The stance adopted by the European Commission in the report on the functioning of Safe Harbor published today was probably one of the worst kept secrets of the privacy world. It was patently obvious to anyone close enough to the controversy around the ability of Safe Harbor to live up to the expectations of EU policymakers and regulators that the European Commission would be critical about it but would stop short of delivering a fatal blow to the scheme.
So as expected, the commission's report unequivocally reveals some deficiencies that are seen as unfair for both U.S. companies which properly apply the scheme and European companies that simply comply with EU data protection law. The toughest criticism is directed at the simple fact that, because the self-certification process does not involve any kind of regulatory scrutiny—compared, say, to the BCR authorisation process—about 10 percent of companies claiming to meet the Safe Harbor standards are actually making false claims. It is mainly the false claims issue that seems to impact on the credibility of the whole scheme.
Interestingly, the commercial implications of this unfairness appear to be a greater concern than the potential vulnerability of Safe Harbor as a conduit to allow U.S. intelligence authorities to access data originating in the EU. In other words, the European Commission is not really seeking to turn Safe Harbor into a data bunker and seems content with the existing language which allows access to data "to the extent necessary" to meet national, security, public interest or law enforcement requirements. This does not mean that the tension between EU data protection and access to data by non-EU public authorities is resolved, but it takes this issue away from the Safe Harbor discussions.
All in all, the tone and content of the commission's position is fairly measured and reflects the ongoing dialogue between the EU and the U.S. around international data flows, adequate privacy safeguards and common democratic interests. In the short term, this means that Safe Harbor will survive pretty much unscathed. In the longer term, this may even be the beginning of real interoperability of privacy approaches.