Monday, March 19, 2012
The Safe Harbor
Periodically, and again today, there’s a conference to discuss trans-Atlantic privacy issues, and take stock of the Safe Harbor framework. As an American who works in this field in Paris, I have long cared more than most people about trans-Atlantic privacy issues.
Why is the Safe Harbor framework still relevant? Here’s a reminder: the Safe Harbor framework was created because of a quirk in European law dating from 1995 that divided the countries of the world into so-called "adequate" and not-"adequate", in terms of having European style data protection. Countries like the US and Japan are not currently deemed to have "adequate" protections under EU law, but other countries like Argentina and Mexico and Israel are. It's a fair question whether the criteria to assess "adequacy" are themselves realistic or out-dated. Essentially, the criteria area formalistic: e.g., does a country have a European-style “independent data protection authority” and European-style “comprehensive” privacy legislation? So, countries that do not, like Japan and the US, are not deemed to have “adequate” data protection, but countries like Mexico, Argentina or Israel are. The Safe Harbor framework constitutes an “adequacy” regime for the US-based companies that comply with it. Therefore, the Safe Harbor framework is a partial solution to a bigger “adequacy” problem.
Rather than debating the Safe Harbor framework, we should be debating the “adequacy” regime. In the real world, no one would believe for a minute that data is less protected in Japan or the US than in Mexico, Argentina or Israel. But this bureaucratic fiction has very real-world consequences, if it makes “illegal” the transfer of personal data from Europe to these non-”adequate” countries. Surely, such routine global data transfers from Europe to Japan, to take just one examples amongst many in the cloud, can’t all be “illegal”?
Why does Europe fight so hard to maintain these rather reality-divorced rules, and why is Europe choosing not to modernize them as part of its comprehensive data protection law review? There is a simple reason, and it has very little to do with the reality of privacy protections. The so-called “adequacy” test is a powerful tool used by European policymakers to cajole other countries into adopting European style data protection laws and regulations. In 2011 alone, 6 countries in Latin America adopted European-style data protection laws. The motivation for these countries is often unabashedly trade-based, namely, the unhindered transfer of personal data from Europe to these countries, which hope to build information-based out-sourcing industries. Europe holds out a significant carrot to countries, saying essentially, “if you copy my privacy legal structure, we’ll reward you with information-based trade.” This, in a nutshell, is why Europe is winning the global competition to influence privacy laws in countries around the world.
I have long been an advocate of the vision of global privacy standards. Instead, what the world is getting is the globalization of European privacy standards.