Safe Harbor and Free trade agreement in the wake of the data privacy scandal
The free trade agreement planned between the USA and Europe is in peril of falling apart amidst acute political displeasure and resentment, and looming disputes surrounding the global enforceability of future European data privacy mandates.
We propose a substantial revaluation of the “Safe Harbor” concept in order to bring together the mutual interests of both sides.
The significance of the scheduled Transatlantic Free Trade Agreement is unquestionable, and is also affirmed by Viviane Reding, the EU commissioner in charge of data privacy issues.
Article by Dr. Sebastian Kraska (attorney at law, external Data Protection Officer).
Criticism of the Safe Harbor Treaty to date
Criticism of the Safe Harbor Treaty has intensified for a variety of reasons over the past few months. Most often it is not the provisions themselves that are coming under criticism; instead, the focus of discussion is being shifted to their (allegedly) deficient internal implementation and absence of independent regulatory controls. Thus, for example, the German Conference of Federal and State Data Privacy Authorities raised the issues surrounding the Safe Harbor Treaty in its joint statement dated July 24, 2013. The negotiating mandate adopted by the LIBE Committee also contained a draft provision on the automatic termination of the Safe Harbor Treaty if it is not modified within the next five years.
Practical significance of the Safe Harbor Treaty
Currently, the US/EU Safe Harbor Database holds 4,272 registrations of US/EU Safe Harbor-certified businesses. In my experience, precisely because of the data exchange between US companies and medium-sized European companies, the US/EU Safe Harbor Treaty represents a key building block for establishing an “adequate level of data privacy” according to EU standards.
Alternative “EU Standard Agreements”: beneficial in form / no material improvement
On the one hand, the EU Standard Agreement, which is often the preferred alternative in the practices of regulatory agencies, frequently demands too much of medium-sized European companies by virtue of its complexity. On the other hand, EU Standard Agreements offer no material improvement when it comes to establishing the minimum standards of technical and organizational measures on handling personal data. To the best of my knowledge, the contractual provisions of the EU Standard Agreements have not yet been litigated.
Concept of the Data Privacy Officer: internal business monitoring
The concept of commissioning a Data Privacy Officer who administers the internal data privacy policies is pursued primarily in Germany, and has recently been incorporated into the debate on the EU Data Protection Regulation as well. It demonstrates its value from the viewpoint of corporate business practices: the commissioning of a data privacy officer leads to the creation of internal data privacy structures, and the establishment of tracking measures on data security regulations. In exchange for the mandated commissioning of an officer, German companies (unlike companies in other European nations) are not required to report on procedures to data protection authorities.
Appointment of a “Data Privacy/Safe Harbor Officer”
The German model of internal enforcement by appointing a data privacy officer also corresponds to the regulatory approach of the Safe Harbor Treaty. It would therefore seem reasonable to consider requiring the commissioning of a “Data Security/Safe Harbor Officer” to strengthen the internal implementation of the Safe Harbor Treaty for US-based companies. This individual would then be responsible for the internal implementation of the Safe Harbor Treaty, which would substantially bolster the plausibility, vis-à-vis Europe, of adherence to data privacy regulations. Europe could consider this approach as an affirmation of its data privacy efforts.
No excessive burden on US companies that have a functioning data privacy structure
The proposed measures would cause only a negligible added burden on those US companies whose data privacy structures are already functioning.
Compliance on the US side: trade benefits for the EU and the USA
Expansion of the Safe Harbor Treaty by the appointment of a “Data Security/Safe Harbor Officer” would:
- comply with the European regulatory approach;
- accommodate the US concept of internal self-regulation;
- bring about an actual improvement at the level of technical/organizational data security measures; and
- secure the realization of a US-EU trade agreement that is reasonable for both sides.