By Damon Greer

Amid the rancor erupting from the subnational data protection authorities and the German federal data protection authority over Edward Snowden’s revelations about the National Security Agency’s PRISM program and Internet interceptions, Safe Harbor has become a target for retribution. Jan Albrecht, the rapporteur for the EU’s once-and-future data protection regulation that promises to offer prescriptive measures to protect data and perhaps stifle innovation, called for Safe Harbor’s demise following entering into force of the regulation. The Article 29 Working Party opines that Safe Harbor may not provide the degree of protection—and really never did—that was expected when the European Parliament, the European Council and the European Commission (EC) approved the adequacy finding in July 2000. Still, one fact remains salient to the debate over the future or past of Safe Harbor as a legitimate tool for cross-border data transfers to the United States. The framework is legally binding on all member states in the EU and the three EEA countries, Norway, Iceland and Lichtenstein. No individual body may opt out of the agreement.

In the U.S., any organization that certifies compliance to the framework—Safe Harbor privacy principles and FAQs—is legally bound to adhere to its public commitments. Compliance is assured by third-party dispute-resolution bodies that include the European Union’s dispute resolution body—set up by the commission and the Working Party—and the Federal Trade Commission and the Department of Transportation’s Office of General Counsel.

Safe Harbor was negotiated to meet the cross-border data-transfer requirements of the EU’s Data Protection Directive, 95/46/EC, and to permit uninterrupted flows of personal data to the U.S. for commercial purposes. Safe Harbor is not perfect. It does not cover all sectors of the U.S. economy. Financial services and telecommunications are noted for their absence from the framework’s scope. In the early years of Safe Harbor’s existence, membership growth was tortuously slow—in 2004, only 440 companies were members—and enforcement was perceived by the commission and the Working Party to be nonexistent. Today, more than 4,000 are members, and 70 new applications are received each month. Acceleration began in 2007 and continues in part because of a heightened awareness of the importance of privacy globally among the business community and the concomitant need that governmental bodies recognize among their citizens to protect what is viewed as a fundamental right by many.

With the advent of the EU-U.S. Free Trade negotiations, it is certain that the draft regulation that updates and replaces the 1995 directive will be critical to the success of the negotiations. Is it a non-tariff trade barrier that singles out U.S. global companies or is it a measure that should be broadly recognized globally as a meaningful tool to protect fundamental rights? I can tell you the U.S. side will view a more prescriptive regulation as a non-tariff trade barrier, which, with tariffs averaging only three percent on goods exported to the U.S., will be more critical to negotiations than in lowering tariffs further.

When I served as director of the EU-U.S. and Swiss Safe Harbor Frameworks, in a meeting with Jacob Kohnstamm in 2010 in Brussels, I had proposed expanding the Safe Harbor principles to include accountability and purpose limitation as a means of making the framework more compatible with the discussions of what to include in the new regulation or directive. I also suggested that we could jointly fund a third-party study to ascertain what level of compliance is actually achieved by those entities that had "self-certified" to the Safe Harbor principles. I would note that no official EC implementation review has been completed or published since the 2004 review was released. In December 2010, we were informed by the secretariat to the Working Party that a draft implementation review had been completed and was awaiting internal approval before it would be shared with us and then released, hopefully in February 2011. It never was approved. In May 2011, the director general for justice met with senior level commerce officials to discuss, inter alia, Safe Harbor. At the meeting, the director general for justice presented an “unofficial” copy of the review’s executive summary, which indicated that the program was functioning well but improvements could be made in several areas including transatlantic communications. At that time, it was expected that the review would be released that autumn. It was not.

On the U.S. side, policy leaders led by the NTIA and White House were opposed to any discussions on modernizing Safe Harbor, and the legal community inferentially welcomed new rules because they would eventually lead to new business—notwithstanding the effectiveness of new data protection regulations in affording enhanced protection to EU citizens or how the new rules would be implemented and enforced.

The NSA’s domestic intelligence surveillance programs are linked irrevocably to the country’s security. Safe Harbor is a framework designed to protect EU citizens’ personal data that is legitimately collected by organizations for processing and use in the United States. Data controllers in Europe that collaborate with Safe Harbor-certified entities have legal obligations to their clients before engaging in any cross border transfer activity. It makes no difference if they use standard contractual clauses, binding corporate rules, Safe Harbor or any of the derogations in Article 26 of the directive, their fiduciary responsibilities are clear, as the Working Party has made abundantly clear over the years.

The distain the EU data protection community has for Safe Harbor today is not so much attributed to concern over citizens’ fundamental rights as it is over the dominance U.S. multinationals have of the high technology sector in Europe and the U.S. Our legal framework is not theirs, they do not understand ours, or choose not to listen when our system is explained and belittle the efforts made by all parties to achieve compromises between the U.S. and the EU.

The EU's practice of awarding adequacy seemingly based only on a national data protection law coupled with an independent data protection enforcement authority does not extend practical protection to other nations' citizens uniformly. The EU model does not work for every nation in the world. I sometimes wonder at the naïveté of the legal community when they view data protection rules in Russia and China as a sign of those countries' efforts to join the global data protection community.

Next year, the EU will hold parliamentary elections. Next June, the mandate to reform the data protection directive will expire if no progress to solving the myriad differences is achieved. It remains to be seen which direction the EU will follow if this scenario plays out.

Damon Greer served as the director of the EU-U.S. and Swiss Safe Harbor Frameworks from July 2006 through September 2011. He negotiated the U.S.-Swiss Safe Harbor Framework, organized and participated in four EU-U.S. Joint Safe Harbor conferences and numerous other events designed to educate audiences about Safe Harbor benefits. He can be reached at dcgreer@verizon.net.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»