Contact Us

Disruptive Competition Project

655 15th St., NW

Suite 410

Washington, D.C. 20005

Phone: (202) 783-0070
Fax: (202) 783-0534

Contact Us

Please fill out this form and we will get in touch with you shortly.

What a safer Safe Harbour could look like

EU and U.S. negotiators are working against the clock to agree on a new and strengthened framework for transatlantic data flows by the end of January. This is the deadline provided by European data protection authorities after which they could start procedures against companies still relying on the old framework invalidated by the Court of Justice of the European Union (CJEU).[1]

A halt to commercial data transfers between the EU and the U.S. could severely damage our economies, worsen the transatlantic partnership and fragment the global Internet.[2] Negotiators are therefore scrambling to agree on a new framework that addresses the CJEU’s points of criticism.

So what should a new and improved Safe Harbour framework look like? Here are some ideas:

A streamlined and transparent framework

The main advantage of the original Safe Harbour was that it was a streamlined and cost-effective framework. Other types of transfer mechanisms exists, but they are costly, bureaucratic, limited in use, or take time to put in place. The main feature of Safe Harbour is the concept of companies’ self certification. These are binding legal commitments which are fully transparent to the public. Small- and medium-sized enterprises (SMEs), which constituted 60% of Safe Harbour companies, particularly benefitted from the framework.[3]

Free mechanisms for consumer complaints backed by strong enforcement

The U.S. Federal Trade Commission (FTC) should continue their recent trend of rigorous and rapid enforcement of complaints against companies. Today, consumers are ensured “affordable” and independent recourse mechanisms to further investigate and resolve complaints, e.g., through sanctions. Negotiators have indicated that such mechanisms should become free for consumers in a new framework.

Proportionate and limited access by governments

All governments occasionally request that companies provide access to user data for law enforcement or national security purposes. Many companies, such as social networks and search engines, already publish their own transparency reports. The U.S. Government should explain to the European Commission the proportionality and the limitations of its access to data transferred under the new data transfer framework. It is worth noting that the U.S. Government has already undertaken substantial reforms of its surveillance programs and competences, since the CJEU took on the Schrems case and since the European Commission’s stock-taking of the old Safe Harbour back in 2013.[4] It can be argued that these reforms were not reflected in the CJEU’s judgment.[5]

A dynamic framework open to continuous improvements

In light of ongoing privacy and surveillance laws and policy reforms in both Europe and the U.S., and the fast-moving nature of the global data economy, negotiators have indicated that the new framework will be a “living document.” Rather than waiting another 16 years to update any new framework, EU and U.S. officials should continuously assess and improve the framework, with the aim of avoiding another situation like today’s of substantial legal uncertainty.

Legal certainty equals business and consumer confidence

European data protection authorities have given EU and U.S. negotiators until the end of January to agree on a new framework after which they could take enforcement actions against hapless companies. The current lack of legal certainty for companies also undermines consumer confidence.

After two years of negotiations, EU and U.S. officials should, as soon as possible, present a new and safer Safe Harbour framework. Including these suggestions would significantly strengthen the new framework to the benefit of European and U.S. companies and consumers.

[1] It is worth clarifying that it wasn’t the Safe Harbour principles, nor any U.S. Government practises, nor any company’s behaviour that were invalidated by the CJEU. It was the European Commission’s 15-year-old “adequacy decision” that was invalidated as being in conflict with the EU’s own Data Protection Directive (EC/95/46) read in light of the EU’s Charter of Fundamental Rights. Given the widespread misperceptions about the CJEU “Safe Harbour ruling” it may make sense to rename the new framework.
[2] A halt of commercial data flows could lead to EU GDP losses of -1,1% and overall drop of domestic investments of -3,9% according to a 2014 think tank study from ECIPE.
[3] It is often misunderstood that European firms incorporated in the U.S., such as Adidas America, Inc. and Bayer, also rely on Safe Harbour for transferring payroll and other day-to-day commercial data from Europe to the U.S. In total, more than 4,400 companies have in the past 16 years self-certified to honor the Safe Harbour principles. Many other companies relied on the framework indirectly through their contracts with these companies.
[4] The U.S. Congress is moreover considering a new privacy bill, the Judicial Redress Act, which will extend U.S. privacy redress rights to Europeans. Some European Member States are furthermore now enacting surveillance laws similar to those which the United States is now reforming. Obviously, the EU cannot demand that the U.S. abide to higher standards than those in EU Member States.
[5] The CJEU clearly states that it did not analyse whether the U.S. provides protections “essentially equivalent to that guaranteed within the EU”. Instead, it criticised the European Commission for not making such a finding.

European Union

DisCo is dedicated to examining technology and policy at a global scale.  Developments in the European Union play a considerable role in shaping both European and global technology markets.  EU regulations related to copyright, competition, privacy, innovation, and trade all affect the international development of technology and tech markets.