The European Commission has announced that it will not kill off Safe Harbor. Instead it has published 13 recommendations to improve it and has called on US authorities to help sort this out by summer 2014. There will then be a further review of the functioning of Safe Harbor.
Safe Harbor is the self-certification regime under which US businesses can make public commitments to comply with the Safe Harbor Privacy Principles. It usually exposes them to regulation by the Federal Trade Commission; a serious regulator in anyone’s book and with a long history of enforcing privacy breaches. The EU (in particular Germany) has long been wondering how “safe” the Safe Harbor really is. The Edward Snowden revelations, including about Angela Merkel’s phone being monitored, gave it the platform to escalate the issue. That is what prompted this review so it a fraught political area.
Why is this important?
Lots of businesses use US vendors to provide services which involve servers, back up or IT maintenance being provided from the US. Many others need to share data with their US operations or the US HQ. In our globalised world, global data transfers are the norm. Killing off Safe Harbor without providing an alternative solution would push many companies into hot regulatory waters. After all, although there are alternatives like Binding Corporate Rules adopted by vendors (the so-called “Processor BCRs”) they are still in their infancy.
What are the 13 recommendations?
The recommendations proposed by the EU beef up requirements in relation to transparency, redress, enforcement and, interestingly, access by US law enforcement agencies. Much of this looks like good data privacy practice. So far so good, although it is difficult to see how the recommendation that companies state in their privacy policies that they may disclose data for the purposes of national security and law enforcement, will deal with the PRISM debate. It’s surely not in a company’s gift to know whether a specific request for access is really necessary for legitimate purposes? In any event, national security laws are not harmonised in Europe and have always been excluded from the EU Data Protection Directive.
What happens next?
There is no doubt that companies will have heaved a collective sigh of relief that Safe Harbor has survived. Such was the reaction to the PRISM debate and Edward Snowden earlier this year that some were saying Safe Harbor is dead! This is important for the 3,000-plus companies that are Safe Harbor-certified and many more who we expect to join in order to sell their services into Europe as the digital and cloud markets grow.
The real question is whether the EU and the US can agree a basis to retain Safe Harbor in the long term which pays sufficient homage to European data privacy law and “works” for US business. It won’t help that we have European elections in May 2014 and that the Commission will be re-appointed at that time. To use the US analogy, does that make one of the negotiating parties analogous to a “lame duck president”? We doubt that, but it’s difficult to see how a final agreement can be reached any time soon. It’s also a reminder of the impact that politics can have on data privacy and that politics has, so far, failed to provide the answer.