TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Safe Harbor: Caught Between Scylla and Charybdis? Related reading: An Honest Recap on Safe Harbor



Clash of Cultures

There are voices in the U.S. that claim a sort of ownership over the Internet in how companies have expanded in ways that make it challenging for other companies to compete. The growing discomfort with Safe Harbor in Europe in general and in Germany in particular "is just designed to carve out some of their commercial interests" those voices says, and the relevant players who are expressing these concerns "are essentially trying to set up some roadblocks for our companies to operate effectively there."

However, historical analysis suggests that these differences in the transatlantic relationship have already existed long before the Internet was born. An explanation by the European Commission’s Paul Nemitz during a conference in Brussels is noteworthy here: "Protection of data in Europe is a right which comes from even beyond a constitutional level … It is not a choice of politics whether to protect it or not. There is a right which people can enforce if necessary with the help of the judiciaries. In the U.S. because there is no such constitutional right—and certainly it seems unfortunate for non-citizens—there is large political discretion by Congress."

Additionally, the identification of other elements in this clash may be more sophisticated because these elements may be influenced by local heritages and member states throughout Europe. We need to dig deeper to fully anticipate the current dynamics in the transatlantic relationship in general and the forces driving the Safe Harbor discussion in particular.

Ben Scott, former policy advisor to Hillary Clinton and now managing director of Stiftung Neue Verantwortung in Germany, has identified an exciting element in his lecture Clash of Cultures: Europe vs USA--Surveillance and Civil Rights on This Side and the Other Side of the Atlantic. Scott identified relevant drivers in the political culture of the U.S. and in Germany that directly oppose one another.

American exceptionalism celebrates its military power, and even more so after 9/11, he notes. This attitude is rooted so deeply in American culture that it maintains uncritical public support even when military or intelligence agencies have not behaved adequately. There were times in Germany when military power and control of virtually all aspects of public and private life were celebrated.

But history taught Germany painful yet essential lessons.

German exceptionalism is now wary about any illegitimate use of the military and total control in democratic societies. This attitude is so rooted in German culture due to empirical evidence in Germany’s history that democracy is not necessarily a self-correcting form of government and, the author of this article may add here, that by a process of undermining human rights a democracy can be turned insidiously into a totalitarian regime in which all assets of a society, including collections of personal data, initially designed for a good purpose may be turned to a bad one.

This historical experience and the need to provide legal protection against the prosecution of some randomly selected demographic groups by a totalitarian regime has become a European heritage. This common heritage in Europe is evident in Article 8 of the European Data Protection Directive 95/46/EC, which requires EU member states to prohibit in principle the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

However, the high degree of exposure to this historical experience may stimulate Germany’s tendency to act as a kind of early warning system for data protection in Europe and may explain the recent findings of the conference of Data Protection Authorities of States and the Federation of Germany: "The understanding of what is meant by private sphere and digital self-determination and the relationship between state and citizens on both sides of the Atlantic is increasingly polarised and the huge differences in legal cultures begin to become even more apparent. Whereas on the one side there is the threat of the dismantling of rule-of-law structures as well as the annulment of basic rights in favour of a preventive state, there is on the other side a discussion under way concerning an extensive codification of data protection with the aim not less than a redefinition of the protection of the private sphere."

Big Solutions Versus Small Solutions

While the pressures to suspend Safe Harbor on the EU level grow without the desired U.S. movement toward the 13 recommendations of the EU Commission, German DPA Andrea Voßhoff rates Safe Harbor as not secure, demands short-term resolution of EU concerns and warns that a failure of negotiations may result in significant economic effects.

At the same time, relevant DPAs in Germany do not seem willing to wait any longer for a "big solution" on the EU level, announcing that they have opened, in some cases, administrative proceedings against relevant companies disclosing personal data on basis of the Safe Harbor scheme, thus starting to build a "small solution" to resolve Safe Harbor by a de facto suspension on a case-by-case basis. Other DPAs in the EU may choose to follow this approach, and the corresponding risk increases with every day passing by without effective resolution of the Safe Harbor.

The corresponding effects may be further amplified by the recent approval of a draft law for enforcing consumer data protection by the German government that targets the data-handling practices of companies whose business models are based on the commercialization of data and will empower consumers and other qualified associations to send cease-and-desist letters and to initiate legal action for injunctive relief against companies violating the law’s provisions. More specifically, it will allow class-actions in cases involving violations of the rules in advertising and market and opinion research, the creation of personality or usage profiles, address and data brokering and similar commercial uses.

The largest privacy class-action in Europe is already on its way in Austria where the responsible court in Vienna has scheduled the first hearing in Facebook’s alleged violation of European privacy laws for this April. In parallel, the European Court of Justice (ECJ) has notified Max Schrems that it will hear his case against the Irish DPA regarding Facebook's handling of his data (C-362/14) as early as March. Safe Harbor, cooked on low heat so far, will soon have to cope with intense heat.

A Special Deal Based on Shared Values

Alan Westin, the most venerable U.S. privacy scholar, defined privacy in 1967 as "the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others." Likewise, the highest court in Germany defined privacy in its most appreciated proclamation of the right of informational self-determination in 1983 as "the capacity of the individual to determine in principle the disclosure and use of his/her personal data."

