Why Europe is wrong to kill Safe Harbour

Suspending the EU-US Safe Harbour agreement on data protection will do nothing to address surveillance, says international policy analyst Cynthia Rich

Growing public scrutiny and outrage over government mass surveillance are both understandable and legitimate. However, suspending the US-EU Safe Harbour programme on the false pretext that it facilitates National Security Agency (NSA) surveillance is misguided.

Conflating national security and commercial trade issues serves the interests of the Safe Harbour’s opponents, who have tried to derail the programme since its inception in 2000. Framing the discussion in this way detracts from the larger and more important public debate that needs to take place in the US and Europe about the appropriate balance between national security interests and the protection of civil liberties and privacy rights.

The truth is that all of the mechanisms available under EU law to transfer personal information legally to the US offer no protection against government surveillance. Moreover, shutting out US companies may appeal to market protectionists, but in the end will only disadvantage European consumers.

Europe is also conducting mass surveillance

Concerns about mass surveillance are not limited to the US. The NSA’s Prism internet surveillance programme has been widely reported, but EU Member States – including France, Germany, the Netherlands, Sweden, and the UK – are conducting similar mass surveillance programmes.

A report by the Centre for European Policy Studies, commissioned by the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE), details these extensive surveillance programmes, but tries to minimise their significance by comparing raw budget numbers.

Safe Harbour

The Safe Harbour requires Safe Harbour-certified companies to protect personal data they receive in accordance with a set of agreed-upon privacy principles that can be enforced under US law.

When the Safe Harbour agreement was reached in 2000, both the EU and the US hailed the agreement as a way to avert an interruption in data flows that threatened to disrupt transatlantic trade and provide a predictable and less bureaucratic way for European and US companies to share personal information. 

The Safe Harbour is appealing to US companies because it offers a simpler and less expensive means of complying with European adequacy requirements, which benefits US and European companies, and in particular small and medium enterprises.

A more meaningful comparison would be to look at budget-to-GDP ratios which show how comparable these programme budgets are. But even this analysis misses the more salient point – US and European governments all engage in mass surveillance and their activities merit public scrutiny and debate rooted in facts.

Threats to Safe Harbour driven by competition, not privacy

This latest flurry of threats to suspend the Safe Harbour immediately is an 11th hour attempt to shore up lagging support for privacy reform. Merging national security and commercial trade issues serves the interests of European companies that have fallen behind their US counterparts. It also responds to the public outrage over government surveillance and gives the public the illusion that there is a quick-fix solution.

If the Safe Harbour and the other cross-border mechanisms for transferring data to the US were suspended, it would have no effect on government surveillance; it would, however, give a boost to European companies by hamstringing American competitors.

European privacy cloud

The European Commission’s Safe Harbour report advocates the development of Europe’s own cloud computing capabilities because “the modalities of the US-EU Safe Harbour agreements have been gravely violated”; the LIBE report similarly calls for a “European privacy cloud” as a way to protect European data against US surveillance.  

But, as the facts in the LIBE report demonstrate, personal data is no better protected against European surveillance, and the only outcome would be to give European businesses a chance to catch up with their US competitors through legislation camouflaged in the guise of protecting civil liberties.  

Linking commercial and national security issues also provides a back-door way for the Commission to exert influence over EU Member States’ intelligence activities, an area that falls outside its competence.

Transferring personal data to the US

There are essentially four options currently available to transfer personal data to the US: 

  1. Obtain the consent of the individual concerned; 
  2. Establish a contract between a company in the EU and the US; 
  3. Adopt a set of Binding Corporate Rules (BCRs) to enable transfers within the corporate family;
  4. The Safe Harbour.  

All but the Safe Harbour have significant disadvantages from a practical business perspective. Moreover, EU law has national security exceptions, so the reality is that none of these four options can protect individuals against government surveillance because EU Member State law does not provide for such protection.

Concerns over Safe Harbour are overblown

Many of the EC’s concerns about the Safe Harbour are overblown and have little to do with mass surveillance. For example, addressing the Commission’s charges about false representations of Safe Harbour adherence, which point to companies that claim to be Safe Harbour certified but are not on the list, would require the impossible task of policing the internet. In fact, FTC enforcement has been far more rigorous than the Commission suggests.

In contrast, there have been no enforcement actions by European data protection authorities against companies for failing to comply with the promises undertaken through the other two mechanisms promoted by the European regulators, namely Binding Corporate Rules and EU-approved Standard Contractual Clauses.

Furthermore, the Commission tries to claim, illogically, that the lack of Safe Harbour complaints is not evidence that the system is working properly. In the Commission’s view, the lack of evidence suggests there is a problem.

Some Commission recommendations have merit, but these issues do not relate to surveillance. For example, the Commission’s criticism about the Safe Harbour’s “lack of transparency” refers to the fact that, in some cases, links to privacy policies are not working or the policies are not otherwise publicly available. Such concerns are legitimate and, as a result, the US Department of Commerce has stepped up its oversight of the programme and made its certification review more rigorous.

Protectionism serves no one

For companies and consumers, the Safe Harbour has been enormously beneficial. Trying to kill it under the false guise of being concerned about government surveillance serves no one. 

If the EU wants to limit government surveillance, then Member States should negotiate with the US about limiting US and EU surveillance rather than resort to protectionist means that will be ineffective in addressing public concerns about mass surveillance.

Cynthia Rich is a senior international policy analyst in the Washington office of Morrison & Foerster LLP and was a member of the US government team that negotiated the 2000 US-EU Safe Harbour agreement.
