I have been thinking a lot recently about the days at the U.S. Department of Commerce (DoC) back in the late 1990s when we negotiated the U.S.-EU Safe Harbor Privacy Arrangement (Safe Harbor) with the European Commission (EC). I remember the first time that I met Barbara Wellbery, the chief architect of Safe Harbor. She was buried in work trying to build a "bridge" between the EU and U.S. on data privacy. I was an attorney in the General Counsel's office at the time, and I asked Barbara if she needed help.
She did.
And so began an unforgettable three-year journey, travelling back and forth between Washington and Brussels negotiating Safe Harbor, addressing U.S. private-sector concerns, responding to comments from the Member States and data protection authorities (DPAs), and ultimately arriving at an agreed set of Safe Harbor Privacy Principles and Frequently Asked Questions.
I never thought at the time that Safe Harbor would ever be in the spotlight as much as it is today. But, I also don’t think that any of us could have anticipated how much the world would change in the 15 years since Safe Harbor was negotiated: 9/11, the Snowden revelations and the explosion of the Internet are just a few of the things that have shaped our world along the way.
Watching all of this unfold in recent days, I have been struck by the many misunderstandings about the arrangement and the related impact of the European Court of Justice’s (ECJ’s) judgment. I thought now would be a good time to set the record straight on five myths about Safe Harbor.
Myth #1: The Safe Harbor Arrangement is terminated as a result of the Schrems judgment. Not so. The Safe Harbor is still fully operational as a program. Safe Harbor is not a treaty. It is an international cooperative arrangement whereby, on the U.S. side, the DoC promulgates the Safe Harbor Privacy Principles and FAQs, and maintains the list of Safe Harbor certified companies. The U.S. Federal Trade Commission (FTC) enforces Safe Harbor through its Section 5 authority. On the European side, in 2000, the European Commission followed the internal process set forth in the 1995 Data Protection Directive (95/46/EC) (Directive) to find that the Safe Harbor Privacy Principles and FAQs, as enforced by the FTC, provide "adequate protection" within the meaning of Article 25(6) of the Directive.
The Schrems judgment invalidated the European Commission's Safe Harbor decision. It did not, however, repeal or otherwise dismantle the Safe Harbor program itself. The DoC still operates the Safe Harbor list and program, which is fully functional and operational. The FTC's authority remains unchanged by the Schrems judgment and, if anything, with Wyndham and other cases in the U.S., the FTC's enforcement authority is stronger than ever. The continued operation of the Safe Harbor program by the DoC is critical during this transition period, as there are many companies on both sides of the Atlantic that have commitments based on Safe Harbor, including contractual obligations to customers, arrangements with third parties, registrations with data protection authorities, works council shop agreements and the like.
Myth #2: The Safe Harbor is intended to address government surveillance issues. Not so. Safe Harbor is a commercial arrangement that was never intended to address government surveillance issues. These negotiations took place in the late 1990s, before 9/11, before the subsequent adoption of the USA PATRIOT Act, and the related escalation of government surveillance. Accordingly, we incorporated the only rationale into Safe Harbor that we could: a U.S. organization participating in Safe Harbor may disclose personal data to the extent strictly necessary to comply with legal requirements.
It is important to bear in mind that U.S. organizations seldom enjoy complying with court orders and making disclosures to government authorities. These are costs that do not further the company's growth, and often place the company at odds with its customers, business partners and others. Nevertheless, U.S. organizations must comply with U.S. court orders and legal obligations, just as European organizations must comply with local court orders and legal obligations. Any effort to layer on top additional conditions to respond to lawful orders would inherently place U.S. organizations in a conflict situation of either complying with U.S. law or complying with Safe Harbor. This sheds light on how government surveillance is beyond a commercial arrangement such as Safe Harbor, as it seems to have been in the other adequacy decisions reached by the European Commission.
For the U.S., this needs to be resolved through government-to-government negotiations such as those that have produced the "Umbrella Agreement" on data sharing, and related legislation and policy changes outside the Safe Harbor framework. Notably, other jurisdictions which previously received adequacy findings should also revisit these issues with the European Commission, and even internally within Europe, there are significant issues to be considered regarding government surveillance and privacy.
Myth #3: The Safe Harbor is poorly enforced by the FTC. Not so. The FTC has enforced Safe Harbor with increasing vigor over the last few years. In the race to enforce European privacy rights against U.S. companies on U.S. territory, the FTC is not only winning the race, it is the only one in the race. The FTC has driven dozens of Safe Harbor cases into 20-year privacy consent decrees, backed by potential penalties of $16,000 per violation for non-compliance with such orders. After counseling many hundreds of companies over the years on the range of options to address cross-border data transfers, I can say with certainty that the deterrent effect of potential FTC action is a strong motivator for U.S. organizations to build strong privacy programs implementing the Safe Harbor rules and to maintain those programs on an on-going basis. If the Europeans want to have strong enforcement of their privacy rights in the U.S., then they should want to keep the FTC in this role.
Myth #4: The Safe Harbor Arrangement failed to stand the test of time. Not so. Safe Harbor served as a bridge between the EU and U.S. for the vast majority of the effective life of the Directive. It became effective in November 2000, just about the time the national implementations of the cross-border transfer restriction in the Directive were coming into force. Safe Harbor thrived for 15 years, and has remained a transatlantic bridge for commerce and privacy all the way up to the present, where the Directive itself is poised to be replaced with the proposed General Data Protection Regulation. Both sides agreed that updates to Safe Harbor were needed, and the EC and the DoC have engaged in vigorous negotiations on Safe Harbor 2.0.
Myth #5: The Safe Harbor Arrangement is no longer needed. Not so. Safe Harbor is needed today more than ever. It provides an enforceable solution for authorities on both sides of the Atlantic to collaborate and provide adequate protection for personal data. This enforceable solution cannot be replaced by model contracts, Binding Corporate Rules (BCRs) or other alternatives. More than half of the 4,000-plus U.S. organizations participating in Safe Harbor are small- to medium-sized enterprises that do not have resources to implement alternatives such as BCRs—only achieved by approximately 70 large multinationals to date—and would have significant challenges establishing point-to-point model contract solutions.
Similarly, online companies and others do business directly with users in Europe, and cannot enter into model contracts with such users, nor develop omnibus BCRs or other solutions. Such companies must likely turn to consent or reliance on "necessary to perform a contract" or other exceptions or derogations that would not enjoy the privacy benefits of FTC enforcement.
Looking back on it, I believe the bridge of Safe Harbor was built, at its core, on the trust and friendship between Barbara Wellbery and her counterpart at the European Commission.
Safe Harbor succeeded in bridging the gap between Europe and the U.S. on data flows at a critical time in the growth of the global digital economy. But in life, all things change, and Safe Harbor was due for an upgrade, as is the Directive itself.
Yet, fundamentally, it is important for both sides of the Atlantic to again come together and find a way to bridge the gap between our two systems, for the good of privacy protection and transatlantic commerce. It can be done. It must be done. It may just require us all to channel our inner Barbara Wellbery and recognize that we have more in common than we think.