I spoke on safe harbor on a panel at LegalTech sponsored and led by LDSI. Does it give as much protection as its proponents aver? Why is Europe so concerned about data privacy anyway?
It is a beguiling expression, safe harbor. You picture small boats rocking gently in the sunlight behind a stout sea wall whilst the storms rage beyond. Your precious cargo of data shipped from Spain or Italy is protected from the threatening clouds marked “SEC” and “IRS” and can be processed and reviewed in peace by your trusty crew. European data controllers can sleep peacefully at night confident that they are protected from marauding information commissioners and angry data subjects.
Such is the appeal of the expression “safe harbor” that America started using it simultaneously for more than one completely different concept. One is the registration mechanism thrashed out between the European Commission and the US Department of Commerce in 2000 to mitigate the commercial impact for US companies of the EU Directive 95/46/EU of 1995 on the Processing of Personal Data. Another protects ISPs from copyright infringements by their users. The expression also occurs in Evidence Rule 510 to do with waiver of privilege. This article relates to data privacy.
Before I start, I should make it clear (lest it appears otherwise from what I say below) that I am instinctively pro-American and anti-European. This often comes as a surprise to Americans, many of whom lump everyone from Yurrup in one seamless block. To me, as to many Britons, the EU is tolerated for its alleged economic benefits in a global market. At any other level, it is a conspiracy of small, grey, Belgian civil servants being inventive about their expenses and making petty regulations to ensure that they, their children, and their children’s children have jobs for life enforcing them. In amongst rules about the size of sausages, the shape of vegetables and countless other useless regulations, the privacy directive stands out as having a purpose, perhaps because it was rooted in history rather than in the size of the inducement offered by an interested party.
I sat on a panel at LegalTech last week at the invitation of LDSI, whose Deborah Coram was an able moderator. LDSI have processing facilities on both sides of the Atlantic and can, perhaps, be rather more objective about safe harbor and other data privacy issues than can a provider who must bring EU data to the US if they are to win the processing work at all.
The other advertised panellists were Tom O’Connor and Craig Ball. Late the previous evening, Craig and I press-ganged (these nautical metaphors are catching) George Rudoy who sportingly agreed to join us.
Deborah Coram outlined the provisions. The EU Directive 95/46/EU required member states to legislate to ensure that personal data was protected and would not be exported beyond the EU to countries whose standards for data protection did not meet EU standards of “adequacy”. The US attaches very little significance to data privacy and, fearing the serious commercial drawbacks which flowed from the Directive and its national implementations, the US Department of Commerce reached an agreement with the EU Commission in 2000 under which organisations could apply for safe harbor status. Such organisations were deemed to meet the EU standards of adequacy and the need for prior approval of data transfers was waived. EU citizens with complaints about the handling of their data generally have to bring them in the US, which polices the operation of safe harbor. Fines of up to $12,000 per day may be levied for breach of the safe harbor provisions.
Every provider of safe harbor facilities rushed to obtain certification and it became a marketing prop, with press releases adding this to the myriad other apparently good reasons for sending data to their processing facilities in the US. Many clients do just that, happy to feel able to comply with the demands of US clients, US parent companies and US lawyers desperate to meet the discovery deadlines set by US courts and regulators.
Others were not so sure. Although I dutifully reported one or two of the safe harbor certifications, I also delved around in the Export Portal of the US Department of Commerce and read a few of the certifications, observing amongst other things that they were unchecked self-certifications and that the wording of the scope of the certification was a free-form entry which varied from provider to provider. Mark Dingle of Simmons & Simmons in London drew my attention to the fact that EU privacy and data protection risks were not the only issue – the rules as to privilege are different in the US (and, indeed differ between US states) and it would be easy to overlook the implications of an inadvertent privilege waiver whilst focussing on privacy. There was also the question as to what happened to the data once it had been processed. Safe harbor principles cover onward transmission to another safe harbor-certified organisation, but that does not apply to most law firms (who would be doing the review) still less to their clients.
The seven safe harbor principles cover notice to individuals as to the purpose and use of information, choice as to the disclosure (by opting out as to most data or opting in as to sensitive information), the provisions as to onward transfer referred to above, access by individuals to the information held about them, security of the data, data integrity and enforcement.
One of the drawbacks of sitting on a panel is that one’s focus is on anticipating the next question rather than on noting what the others say. There was no great difference between us on this one. I had hoped to find a challenge to my own position – that I would never advise reliance on safe harbor alone except where there had been full compliance with the provisions as to notice and consent to every individual referred to, and where the client was able to make an informed assessment of the risks against the benefits. The latter, of course, may be substantial and it would be foolishly uncommercial to say that data should never be exported. The real catch is that you do not know – you may be reasonably sure but you cannot be certain – that there is no personal data in a collection without first processing it and it is strictly the case that the mere act of processing – even within the EU – requires the consent of those referred to. This is a bind which can really only be resolved by a proper information governance policy which catches the potentially private material on the way into the systems.
One potentially loses friends by arguing that safe harbor is not as safe as it may appear. One would lose more by being the first to get caught when an EU information commissioner or disaffected data subject happened to pick on you for a test case. I suggested at the session that the subject of data access is potentially part of a wider trade war. This is low-key as yet – the US taxes the import of French cheese, for example (did you know there is a 300% impost on Roquefort?) and the French scowl on data exports. I suggested that we might see a new climate with a new president – and came home to find Obama digging himself out of a protectionist hole which he had dug for himself and which would do little to ease relationships on this or any other front. For myself, I would happily trade concessions as to the import of data into the US if the US would make it slightly less tiresome to import myself through immigration at JFK (a sore point after my 90 minute wait, to which I will return in a separate post when I have cooled down on the subject).
This subject, which comes down in part to the problem of seeing ourselves as others see us, came up in our pre-panel discussions. I had said, or at least implied, that US judges did little to pour oil on the troubled waters of data privacy by appearing to take it for granted that those pesky Europeans would yield to the might and evident right of a US court. Craig Ball leapt to their defence, arguing that most US judges were willing to make concessions to accommodate EU privacy concerns. That, I am sure, is right. It only needs one heavy-footed judge to upset this, however. Europe may be willing to make concessions where security is involved (as happened over US demands for airline passengers’ PNR data) but a battle between US commercial interests and EU privacy concerns is a battle of equals, and to approach Brussels as if it were Omaha Beach is a tactical error which (as the French have already shown) will lead to reprisals. The fact that there have as yet been no reported examples of the US Department of Commerce using its enforcement powers does not mean that they will not do so next week.
I find it helps Americans to understand EU concerns if I remind them, as I did at this session, that EU citizens have good reason for their concerns about privacy and the potential for the misuse of data. The Nazis used census returns to plan the Holocaust and all kinds of other arbitrary classifications to group people for imprisonment and death. Sanjay Bhandari of Ernst & Young made much the same point at a panel on the following day which I will report in due course.
Safe harbor is better than nothing and, in the absence of any better form of cover, it helps those who are willing to comply with its potentially onerous requirements and whose risk analysis points towards data exports having regard to all the circumstances. The circumstances include matters whose weight is impossible to evaluate in the absence of precedents narrowly tuned to the facts – by “narrowly” I mean to draw attention to the very individual nature of each data collection and of each data subject’s position.
The subject needs airing, and I am grateful to LDSI for the opportunity to take part in their panel.