The Safe Harbor

Periodically, and again today, there’s a conference to discuss trans-Atlantic privacy issues, and take stock of the Safe Harbor framework. As an American who works in this field in Paris, I have long cared more than most people about trans-Atlantic privacy issues.

Why is the Safe Harbor framework still relevant? Here’s a reminder: the Safe Harbor framework was created because of a quirk in European law dating from 1995 that divided the countries of the world into so-called "adequate" and not-"adequate", in terms of having European style data protection. Countries like the US and Japan are not currently deemed to have "adequate" protections under EU law, but other countries like Argentina and Mexico and Israel are. It's a fair question whether the criteria to assess "adequacy" are themselves realistic or out-dated. Essentially, the criteria area formalistic: e.g., does a country have a European-style “independent data protection authority” and European-style “comprehensive” privacy legislation? So, countries that do not, like Japan and the US, are not deemed to have “adequate” data protection, but countries like Mexico, Argentina or Israel are. The Safe Harbor framework constitutes an “adequacy” regime for the US-based companies that comply with it. Therefore, the Safe Harbor framework is a partial solution to a bigger “adequacy” problem.

Rather than debating the Safe Harbor framework, we should be debating the “adequacy” regime. In the real world, no one would believe for a minute that data is less protected in Japan or the US than in Mexico, Argentina or Israel. But this bureaucratic fiction has very real-world consequences, if it makes “illegal” the transfer of personal data from Europe to these non-”adequate” countries. Surely, such routine global data transfers from Europe to Japan, to take just one examples amongst many in the cloud, can’t all be “illegal”?

Why does Europe fight so hard to maintain these rather reality-divorced rules, and why is Europe choosing not to modernize them as part of its comprehensive data protection law review? There is a simple reason, and it has very little to do with the reality of privacy protections. The so-called “adequacy” test is a powerful tool used by European policymakers to cajole other countries into adopting European style data protection laws and regulations. In 2011 alone, 6 countries in Latin America adopted European-style data protection laws. The motivation for these countries is often unabashedly trade-based, namely, the unhindered transfer of personal data from Europe to these countries, which hope to build information-based out-sourcing industries. Europe holds out a significant carrot to countries, saying essentially, “if you copy my privacy legal structure, we’ll reward you with information-based trade.” This, in a nutshell, is why Europe is winning the global competition to influence privacy laws in countries around the world.

I have long been an advocate of the vision of global privacy standards. Instead, what the world is getting is the globalization of European privacy standards.

"I didn't have time to write a short letter, so I wrote a long one instead". Mark Twain

I recently spent a few days grappling with government regulations written for the public. Together with my Dad, who is in his 80's, we tried to get some answers to simple Medicare questions about prescription drugs. I almost gave up when I realized that I still had no clue, after spending hours trying to read the government's guidance. I'm a Harvard-trained lawyer, and I couldn't understand them. I looked at my Dad, and I wondered what seniors are supposed to do who are often old and sick, and might not have a Harvard-lawyer around the house to help them.

Thankfully, there's a very worthwhile initiative, to get the US Federal government to use Plain English. Indeed, I think it's worthwhile to simply quote from the government's site directly:

President Obama signed the Plain Writing Act of 2010 on October 13, 2010. The law requires that federal agencies use "clear Government communication that the public can understand and use." On January 18, 2011, he issued a new Executive Order, "E.O. 13563 - Improving Regulation and Regulatory Review." It states that "[our regulatory system] must ensure that regulations are accessible, consistent, written in plain language, and easy to understand."

And to bring it back to my blog's topic, namely, privacy, I'd encourage you to take a look at how plainlanguage.gov has drafted its own site's privacy policy. It's here.

Many government regulations aren't really drafted for normal citizens. They're drafted by and for lawyers, lobbyists, specialists, and regulators. The same is often true of privacy policies. I'm in the school that thinks that privacy policies should be drafted for the general public, and that they should look something like plainlanguage.gov's privacy policy. Even the IRS, which is not an agency generally celebrated for its brevity of its prose, managed to publish a privacy policy that is exactly 7 sentences long.

Data Protection Officers, required by law in Europe

Europe has long led the world in creating privacy rules. Soon, Europe will likely make it a requirement for all companies with over 250 employees to appoint a Data Protection Officer (DPO). Here are a few practical thoughts about DPOs in the modern corporation.

1) We need to train up more DPOs. The universe of privacy professionals is still quite small, today. There simply aren't enough experienced DPOs to fill the imminent legal requirements. Soon, many thousands of companies operating in Europe will be looking to appoint DPOs to meet legal obligations, and since there is no available pool of such people, companies need to start thinking now about how to recruit, train and resource a DPO, and/or an entire DPO team, for the large companies.

2) Companies should decide if their data processing is simple or complicated, and staff their DPO accordingly. Depending on what kind of company you are, you could legitimately take three different approaches:

1) DPO role is added to existing function: Some companies may have data processing operations that are quite simple and unproblematic. For them, it may make perfect sense to ask someone in the Human Resources or Marketing departments to train up and play this role too.

2) DPO role is out-sourced. Some companies may decide to outsource the role to DPO-consultants who might provide similar services for many clients. Note to entrepreneurial privacy professionals: creating such shared-DPO-consultant services is likely to be a booming business opportunity in the future. Realistically, I think DPO-out-sourcing is only really an option for companies with simple data processing operations, but there are still legions of those.

3) DPO heavy-weights needed. Some companies have complicated and sensitive data processing operations. They will want their DPOs to be strategic data-stewards, guiding their companies to use and protect data in responsible ways, navigating through the thickets of regulatory rules, and representing them before regulatory bodies and courts. I think large and complicated companies should be expected to have senior and experienced DPOs, or in the cases of big companies, indeed, teams of them. But today, rather shockingly, some of the world's largest data processing companies, with mega-databases of trillions of pieces of personal data, do not have a single heavy-weight DPO on staff.

3) Companies need to give their DPOs adequate resources and authority. It's pretty obvious to me, as a long-time insider, that privacy will be well-served by a growing profession of DPOs in companies. To succeed, DPOs will need two things, which are essential to getting things done in large organizations: namely, resources and authority. It takes significant resources to monitor/advise/document the data processing operations of a large corporation (as will likely be required under the new EU laws) and it takes people with real authority to implement the goals of the role of the DPO, as the laws envision it. As for authority, I don't think authority always flows from corporate reporting lines (let's get over this simplistic thinking that every DPO should report to the CEO). I believe authority is derived from substantive knowledge of privacy law and business goals, judgment, persuasiveness, credibility, and perhaps most important of all, the backbone to defend the precious goal of privacy. The European legal proposals go even further in trying to protect the DPO's independence, by providing the DPO with some legal protections against unfair dismissal.

Europe, once again, leads the world in creating privacy rules. Europe proposes many daft rules (e.g., mandatory security breach notifications sent to consumers within 24 hours!, as is currently proposed, get real!). But, Europe sometimes leads the world in creating rules that meaningfully improve privacy protections. In the decade ahead, let's work together to strengthen and spread the role of the Data Protection Officer.