Damon Greer, Safe Harbor—a framework that works, International Data Privacy Law, Volume 1, Issue 3, August 2011, Pages 143–148, https://doi.org/10.1093/idpl/ipr010
Abstract
Safe Harbor is a self-regulatory framework providing adequate protection under the EU Directive for data transfers to US companies that have joined it, and is backed up by the enforcement power of the US Federal Trade Commission.
From its beginnings in 2000, Safe Harbor has evolved to be an effective and innovative tool to provide protection to personal data transferred from the EU to the USA, and has over 2,500 member companies at present.
Certain researchers and data protection authorities have voiced criticisms of Safe Harbor, which are based on misunderstandings and a lack of information about how it works in practice.
Safe Harbor is not only an effective way to protect the transfer of personal data, but has also helped contribute to an increased interest in privacy protection in the USA over the last few years.
An historical perspective
On 24 October 1995, the European Commission released its Directive for the protection of personal data (Directive 95/46/EC of the European Parliament and of the Council, referred to as the ‘EU Directive’ or the ‘Directive’). Its intent was to provide data subjects in the member states effective privacy protection concerning the use of their personal information. It was enacted during the early developmental period of the Internet, a time when individuals' online use of the Internet was nascent and no one expected the level of intensity prevalent in today's global digital economy to rise so dramatically, or that personal information would have the economic value that it now does.
Meanwhile, in the United States, the Clinton administration embarked on a concerted effort to promote the Internet as the ‘information highway’ to innovation and as an engine for economic growth. On 22 July 1997, the White House released its report, ‘A Framework for Global Electronic Commerce’ (the full text is available at http://clinton4.nara.gov/WH/New/Commerce/read.html, accessed 27 April 2011). The report recognizes the central role that the Internet, then referred to as the Global Information Infrastructure (GII), would play in future economic development and the delivery of citizen-centric services, and argues for a limited role for governments in regulating online activity. One of the issues identified in the Framework as needing to be addressed was privacy. Leading up to the release of the report, different elements of the US government had taken various steps indicating the interest in the US in privacy and its impact on electronic commerce:
June 1995. The Privacy Working Group of the United States government Information Infrastructure Task Force (IITF) issued a report entitled ‘Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information’. The report recommends a set of principles (the ‘Privacy Principles’) to govern the collection, processing, storage, and re-use of personal data in the information age. These Principles, which build on the OECD ‘Guidelines Governing the Protection of Privacy and Transborder Data Flow of Personal Data’ and incorporate principles of fair information practices, rest on the fundamental precepts of awareness and choice.
October 1995. The National Telecommunications and Information Administration (NTIA) issued a report entitled ‘Privacy and the NII: Safeguarding Telecommunications-Related Personal Information’. The report explored the application of the Privacy Principles in the context of telecommunications and online services and advocated a voluntary framework based on notice and consent.
6 January 1997. The US Federal Trade Commission (FTC) issued a staff report entitled ‘Public Workshop on Consumer Privacy on the Global Information Infrastructure’. The report, which focuses on the direct marketing and advertising industries, concludes that notice, choice, security, and access are recognized as necessary elements of fair information practices online.
April 1997. The Information Policy Committee of the IITF issued a draft paper entitled ‘Options For Promoting Privacy on the National Information Infrastructure’. The paper surveyed information practices in the United States and solicited public comment on the best way to implement the Privacy Principles. The IITF's goal was to find a way to balance the competing values of personal privacy and the free flow of information in a digital democratic society.
June 1997. The FTC held four days of hearings on technology tools and industry self-regulation regimes designed to enhance personal privacy on the Internet.
In the 22 July 1997 Framework Report, the Administration announced its support for private sector efforts to implement meaningful, consumer-friendly, self-regulatory privacy regimes. These included ‘mechanisms for facilitating awareness and the exercise of choice online, evaluating private sector adoption of and adherence to fair information practices, and dispute resolution’. Moreover, the Administration believed that technology would offer solutions to many privacy concerns in the online environment.
The report also noted that countries around the world, especially in the European Union (EU), recognized that privacy was a growing concern, and that policies governing the transborder transfer of personal data to countries for commercial purposes that did not offer a reasonable level of protection were needed to protect citizens and their online activities. The USA, to ensure that differing privacy policies around the world did not impede the flow of data on the Internet or stifle innovation, thus committed to ‘engage its key trading partners in discussions to build support for industry-developed solutions to privacy problems and for market driven mechanisms to assure customer satisfaction about how private data is handled’.
