Monday, March 19, 2012

The Safe Harbor

Periodically, and again today, there’s a conference to discuss trans-Atlantic privacy issues, and take stock of the Safe Harbor framework. As an American who works in this field in Paris, I have long cared more than most people about trans-Atlantic privacy issues.

Why is the Safe Harbor framework still relevant? Here’s a reminder: the Safe Harbor framework was created because of a quirk in European law dating from 1995 that divided the countries of the world into so-called "adequate" and not-"adequate", in terms of having European-style data protection. Countries like the US and Japan are not currently deemed to have "adequate" protections under EU law, but other countries like Argentina and Mexico and Israel are. It's a fair question whether the criteria to assess "adequacy" are themselves realistic or outdated. Essentially, the criteria are formalistic: e.g., does a country have a European-style “independent data protection authority” and European-style “comprehensive” privacy legislation? So, countries that do not, like Japan and the US, are not deemed to have “adequate” data protection, but countries like Mexico, Argentina or Israel are. The Safe Harbor framework constitutes an “adequacy” regime for the US-based companies that comply with it. Therefore, the Safe Harbor framework is a partial solution to a bigger “adequacy” problem.

Rather than debating the Safe Harbor framework, we should be debating the “adequacy” regime. In the real world, no one would believe for a minute that data is less protected in Japan or the US than in Mexico, Argentina or Israel. But this bureaucratic fiction has very real-world consequences, if it makes “illegal” the transfer of personal data from Europe to these non-“adequate” countries. Surely, such routine global data transfers from Europe to Japan, to take just one example among many in the cloud, can’t all be “illegal”?

Why does Europe fight so hard to maintain these rather reality-divorced rules, and why is Europe choosing not to modernize them as part of its comprehensive data protection law review? There is a simple reason, and it has very little to do with the reality of privacy protections. The so-called “adequacy” test is a powerful tool used by European policymakers to cajole other countries into adopting European-style data protection laws and regulations. In 2011 alone, 6 countries in Latin America adopted European-style data protection laws. The motivation for these countries is often unabashedly trade-based, namely, the unhindered transfer of personal data from Europe to these countries, which hope to build information-based outsourcing industries. Europe holds out a significant carrot to countries, saying essentially, “if you copy my privacy legal structure, we’ll reward you with information-based trade.” This, in a nutshell, is why Europe is winning the global competition to influence privacy laws in countries around the world.

I have long been an advocate of the vision of global privacy standards. Instead, what the world is getting is the globalization of European privacy standards.


Compulsively Aimless said...

Agree with you on need for global privacy standards. Recently at the EU Data Privacy forum held in Washington, the US government reps advocated for "interoperability" which translates into the long-standing int'l law practice of mutual recognition. The EU advocated for "harmonization" which one of their panelists said meant adopting EU data protection standards outright.

This isn't the first time there has been the need to develop a global framework for industry. Contracts, copyright, accounting, and dozens of other areas have created frameworks but through a process of mutual recognition (UNCITRAL, OECD). What makes data privacy so special that one sovereign sets aside long-established practices of private int'l law and unilaterally sets the terms?

Michal Faber said...

Peter, interesting blog...

I must say you represent an American and corporate point of view which we Europeans and consumers are used to... so allow me to answer your question in another way for the sake of diversity and discussion

The point of having EU-style privacy regulations is to empower the individuals who often do not have the resources to fight corporations and governments in a civil court... privacy is a natural right which is increasingly abused

We Europeans experienced Nazi and then Soviet regimes (that was 20 years ago - we still remember), not to mention the everyday abuse of power shown by government officials across the EU. In the last 20 years electronic means of data processing became a risk to privacy on a massive scale - take smart (electricity) meters for example.

With no oversight and proper legislation our rights to privacy will always come last... which is unacceptable

That's why the sue-me-if-you-can American approach is inadequate for us Europeans. It sure must be good for American lawyers working for large corporations ;-)