
By Damon Greer

Amid the rancor erupting from the subnational data protection authorities and the German federal data protection authority over Edward Snowden’s revelations about the National Security Agency’s PRISM program and Internet interceptions, Safe Harbor has become a target for retribution. Jan Albrecht, the rapporteur for the EU’s once-and-future data protection regulation that promises to offer prescriptive measures to protect data and perhaps stifle innovation, called for Safe Harbor’s demise once the regulation enters into force. The Article 29 Working Party opines that Safe Harbor may not provide the degree of protection—and really never did—that was expected when the European Parliament, the European Council and the European Commission (EC) approved the adequacy finding in July 2000. Still, one fact remains salient to the debate over the future or past of Safe Harbor as a legitimate tool for cross-border data transfers to the United States. The framework is legally binding on all member states in the EU and the three EEA countries, Norway, Iceland and Liechtenstein. No individual body may opt out of the agreement.

In the U.S., any organization that certifies compliance to the framework—Safe Harbor privacy principles and FAQs—is legally bound to adhere to its public commitments. Compliance is assured by third-party dispute-resolution bodies that include the European Union’s dispute resolution body—set up by the commission and the Working Party—and the Federal Trade Commission and the Department of Transportation’s Office of General Counsel.

Safe Harbor was negotiated to meet the cross-border data-transfer requirements of the EU’s Data Protection Directive, 95/46/EC, and to permit uninterrupted flows of personal data to the U.S. for commercial purposes. Safe Harbor is not perfect. It does not cover all sectors of the U.S. economy. Financial services and telecommunications are noted for their absence from the framework’s scope. In the early years of Safe Harbor’s existence, membership growth was tortuously slow—in 2004, only 440 companies were members—and enforcement was perceived by the commission and the Working Party to be nonexistent. Today, more than 4,000 are members, and 70 new applications are received each month. Acceleration began in 2007 and continues in part because of a heightened awareness of the importance of privacy globally among the business community and the concomitant need that governmental bodies recognize among their citizens to protect what is viewed as a fundamental right by many.

With the advent of the EU-U.S. Free Trade negotiations, it is certain that the draft regulation that updates and replaces the 1995 directive will be critical to the success of the negotiations. Is it a non-tariff trade barrier that singles out U.S. global companies or is it a measure that should be broadly recognized globally as a meaningful tool to protect fundamental rights? I can tell you the U.S. side will view a more prescriptive regulation as a non-tariff trade barrier, which, with tariffs averaging only three percent on goods exported to the U.S., will be more critical to negotiations than lowering tariffs further.

When I served as director of the EU-U.S. and Swiss Safe Harbor Frameworks, in a meeting with Jacob Kohnstamm in 2010 in Brussels, I had proposed expanding the Safe Harbor principles to include accountability and purpose limitation as a means of making the framework more compatible with the discussions of what to include in the new regulation or directive. I also suggested that we could jointly fund a third-party study to ascertain what level of compliance is actually achieved by those entities that had "self-certified" to the Safe Harbor principles. I would note that no official EC implementation review has been completed or published since the 2004 review was released. In December 2010, we were informed by the secretariat to the Working Party that a draft implementation review had been completed and was awaiting internal approval before it would be shared with us and then released, hopefully in February 2011. It never was approved. In May 2011, the director general for justice met with senior level commerce officials to discuss, inter alia, Safe Harbor. At the meeting, the director general for justice presented an “unofficial” copy of the review’s executive summary, which indicated that the program was functioning well but improvements could be made in several areas including transatlantic communications. At that time, it was expected that the review would be released that autumn. It was not.

On the U.S. side, policy leaders led by the NTIA and White House were opposed to any discussions on modernizing Safe Harbor, and the legal community inferentially welcomed new rules because they would eventually lead to new business—notwithstanding the effectiveness of new data protection regulations in affording enhanced protection to EU citizens or how the new rules would be implemented and enforced.

The NSA’s domestic intelligence surveillance programs are linked irrevocably to the country’s security. Safe Harbor is a framework designed to protect EU citizens’ personal data that is legitimately collected by organizations for processing and use in the United States. Data controllers in Europe that collaborate with Safe Harbor-certified entities have legal obligations to their clients before engaging in any cross-border transfer activity. It makes no difference if they use standard contractual clauses, binding corporate rules, Safe Harbor or any of the derogations in Article 26 of the directive; their fiduciary responsibilities are clear, as the Working Party has made abundantly clear over the years.

The disdain the EU data protection community has for Safe Harbor today is not so much attributed to concern over citizens’ fundamental rights as it is over the dominance U.S. multinationals have of the high technology sector in Europe and the U.S. Our legal framework is not theirs; they do not understand ours, or choose not to listen when our system is explained, and belittle the efforts made by all parties to achieve compromises between the U.S. and the EU.

The EU's practice of awarding adequacy seemingly based only on a national data protection law coupled with an independent data protection enforcement authority does not extend practical protection to other nations' citizens uniformly. The EU model does not work for every nation in the world. I sometimes wonder at the naïveté of the legal community when they view data protection rules in Russia and China as a sign of those countries' efforts to join the global data protection community.

Next year, the EU will hold parliamentary elections. Next June, the mandate to reform the data protection directive will expire if no progress to solving the myriad differences is achieved. It remains to be seen which direction the EU will follow if this scenario plays out.

Damon Greer served as the director of the EU-U.S. and Swiss Safe Harbor Frameworks from July 2006 through September 2011. He negotiated the U.S.-Swiss Safe Harbor Framework, organized and participated in four EU-U.S. Joint Safe Harbor conferences and numerous other events designed to educate audiences about Safe Harbor benefits. He can be reached at dcgreer@verizon.net.