Recognizing further the trade-restricting potential that the EU Directive could have on transatlantic commerce, the USA began work on studying the impact implementation of the Directive would have on trade between the USA and the EU. Following an assessment that found the USA would most likely not receive an ‘adequacy’ finding from the European Commission, it entered into a dialogue with the Commission's Directorate-General for the Internal Market on establishing a legal framework that would serve as a compromise between the two governments' legal frameworks, and at the same time satisfy the provisions of the Directive for receiving a favourable adequacy finding. These discussions were conducted under the US government's Electronic Commerce Task Force led by Barbara Wellberry, formerly chief counsel to the NTIA, who was seconded to the International Trade Administration of the US Department of Commerce. Following two years of negotiations with the Commission, stakeholder consultations, and interagency planning, the US–EU Safe Harbor Framework Agreement was completed and submitted for an adequacy determination. On 26 July 2000, the European Commission issued a communication awarding a favourable adequacy finding for the Framework (Decision 520/2000/EC recognizing the Safe Harbor international privacy principles). On 1 November 2000, the Framework was launched in the USA.
In 2000, the US administration considered data protection to be critically important and believed private efforts of industry working in cooperation with consumer groups to be preferable to government regulation, but that if effective privacy protection could not be achieved, then the policy of self-regulatory schemes would need to be re-evaluated and the government's role re-examined. Dedicated to continued dialogue with stakeholders, governments, and non-governmental bodies, the administration co-organized a conference on 26–27 September 2000 at the US Department of Commerce jointly with the Fisher Center at the University of California, the Brookings–Internet Policy Institute, the Institute on Global Conflict and Cooperation (IGCC), the Berkeley Roundtable on the International Economy (BRIE), and the OECD. The European Commission also had strong representation, and to demonstrate the US government's commitment to fostering the Internet as an engine of growth, US Deputy Secretary of Commerce Robert Mallett opened the event, which was entitled ‘The E-Business Transformation: Sector Developments & Policy Implications’.
Since that time, membership in the Safe Harbor has risen from four organizations in 2000 to nearly 2,500 enterprises of all sizes and in more than fifty industry sectors today. Of course, no compliance initiative is perfect, and good actors may be sullied by the transgressions of a few. But it is sometimes not sufficiently recognized that Safe Harbor has been a resounding success, both in terms of raising the level of privacy compliance in the USA, and in facilitating the recognition by US business that privacy is a critical factor to success in the global marketplace.
Criticisms
In recent years, Safe Harbor has come under attack from a number of sources who believe the legal framework does not provide adequate protection for EU citizens. Allegations that organizations that self-certify compliance to the framework merely ‘check the box’, that the government provides no oversight to ensure compliance with the seven Safe Harbor privacy principles, and that there is no effective enforcement, have proliferated. However, as will be seen, these allegations are largely based on unsubstantiated or unsupported evidence, misunderstandings, and a lack of willingness to understand how Safe Harbor works in practice.
On 4 December 2008, Galexia.com, an Australian consultancy, issued its report, ‘Safe Harbor, Fact or Fiction’, which criticized the governmental bodies that oversee the agreement, the enterprises that self-certify compliance with Safe Harbor, and the third party dispute resolution bodies that serve as mediators to resolve complaints between EU citizens and Safe Harbor entities (<http://www.galexia.com/public/research/assets/safe_harbor_fact_or_fiction_2008/>, accessed 27 April 2011). The report was sent to the administrator of Safe Harbor and the Federal Trade Commission after it had been released and circulated to the European Commission, European media outlets, and member states' data protection authorities (DPAs). However, the author(s) did not approach any of the administrative bodies that oversee Safe Harbor before the report's release, or seek an understanding of how the Framework's self-regulatory component works in practice.
Later, in March 2009, a supplement to the report was issued where the focus was on the third party dispute resolution bodies, the number of companies which continued to be ‘non-compliant’ (according to Galexia), and the allegedly exorbitant costs that EU citizens would incur to resolve outstanding disputes. At this time, the US Department of Commerce decided to refute these allegations, and has thus put on the Safe Harbor programme website information describing the role of dispute resolution bodies; a description of who pays the costs, if any, associated with dispute resolution; and an explanation about how dispute resolution bodies are chosen by organizations in accordance with instructions provided to them (see <http://export.gov/safeharbor/>, accessed 27 April 2011).
