It comes as no surprise that conversations about data protection are dominating capitals around the world. Unfortunately, those conversations are being twisted in a way that confuses the issues at hand and threatens policies like the EU-US Safe Harbor Agreement that help deliver the benefits at the core of the digital economy.
This situation is the product of the collision of two related — but separate — realms of data privacy, commercial data privacy and government access to data. While nations are moving quickly to establish a policy framework for a global cloud computing network that will connect businesses and consumers to products, services, and markets around the world, this summer’s disclosures of national surveillance practices have significantly heightened user and government concerns about access to data generally.
In the post-PRISM environment, cross-border data flows have taken center stage in discussions about consumer privacy — with some European officials calling for the suspension and termination of the Safe Harbor. Put simply, though, threatening the cross-border data flows that the Safe Harbor enables won’t solve the problem of government surveillance.
Today thousands of European and American companies are using the Safe Harbor mechanism to safely transfer data between Europe and the US. While not perfect, it is a functioning framework backed by meaningful enforcement, with industry committed to compliance. Other means for the transfer of data to and from Europe, including Binding Corporate Rules (BCR) and the EU Adequacy mechanism, are no doubt helpful, but their reach has so far been limited.
We can, and should, look at how to improve the way the Safe Harbor works. However, misguided efforts to address government surveillance by limiting commercial data flows, like suspending the Safe Harbor mechanism altogether, would have a significant negative impact on the ability of US and European companies to deliver services to users on both sides of the Atlantic. That means a significant negative impact on the delivery of digital services around the world. And importantly, it would not improve the protections in place for EU citizens when it comes to government access to data for national security.
The EU Member States will meet in the coming weeks in Brussels to discuss these and other points. Meanwhile, the European Parliament is continuing work toward agreement on a text for a new General Data Protection Regulation that it expects to put to vote before the end of the year. But there remain critical substantive points still outstanding in the proposal. The goal should not be to meet an artificial timeline based on political or diplomatic challenges, but to agree a world class, future-proof regulation that includes sound, practical rules for businesses to follow and that will deliver meaningful privacy protections for users in the commercial environment.
In the meantime, preserving the Safe Harbor — and the benefits that derive from it — should be the goal rather than the target of EU policymakers.