I have been thinking a lot recently about the days at the U.S. Department of Commerce (DoC) back in the late 1990s when we negotiated the U.S.-EU Safe Harbor Privacy Arrangement (Safe Harbor) with the European Commission (EC). I never thought at the time that Safe Harbor would ever be in the spotlight as much as it is today. Watching all of this unfold in recent days, I have been struck by the many misunderstandings about the arrangement and the European Court of Justice’s (ECJ’s) judgment, and thought now was a good time to set the record straight on five myths about Safe Harbor.
Myth #1: Safe Harbor is terminated as a result of the Schrems judgment.
Not so. The Safe Harbor is still fully operational as a program. Safe Harbor is not a treaty. It is an international cooperative arrangement whereby, on the U.S. side, the DoC promulgates the Safe Harbor Privacy Principles and FAQs, and maintains the list of Safe Harbor certified companies. The U.S. Federal Trade Commission (FTC) enforces Safe Harbor. On the European side, in 2000, the European Commission followed the internal process set forth in the 1995 Data Protection Directive (95/46/EC) (Directive) to find that the Safe Harbor Privacy Principles and FAQs, as enforced by the FTC, provide "adequate protection" within the meaning of Article 25(6) of the Directive. The Schrems judgment only invalidated the European Commission's Safe Harbor decision. It did not repeal or otherwise dismantle the Safe Harbor program itself. The DoC still operates the Safe Harbor list and program, and the FTC's authority remains unchanged by the Schrems judgment. The continued operation of Safe Harbor is critical in this transition period as companies still have Safe Harbor commitments, including contractual obligations, registrations with data protection authorities, works council agreements, and the like.
Myth #2: Safe Harbor is intended to address government surveillance issues.
Not so. Safe Harbor is a commercial arrangement. The concerns about surveillance need to be resolved through government-to-government law enforcement and national security negotiations such as those that have produced the US-EU "Umbrella Agreement" on law enforcement data sharing, and related legislation and policy changes.
Myth #3: Safe Harbor is poorly enforced by the FTC.
Not so. The FTC has enforced Safe Harbor with increasing vigor over the last few years. In the race to enforce European privacy rights against U.S. companies on U.S. territory, the FTC is not only winning the race, it is the only one in the race. The FTC has driven dozens of Safe Harbor cases into 20-year privacy consent decrees, backed by potential penalties of $16,000 per violation for non-compliance with such orders.
Myth #4: Safe Harbor failed to stand the test of time.
Not so. Safe Harbor thrived for 15 years as a transatlantic bridge for commerce and privacy. This marks roughly the period from the implementation of the Directive to the present, when the Directive itself is poised to be replaced with the proposed EC General Data Protection Regulation.
Myth #5: The Safe Harbor Arrangement is no longer needed.
Not so. Safe Harbor is needed today more than ever. It provides an enforceable solution for authorities on both sides of the Atlantic to collaborate and provide adequate protection for personal data, and cannot be replaced by model contracts, Binding Corporate Rules (BCRs) or other alternatives. More than half of the 4,000-plus U.S. organizations participating in Safe Harbor are small- to medium-sized enterprises that do not have resources to implement alternatives such as BCRs and would have significant challenges establishing point-to-point model contract solutions.