The Galexia report also asserted that of the 1,597 companies that were Safe Harbor members at the time it was issued:
Only 348 organisations meet even the most basic requirements of the Safe Harbor Framework. Many organisations did not have a public privacy policy, or the policy failed to even mention the Safe Harbor. A large number of organisations failed to comply with Principle 7—Enforcement and Dispute Resolution, as they did not identify an independent dispute resolution process for consumers.
However, no credible evidence supporting these conclusions was provided, nor did the report's methodology define how these conclusions were reached. Moreover, the Department of Commerce was not approached prior to conducting the research or during its preparation to verify or disprove the findings. The Department was only contacted after the report was posted on the company's website and circulated among the EU data protection authorities, media outlets in Europe, and the European Commission's Directorate-General for Justice, Freedom, and Security (now DG Justice). Despite this faulty methodology, the study was accepted by many in the data protection community without further investigation, consultation, or verification of the facts.
The Galexia report also assumes that there has been little or no enforcement of Safe Harbor, which does not adequately take into account the activities of the self-regulatory enforcement mechanisms that many Safe Harbor companies use. For example, at the 2009 ‘Conference on Cross Border Data Flows, Data Protection and Privacy—Across the Divide: Successfully Navigating Safe Harbor’ held in Washington, DC, TRUSTe, a third party dispute resolution organization, reported that it had successfully resolved nearly 4,000 complaints between EU citizens and Safe Harbor certified companies that had chosen TRUSTe as their independent recourse mechanism.
Furthermore, more formal, ‘legal’ enforcement is being carried out by the FTC: for example, on 6 October 2009, the FTC announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the Safe Harbor (see <http://www.ftc.gov/opa/2009/10/safeharbor.shtm>, accessed 27 April 2011). And on 30 March 2011, the FTC announced that Google agreed to settle charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010 (see <http://ftc.gov/opa/2011/03/google.shtm>, accessed 27 April 2011). Among the FTC's allegations was that Google misrepresented that it was treating personal information from the European Union in accordance with the Safe Harbor framework because it failed to give consumers notice and choice before using their information for a different purpose from that for which it was collected.
In 2010, the Safe Harbor was criticized by the Düsseldorfer Kreis, an association of data protection authorities from the German federal states. The Düsseldorfer Kreis in its opinion of 29 April 2010 misinterpreted the European Commission's adequacy finding on the Safe Harbor; in particular, the group mistakenly assumed that a seven-year term limit exists for companies to be considered Safe Harbor members in good standing (there is none), and that the FTC administers the Safe Harbor (in fact it is administered by the US Department of Commerce; changes were later made to the opinion correcting these mistakes). A number of organizations have since accepted the Galexia report without providing new insight into the earlier findings or comprehending how Safe Harbor, as a compliance tool for cross-border data transfers, works to protect EU citizens' personal data. These studies replicate the earlier allegations without independent evidence to support their claims.
Strengths of the Safe Harbor
The Safe Harbor Framework's structure is founded on a self-regulatory regime based on a sector-specific approach and linked with federal enforcement primarily based on the FTC's section 5 authority under the FTC Act of 1914 governing deceptive and unfair trade practices (enforcement is undertaken instead by the US Department of Transportation in the case of Safe Harbor members who are subject to its jurisdiction rather than that of the FTC). Organizations are under no compulsion to join Safe Harbor and their commitment to adhere to the principles and the fifteen FAQs is voluntary. Furthermore, the FTC has committed to give priority attention to complaints referred to it by the EU data protection authorities' dispute resolution panel on behalf of EU citizens. In recent years, FTC enforcement has become increasingly involved in privacy disputes, including those involving Safe Harbor (see above), and its enforcement power is much feared among US companies.
