvement, the scheme had proved to be effective. And before this is dismissed as the opinion of a biased U.S.-based think tank, it should be pointed out that the respected European Data Protection Supervisor Peter Hustinx spoke in similar terms when giving evidence to the European Parliament in October 2013 and said that Safe Harbor had its merits and should not be thrown away without investigating the scope for improvements.
  • One of the limitations of Safe Harbor, which appears to be the elephant in the room that nobody wishes to deal with, is the fact that the nature of the scheme and its principles seem geared towards importers of European data who act as “controllers” in their own right, rather than “processors” or service providers. This is at odds with the fact that Safe Harbor has become particularly useful in the context of cloud service providers, many of which will take the data protection commitments to their customers extremely seriously but may struggle to demonstrate how their observance of Safe Harbor can benefit those constantly scrutinised European customers. This may of course be one of the points to be addressed by the EU data protection authorities in the forthcoming Article 29 Working Party assessment of Safe Harbor, which will surely become a key point of reference in due course.
  • One final point that must not be forgotten is the fact that Safe Harbor is enforced by one of the mightiest regulators on the planet, the U.S. Federal Trade Commission. That alone is an indication that any responsible signatory party is likely to be taking its voluntary Safe Harbor responsibilities extremely seriously.

All in all, what's the final word on Safe Harbor then?

One thing is clear: Safe Harbor is not a silver bullet for compliance. It should be regarded as a well-established set of principles that—like those set out in BCR or CBPR programmes—can act as the basis for a fully-fledged global privacy programme. What really matters is to be able to show, both internally within an organisation and externally to third parties, that beyond the words and the paperwork, there is real evidence of commitment to the protection of personal information. That will really do the job.

5 Comments

  • comment Emma Butler • Mar 20, 2014
    Excellent, concise, accurate analysis as always, thank you.
  • comment Jeff Chester • Mar 21, 2014
    Safe Harbor fails to provide to EU citizens the privacy they deserve. Instead of cursory discussion, what is required is an informed critique, something US and EU privacy and consumer NGOs will provide.
  • comment Kimberly Verska CIPP/US • Mar 21, 2014
    I think the key point is one that Eduardo mentions in his third bullet point, i.e. that this is a question of politics as much as it is about the true adequacy of Safe Harbor.  The FTC has stepped up its enforcement of Safe Harbor laggards, which will help from an optics perspective.  My view based on my US privacy practice is that Safe Harbor is increasingly only half a solution, since as Eduardo notes, it is rare that data provided to US processors simply comes to rest here, and methods of securing the data on the move to sub-processors of Harborites are contentious in practice. There is room for creative thoughts from both sides of the pond in this space.
  • comment John Kropf • Mar 21, 2014
    Eduardo.  
    As always, superb analysis. SH is one of the examples of interoperable privacy. One thing unusual about it is that unlike most Int'l agreements that are reciprocal -- SH is one way only. Would be an interesting thought experiment to apply adequacy both ways.
    
  • comment Allen Brandt • Mar 28, 2014
    In the last days, things may be changing:
    
    On March 26, in Brussels, there was an agreement between the EU and the US, where we can expect some changes to the Safe Harbor arrangement by "this summer".
    
    I think this is significant, as it appears to give some comfort that the program will continue, and moving forward, in a way that allows the European regulators to have some comfort in the manner in which the program is being operated.
    
    Always the optimist.....