FTC Commissioner Julie Brill warned last week that the EU's data protection reform effort has targeted the US-EU Safe Harbor, and that outrage over revelations regarding NSA surveillance has endangered the program's continuation.
The Safe Harbor was negotiated by the Clinton Administration as a way to ensure that the EU's then-new data protection directive would not block trans-Atlantic transfers of personal data. The directive prohibited member countries from allowing the transfer of data to countries that lacked adequate privacy protections. The United States, because its approach to data privacy differs widely from that in Europe, was not deemed to be adequate. Hence, without some solution, data flows between the EU and United States may have been disrupted. Needless to say, in today's era of global companies with customers and employees located around the world, that type of prohibition would have been catastrophic.
The Safe Harbor, which is voluntary, saved the day. It allows US companies to certify compliance to several basic privacy principles:
- Notice - Organizations must provide notice to individuals of the data they collect and what they do with it.
- Choice - Individuals must have the right to choose whether certain types of disclosures can be made.
- Onward transfer - Organizations must ensure that any third parties to whom they entrust personal information adhere to the same obligations.
- Access - Individuals have a right to reasonable access to their personal information.
- Security - Organizations must take reasonable measures to protect the personal information they collect.
- Data integrity - Organizations must take reasonable steps to ensure that the data they collect are accurate and only as extensive as necessary for the intended purpose.
- Enforcement - Organizations must afford an independent recourse to individuals who believe themselves aggrieved by a violation of these principles.
So what does any of this have to do with the National Security Agency? Well, nothing really. Every country's privacy laws contain exceptions for law enforcement or national security as permitted by applicable law. Although European privacy advocates frequently have criticized the lack of teeth inherent in the Safe Harbor, the current contretemps actually is about US law more widely and what many in Europe view as overly expansive government authority to require disclosure of personal information.
In other words, this is not about big, bad companies - the usual EU complaint - but instead big, bad government. The Safe Harbor has nothing to do with it, but without the Safe Harbor, data arguably would not be sent in the first place. Hence, at least some European government officials seem determined to try to leverage the threat of a data stoppage into US concessions on governmental surveillance.
(Yes, there is some sanctimony in this posture. European governments undoubtedly engage in a wide range of surveillance of their own; however, their ability to surveil in many respects is more limited than is that of the US, and the simple fact is that, unlike the US, they haven't been caught.)
So, will that effort succeed? I doubt it. In the first instance, the US and EU economies are far too closely entwined to permit a real barrier on exchange of data by companies operating in both markets. Moreover, even without a Safe Harbor, companies could enable data transfers through entry into "model contracts" with EU data exporters that obligate those companies to meet certain requirements. Model contracts are less attractive than the Safe Harbor for a variety of reasons, but, of salience here, they would do nothing to increase the protection of Europeans' personal data from lawful US governmental intrusion.
Most importantly, the EU position boils down to distaste over another government's spying on its citizens. The US government's frequent assurances that it treats US citizens' communications more protectively than those of foreigners - which largely have fallen flat at home - surely have inflamed sentiment abroad.
Nonetheless, I see little chance that the US government will agree to protections for US-housed data of Europeans that are greater than those for Americans or agree to apply US constitutionally required standards to foreign communications that pass through US internet service providers. The most likely outcome is resolution of the dispute through some private assurances and face-saving gestures that allow the Safe Harbor, perhaps with some modest changes, to continue.
However, in the longer term, the most objectionable US posture - that foreign communications are entitled to a lower degree of protection than those of US citizens - risks encouraging Europeans and others to develop methods of communication that do not depend on US providers. By aggressively leveraging our currently dominant position in the internet communications sector, and being discovered doing so, our government may be hastening the day when we no longer are so dominant.