In the early years of Safe Harbor's existence, few self-certifications were received from the business community. Perhaps influenced by the lack of predictability of EU member states' enforcement of national data protection laws, or by a lack of awareness of the data privacy legal framework in the European Union, Safe Harbor as a tool to promote compliance was underutilized. However, since then the Safe Harbor has continually evolved, and its use is much more sophisticated than it was ten years ago. Companies now routinely spend considerable amounts of money and time complying with the Safe Harbor principles, so that compliance goes much farther than simply ‘checking the box’, a point which critics of Safe Harbor fail to realize.
On 20 October 2004, the European Commission issued its first implementation review of the functioning of Safe Harbor (available at <http://ec.europa.eu/justice/policies/privacy/docs/studies/safe-harbour-2004_en.pdf>, accessed 27 April 2011). At the time the review was conducted, 401 companies had self-certified compliance to the Safe Harbor privacy principles and the FAQs. The study examined 41 organizations' filings under Safe Harbor and assessed the responsible governmental bodies' role in executing their respective duties under the agreement. These agencies included the US Department of Commerce, the Federal Trade Commission, EU organizations including data protection authorities, and third party dispute resolution bodies.
Generally, the report's findings noted consistent growth in the programme's size, as well as where improvement could be made in the guidance offered to US organizations submitting self-certification filings. In particular, there was concern that companies were not incorporating the seven privacy principles into their privacy policies, that the policies were not publicly accessible, and that FTC enforcement was lacking. The authors argued for sua sponte investigations ‘where questions exist regarding Safe Harbor compliance’. The role played by third party dispute resolution bodies serving as alternative recourse mechanisms was called into question, essentially because the number of complaints reported at the time was insignificant. The latter fact and the previous findings underscored the fundamental differences between the EU and US legal frameworks for data privacy and personal data protection. In sum, the Commission was pleased with the progress made in the growth of Safe Harbor, concerned that privacy policies were not uniformly displayed or made available publicly, recommended improvements in the Department's website to enhance transparency, and noted that third party dispute resolution bodies needed to ‘provide for sanctions such as the publication of findings of non-compliance’.
Safe Harbor, in its 11th year, has left childhood and entered adolescence. On the sixth anniversary of the Commission adequacy finding, there were 798 companies in Safe Harbor. Today, 2,500 enterprises are certified to Safe Harbor and approximately 50 organizations seek certification each month. Of course, no compliance initiative is perfect; for instance, it is true that nearly 20 per cent of those entities that have joined have allowed their certifications to lapse for various reasons, the most prominent of which is that employees responsible for managing Safe Harbor compliance have left the organization without a transfer of duties to new personnel. Still, despite the overall record and growth, it is sometimes not sufficiently recognized that Safe Harbor has been a resounding success, both in terms of raising the level of privacy compliance in the USA, and in facilitating the recognition by US business that privacy is a critical factor to achieving success in the global marketplace.
Critics of Safe Harbor also fail to take into account the costs of complying with it, and those of failing to comply with the law. In February 2011, the Ponemon Institute issued a study entitled ‘Cost of Compliance: Benchmark Study of Multinational Organizations’ (the text of the study is available at <http://www.tripwire.com/ponemon-cost-of-compliance/pressKit/True_Cost_of_Compliance_Report.pdf>, accessed 27 April 2011; see also <http://www.ponemon.org>). The study examined the compliance practices of 46 multinational organizations and sought to quantify the costs associated with both compliance and non-compliance with selected data protection and privacy regulatory requirements (compliance with the EU Directive was covered in the study). The findings indicated that average compliance costs were US$3.5 million, and that the costs of non-compliance with laws were nearly three times higher ($9.4 million), with a range from $1.4 million to $28 million. The per capita compliance cost was $222 per employee, and the per capita non-compliance cost was $820 per employee. Clearly, it is in the interest of the organization to comply with data protection laws wherever they may be encountered.
In addition, the harm done to trust and reputation by failing to comply with data protection regimes (as noted by UK Information Commissioner Christopher Graham in his presentation at the ‘23rd Annual International Conference 2010 Privacy Practices on Trial’ conference in Cambridge, UK) is, in many ways, incalculable and ultimately erodes an organization's presence in the global marketplace and imperils its competitiveness. Today, any organization that builds a solid compliance regime irrespective of the legal framework under which it functions will gain a competitive edge as new technologies, applications, and processes emerge. To do otherwise would, as the Ponemon study clearly points out, cause the business greater, long-term harm.
