TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | The Plain Truth About Safe Harbor Related reading: Notes from the Asia-Pacific region, 17 March 2023




The stance adopted by the European Commission in the report on the functioning of Safe Harbor published today was probably one of the worst kept secrets of the privacy world. It was patently obvious to anyone close enough to the controversy around the ability of Safe Harbor to live up to the expectations of EU policymakers and regulators that the European Commission would be critical about it but would stop short of delivering a fatal blow to the scheme.

So as expected, the commission's report unequivocally reveals some deficiencies that are seen as unfair for both U.S. companies which properly apply the scheme and European companies that simply comply with EU data protection law. The toughest criticism is directed at the simple fact that, because the self-certification process does not involve any kind of regulatory scrutiny—compared, say, to the BCR authorisation process—about 10 percent of companies claiming to meet the Safe Harbor standards are actually making false claims. It is mainly the false claims issue that seems to impact on the credibility of the whole scheme.

This is based on the simple fact that those companies do not even have a privacy policy on their website—frankly, not a particularly difficult thing to do compared to some of the other EU-inspired privacy standards which are part of the Safe Harbor Privacy Principles. A more veiled criticism is directed to the enforcement mechanisms which are seen as a little too lame by the commission. This translates into a very simple commercial point: Where a European company competes with a U.S. company operating under Safe Harbor, but in practice not applying its principles, the European company is at a competitive disadvantage in relation to that U.S. company.

Interestingly, the commercial implications of this unfairness appear to be a greater concern than the potential vulnerability of Safe Harbor as a conduit to allow U.S. intelligence authorities to access data originating in the EU. In other words, the European Commission is not really seeking to turn Safe Harbor into a data bunker and seems content with the existing language which allows access to data "to the extent necessary" to meet national, security, public interest or law enforcement requirements. This does not mean that the tension between EU data protection and access to data by non-EU public authorities is resolved, but it takes this issue away from the Safe Harbor discussions.

All in all, the tone and content of the commission's position is fairly measured and reflects the ongoing dialogue between the EU and the U.S. around international data flows, adequate privacy safeguards and common democratic interests. In the short term, this means that Safe Harbor will survive pretty much unscathed. In the longer term, this may even be the beginning of real interoperability of privacy approaches.

photo credit: TPCOM via photopin cc


If you want to comment on this post, you need to login.