This morning, the European Commission released its report on the state of the US-EU Safe Harbor, a mechanism that provides for international data transfers, proposing a series of recommendations designed “to restore trust in data flows between the EU and the U.S.” Europeans have long been critical of the Safe Harbor — and America’s free-wheeling attitude toward privacy in general — but the Summer of Snowden provided a perfect pretext to “reconsider” the efficacy of the Safe Harbor.
America’s hodgepodge or “sectoral” approach to privacy has increasingly placed U.S. officials on the defensive, and there’s no question the Safe Harbor can be improved. However, conflating Safe Harbor reform with justified anger about expansive NSA snooping is counterproductive. First and foremost, while public and private data sharing is increasingly intermingled, government access to data is not the same as commercial data use. The Safe Harbor was explicitly designed to protect the commercial privacy interests of EU citizens.
It was not created to address national security issues, and the Safe Harbor specifically provides an exception from its requirements “to the extent necessary to meet national security, public interest, or law enforcement requirements.” As FTC Commissioner Julie Brill has noted, national security exceptions to legal regimes are not unusual. For example, the HIPAA Privacy Rule permits the disclosure of private health information in the interest of national security, and even the EU’s stringent Data Protection Directive includes an exception for state security or defense.
Dismantling or weakening the Safe Harbor will not prevent the NSA from getting the data of EU citizens. “Companies are going to be transferring data and they’re going to find ways to do it,” Proskauer Rose attorney Jeremy Mittman explained to Politico. Our modern global economy relies on data transfers, and absent the Safe Harbor, other data transfer mechanisms such as binding corporate rules and standard contract rules will continue to be subject to a similar national security exception. It’s likely that the NSA’s surveillance efforts are both excessive and counterproductive at this point, but US-based companies are still bound to comply with valid legal orders. As soon as European data gets into the United States, the US government can compel companies to provide it with access to that information. Or as Verizon put it, “The laws are not set by Verizon, they are set by the governments in which we operate. I think it’s important for us to recognise that we participate in debate, as citizens, but as a company I have obligations that I am going to follow.”
Certainly, perhaps as a matter of policy, companies like Verizon ought to push back against overbroad or unnecessary government information requests — and many companies such as Apple, Google, Microsoft, and Facebook are. Still, companies are ultimately required to comply with US laws, and the existence of a national security exception does not by itself reflect a failure of the Safe Harbor.
The European Commission has called for any national security exception to be used “only to the extent that it is strictly necessary or proportionate.” Unfortunately, no one truly knows what this means anymore. For its part, the Commission provides no further guidance. The Federal Trade Commission, which enforces the Safe Harbor, is not in a position to determine the scope of national security demands. It is in the business of enforcing commercial privacy, not starting intra-agency battles with the intelligence community. Jan Albrecht, who is leading efforts to reform Europe’s data law, recognizes that his efforts will have little impact on intelligence agencies. He remarked that national security remains “a huge loophole and we need to close it. But we can’t close it with this regulation.”
The only parties that can properly resolve this are high-level officials on both sides of the Atlantic. Absent a comprehensive agreement between the EU and the US regarding surveillance and government intelligence efforts, the only way to truly protect EU citizens from the NSA would be to prohibit any and all transfers of data into the United States. Even that may not work. It may not even be realistic. The damage this would cause to the transatlantic, let alone the global, economy would be considerable. This course of action may indeed give European officials some leverage over American surveillance efforts, but it would come at great cost. Tearing down the Safe Harbor would be a drastic and misplaced effort to address a much larger concern about the scope of the NSA’s surveillance programs.