Critics also fail to understand the key role the Safe Harbor has played in raising awareness and acceptance of privacy protection in the USA. At the time Safe Harbor was enacted, many companies in the USA were deeply sceptical that legal regulation of privacy would actually be workable in an increasingly globalized and fast-paced business environment. As the current discussion concerning privacy regulation in the USA demonstrates, many US companies have completely changed their positions, and now accept the need for some regulation as a way to build consumer confidence and deal with cases that self-regulation cannot. In addition, privacy compliance has become widely accepted among globalized US companies as essential to protect personal data and avoid legal liability.
Discussions with the chief privacy officers of US companies and anecdotal evidence leave no doubt that the experience of having to implement privacy protections under the Safe Harbor was crucial in leading to greater acceptance of privacy compliance and protection among the US business community over the past ten years. It has instilled into corporations the importance of safeguarding personal data and has contributed to the development, growth, and adoption of strategic information business practices that integrate the corporation's principal divisions up to the executive level in devising comprehensive codes of conduct to protect personal data. Examples of the commitment to apply Safe Harbor privacy principles to corporate policies include the following observations from executives in the privacy arena:
There is no doubt in my mind that Safe Harbor has been important in raising the general level of awareness of privacy among US companies in general over the last 10 years. Joseph Alhadeff, Chief Privacy Officer, Vice President, Global Policy, Oracle USA, Inc.
Joining Safe Harbor since its inception has substantively contributed to the understanding, importance and formulation of sound information management practices as part of our commitment to building strong brands that are recognized for protecting our consumers' privacy and setting a very high bar in complying with data protection laws wherever they are found. Sandra Hughes, Global Privacy Executive, Procter & Gamble Company
One of the catalysts for developing a comprehensive global privacy program at Merck & Co., Inc. has been our certification to the Safe Harbor principles since 2001. Safe Harbor enabled colleagues outside of Europe to better comprehend the impact of the European legal framework for data protection and to understand why protecting personal data is fundamental to appropriately conducting business in the global marketplace. Today, our global privacy program at Merck begins with employee privacy awareness and includes comprehensive privacy policies and standards, training and accountability mechanisms such as annual compliance verification, audits, prospective reviews, mechanisms for raising and addressing privacy concerns and ongoing privacy oversight to assure adequate protection for personal data. Hilary Wandall, Chief Privacy Officer, Merck & Co., Inc.
Those who criticize the Safe Harbor would do well to remember that much of the heated rhetoric surrounding it only creates uncertainty for individuals whose data are processed, without bringing any benefit of privacy. The Commission's Safe Harbor adequacy decision provides for steps the DPAs can take if they believe that it no longer provides an adequate level of data protection (i.e., suspension of data flows and formal notification to the European Commission). If there are genuine concerns about Safe Harbor, the DPAs may follow such formal procedures rather than using other outlets to levy criticisms against the programme.
Conclusion
Safe Harbor is a bridge that connects two different, yet complementary legal regimes, each of which has its imperfections but which share a common goal: protecting privacy. The USA and the EU are two regimes that protect data and privacy consistent with their respective historical development, culture, customs, and law. It remains to be seen whether a unitary framework founded on the premise of one particular experience or another will meet the needs of all, or whether regional or national arrangements will emerge as more effective solutions to protecting privacy. What is important is that whatever path data protection and privacy takes, the methodology employed should be equipped with flexible tools that may be readily adapted to rapid technological change.
The European Union's current revision of its legal framework founded on the Directive may challenge compliance departments both in member states and third countries whose businesses must comply with whatever emerges. In the USA, both the Department of Commerce's and the Federal Trade Commission's review of the privacy framework, along with Congress' interest in protecting consumers' online privacy, may present alternatives to the current model. It thus remains to be seen whether the US model converges with the EU's revision, or whether the differences are so pronounced as to lead to the development of an altogether different approach that ensures innovation is encouraged and economic growth sustained.
Safe Harbor is an innovative approach to privacy protection that attempts to build such a bridge between the EU and US privacy regimes. Criticisms of it based on a misunderstanding of how it works, and a lack of appreciation of the key role it has played in the US privacy debate, are misplaced and undermine the goal which both systems are striving to attain, namely increased protection of privacy in a globalized world.
Author notes
Responsible for administration of the Safe Harbor program, International Trade Administration, US Department of Commerce, Washington, DC.