The US-EU Safe Harbor: What Was It Before Being Ruled Invalid?
The Origin of The US-EU Safe Harbor
In 1995, the European Union gave a Data Protection Directive, which stated that transfer of an EU citizen’s personal data from any member state to a third country (outside the EU) could only take place if the third country ensured an ‘adequate’ level of privacy protection. Through the European Commission, an adequate level would be determined based on the third country’s international commitments or domestic law. This was basically the genesis of the US-EU Safe Harbor.
The Safe Harbor Law Amendment
A little later after the passing of this directive, the European Commission realized that the United States did not provide the required adequate levels of protection. As a result, in the year 2000, both parties reviewed and negotiated the Safe Harbor agreement, which now allowed United States companies to self-certify and ascertain that the protection they offered was in accordance with the directive’s requirements.
In 2013, several people cited their doubts on the Safe Harbor. Data protection commissioner Viviane Reding stated in July 2013 that Safe Harbor “may not be so safe”. Her thoughts were reiterated by Edward Snowden who revealed to journalists how the US National Security Agency (NSA) had massive access to data held in telecomm companies and big internet servers in the United States, against the Safe Harbor agreement requirements.
These concerns led the commission to work on recommendations that would improve the Safe Harbor agreement. In November 2013, the commission was able to issue 13 recommendations to the Safe Harbor agreement but negotiations to rework the agreement as per the recommendations are still ongoing to date.
How Self-Certification Worked
To ensure that their services were compliant with the European data protection directive, majority of the companies involved in the cross-border personal data transfer heavily relied on the Safe Harbor.
The self-certification provision eradicated most of the hurdles U.S. companies were facing when working to maintain compliance with the EU law. Instead of complying with individual member state’s data transfer guidelines, U.S. companies would self-certify and avoid individualized compliance. Generally, this was blanket-compliance.
Patrick Van Eecke, co-head of the global privacy practice at DLA piper explained how self-certification was convenient. He cited the fact that the harbor served as a one-stop-shop, which allowed export of personal data to the United States without the need to continuously ask for consent or enter into a bilateral agreement.
Companies Which Relied On The Safe Harbor Agreement
As of October 6, approximately more than 4,700 United States companies were relying on the safe harbor agreement. They dealt in digital transfer of EU citizens’ personal data from the EU to the US. These companies included Facebook, Google, Microsoft and Apple.
The Safe Harbor Downfall
Since the year 2000, compliance by the United States companies was hardly enforced or questioned by the Department of Commerce or Federal Trade Commission (FTC). The FTC and the Department of Commerce were mandated to provide oversight to the Safe Harbor Agreement. The European Commission also gave oversight, but minimally.
The progressive lack of oversight and attention by the United States authorities were major contributing factors to the safe harbor downfall. Instead of serious treatment and regard by companies, the agreement was being viewed as a mere ‘promise’ of compliance, which eventually turned into a free-for-all data transfer avenue. Coupled with shocking revelations, which alleged that the U.S. was using the harbor to unlawfully snoop, the agreement was eventually ruled invalid.
Did The U.S Government Use The Safe Harbor For Unrestricted Access?
In September 2015, Yves Bot, top advisor to the ECJ, issued an opinion that predicted that the court would render the Safe Harbor invalid. One key issue was the allegations that the United States enjoyed unrestricted access to personal data, a matter that did not resonate well with most people, including world leaders.
The debate led to different reactions across continents including Asia, Latin America, US and Europe. Barrack Obama for example cancelled a trip to Moscow, Russia as a sign of his disapproval of President Vladimir Putin’s decision to protect Snowden. Evo Morale, the Bolivian president, was suspected of smuggling Snowden out of Russia and as a result, his plane was forced down in Vienna. Brazilian president, Dilma Rousseff, was also not left out in the unfolding drama when she cancelled a state visit to Washington in protest, claiming that the United States was spying on her. The White House finally conceded and agreed that the NSA’s activities needed new constraints after German Chancellor, Angela Merkel, also accused the US of spying on her.
UK’s Prime Minister, David Cameron, seemed to come to the defense of the alleged illegal government activities. He accused the Guardian of failing to demonstrate social responsibility by damaging national security, by publishing the Snowden revelations.
In an effort that seemed like PR, Robert Litt, the general counsel from the office of US director of national intelligence and the U.S. mission in Europe, tried to argue that the United States did not have unrestricted access and mass surveillance like Snowden alleged. Instead, the US intelligence operated targeted surveillance.
To further defend the US government, Robert Litt stated that the NSA Prism data harvesting program did not give the United States unrestricted access to data. Presenting his argument through an article in the FT, Litt said that the United States relied on specific identifiers such as telephone numbers, and only when it believed that the addresses were used to communicate foreign intelligence information. He added that the process required legally compelled help from communications service providers under the administration of an independent court, alluding that this was a completely legal process.
The US-EU Safe Harbor was a very noble idea that eased operations for very many businesses. Unfortunately, the agreement was abused and led to a series of accusations, presidential stand-offs, threat to national security and loss of trust between countries.
As much as it has now been ruled invalid, the US and EU should not forget the prime reason why this legal provision was first formulated. It is essential that both parties find an amicable way forward and ensure that the bad reputation the agreement had previously undergone is rectified.
Image Courtesy: Stuart Miles, freedigitalphotos.net