Today, some four months after we first announced it, my organization put out our Safe Harbor Report on the effectiveness of the U.S.-EU Safe Harbor in protecting EU citizen privacy and promoting trans-Atlantic data transfers. That’s something of a mouthful, but I’m proud of my contributions to the report, which include the paper’s discussions on enforcement, government access to information (e.g., NSA activity), and some of the recommendations and case studies. I now know entirely too much about trans-Atlantic data transfers under the program, so here’s hoping the European Union doesn’t suspend the Safe Harbor now!
This morning, the European Commission released its report on the state of the U.S.-EU Safe Harbor, a mechanism that provides for international data transfers, proposing a series of recommendations designed “to restore trust in data flows between the EU and the U.S.” Europeans have long been critical of the Safe Harbor — and America’s free-wheeling attitude toward privacy in general — but the Summer of Snowden provided a perfect pretext to “reconsider” the efficacy of the Safe Harbor.
America’s hodgepodge or “sectoral” approach to privacy has increasingly placed U.S. officials on the defensive, and there’s no question the Safe Harbor can be improved. However, conflating Safe Harbor reform with justified anger about expansive NSA snooping is counterproductive. First and foremost, while public and private data sharing is increasingly intermingled, government access to data is not the same as commercial data use. The Safe Harbor was explicitly designed to protect the commercial privacy interests of EU citizens.
It was not created to address national security issues, and the Safe Harbor specifically provides an exception from its requirements “to the extent necessary to meet national security, public interest, or law enforcement requirements.” As FTC Commissioner Julie Brill has noted, national security exceptions to legal regimes are not unusual. For example, the HIPAA Privacy Rule permits the disclosure of private health information in the interest of national security, and even the EU’s stringent Data Protection Directive includes an exception for state security or defense.