The similarities of these representative definitions of privacy from each side of the Atlantic are obvious, except for the fact that first is based on a claim and the latter on an actual capacity based on constitutional rights. The shared values between U.S. and Europe led to the Safe Harbor agreement in 2000. And for many years the Safe Harbor was easy to operate and worked practically soundless and everything could have been fine …

The Phantom Menace

Yet, "A Brief History of Safe Harbor" shows a rapidly growing discomfort in Europe with the agreement. Similar concerns have been raised by industry, referring to distortions of competition due to a lack of enforcement. These concerns have been further amplified by the ever-increasing pervasiveness of information technology breaking down all formerly existing barriers in the collection and processing of personal data. We’re in a new era, and big data has become the new oil.

Unfortunately, the global race for claiming and exploiting the digital oil fields, dominated by U.S. companies like Google and Facebook, did not always consider privacy concerns as first priority. Finally, the Snowden revelations brought to light the close collaboration between the private and the public sector and ubiquitous surveillance of the Internet. The disproportionate bulk data collection has made EU citizens suspicious and diminished their self-determination regarding when, how and to what extent information about them is communicated to others.

Ultimately, Safe Harbor was not designed to cope with these challenges.

Code Blue for Safe Harbor

European Commission Director of Fundamental Rights and Union Citizenship Paul Nemitz spoke plain English at the Computers, Privacy and Data Protection Conference 2015 in Brussels when he compared Safe Harbor with a patient Europe wants to live but not at all costs.

As a consequence, Nemitz challenged those who support Safe Harbor to help find solutions for enforcing the right of European data subjects against the behaviour of private companies as well against unlimited government surveillance. He stressed the EU position on that matter: "It is a request only in the context of Safe Harbor pertaining to data transferred to a closed group of identified companies. We need some good will here and we need some readiness to be a real partner because real partners take into account their mutual concerns and it is not enough just to say ‚that is domestic U.S. law and that’s how we are handling this. The Safe Harbor is a special deal which Europe makes for the U.S. We make this with no other country in the world. It equates the companies which go through the self-certification to European companies and in return to this special deal, some special effort … is necessary."

"A Brief History of Safe Harbor" demonstrates that the EU position represented by Nemitz has been expressed by various other representatives of the EU and relevant member states. However, the increasing frequency and pitch of voice in these statements in recent months seem to go far beyond ordinary impatience with the slow progress but rather begin to reveal partners who are becoming increasingly alienated over differences in legal cultures and in matters of data protection.

Scylla and Charybdis

Thus, relevant business may discover itself in an uncomfortable situation reminiscent of the 12th book of the Odyssey where Ulysses, on his way back from the Trojan War, had to pass a strait with the sea monster Scylla (an ineffective Safe Harbor) on the left and the whirlpool daemon Charybdis (actual or de facto suspension of Safe Harbor) on the right. In such a situation, only a small passage (EU Model Clauses or Binding Corporate Rules) may remain between the sea monster and the whirlpool daemon which would guarantee a safe journey home without loosing ship or crew—a situation vividly described by Ludwig Fulda:

Liegt Scylla links, Charybdis rechts bereit,
was kann dem armen Erdenpilger glücken?
Der falsche Weg ist viele Meilen breit,
der rechte schmäler als ein Messerrücken.

If Scylla left and Charybdis right is ready
what can the poor earthlings succeed?
The wrong way is miles wide,

the right one is narrower than the back of a knife


According to Nemitz, Safe Harbor is the litmus test of whether we together are able to recreate the trust in the Internet. His question is significant: "Without the U.S. moving on the Safe Harbor, where does the trust of people stand when they are using the Internet?" This looms over the Atlantic.

Let us hope there will be a swift breakthrough in the negotiations so that the present Scylla-and-Charybdis menace faced by businesses in Europe and the U.S. will vanish.

The views expressed in this article are my own and do not necessarily represent the views of the organisations with which I am associated, nor do the conclusions I have drawn necessarily represent the views of the persons I have quoted in this article.

1 Comment

If you want to comment on this post, you need to login.

  • comment Damon • Mar 5, 2015
    Dear Mr. Wilhelm, this is the first article I have read that succinctly captures the essence of the problems confronting cross-border data flows with respect to data protection and privacy between the U.S. and the EU.  As the former director of the U.S.-EU and Swiss Safe Harbor Frameworks, I agree that the cultural differences have long existed and the persistence of the belief in exceptionalism renders mute any objective dialogue to reach a compromise and indeed threatens on our side of the Atlantic a clear threat to democracy.  With nearly 5,000 companies in Safe Harbor today who are compliant with their commitments, and many of them small to medium-sized enterprises, I doubt seriously that model contracts or binding corporate rules offer reasonable alternatives should Safe Harbor suffer "a thousand cuts" from individual DPAs on a case-by-case basis. 
    It may be that the agreement negotiated between the U.S. and the EC is no longer relevant to the times and needs to be replaced by a supra-national instrument that provides equivalent protection with extraterritorial provisions, which offer predicable protection that meets the EU's directive or EDPR if it is ever enacted.  Let's hope that a viable solution may be found that transcends the current hostility from both sides of the Atlantic.