Is the legal framework underpinning the allowed sharing of data across the Atlantic an anachronism in need of replacement, or is it essential to the economic relationship between the U.S. and European Union (EU)? A panel discussion hosted by the Center for Strategic and International Studies (CSIS) on June 10 asked more specifically if debate over the U.S. EU Safe Harbor for international data transfer is about data protection or data protectionism, and tried to explore how data privacy and data security concerns fit into the ongoing U.S.-EU trade negotiations and the status of the Safe Harbor.
The future success of the over 3000 U.S. companies that have already voluntarily submitted to the Safe Harbor guidelines, and the future of innovation in survey, opinion and marketing research on both sides of the Atlantic, hang in the balance.
The European Position
Paul Nemitz, director of fundamental rights and European citizenship in the office of the Directorate-General Justice of the European Commission and one of the lead European negotiators, characterized the current status of the Safe Harbor discussions as a decision-making process by the European Commission, not as a bilateral negotiation. Nemitz characterized the right to privacy as fundamental, with “constitutional status in Europe.” He further insisted that while some see the European stance as protectionist, the repeal of the Safe Harbor “has a protectionist function, but its [primary] function is not protectionism.” Nemitz insisted that the primary arguments for renegotiating or revoking the Safe Harbor related to European citizens’ fundamental privacy rights, and the presumed violation of those rights by U.S. companies and the U.S. government.
Nemitz expressed that Europe is motivated by severe concerns about last summer’s revelations about NSA surveillance. At one point in the discussion, James A. Lewis, director and senior fellow at CSIS, countered that government surveillance issues would not even be covered by any deal. He asserted that the negotiations merely relate to private collection and use of data, and that Americans would never adopt a consumer data privacy system as stringent as Europe’s. Of the recent “right to be forgotten” decision from the European Court of Justice, Lewis said, “we have a word for that in the west… censorship.”
Nemitz said in return that Europeans believe that privacy rights belong to individuals. Those rights, he said, are equally enforceable against both state and non-state actors and that data collection and retention practices that are illegal for the government cannot be allowed for corporations.
Europe only allows the export of data when the privacy right of the individual will be “adequately protected,” and the European Commission, according to Nemitz, has determined that privacy is not “adequately protected” by existing American law or even by the current Safe Harbor system. He characterized current discussions not as a negotiation or a compromise on the extent of Europeans’ privacy rights, but a discussion of how best to protect those rights.
In response to claims by the European Commission that U.S. privacy laws do not adequately protect consumers, the International Trade Association’s Deputy-Assistant Secretary for Services Ted Dean, who is involved with the negotiations on the American side, said that when companies represent “that they are members of safe harbor, the FTC can and does enforce these provisions.” Dean held that the continued free flow of data is essential to a strong economy on both sides of the Atlantic. “Underpinning that economic relationship (between the EU and the U.S.) is the free flow of data that goes with goods trade, services trade, and investment,” he said.
Harriet Pierson, an American lawyer at Hogan Lovells specializing in information privacy law, asserted that while the Safe Harbor needs modification, the need for modification arose from changes in technology, not human rights concerns. Pierson said, “The ‘Safe Harbor 1.0’ laws are from a pre-social media, pre-mobile computing era” and do not take account of Big Data and the ever-increasing amount of information voluntarily shared by consumers. Because it was drafted in the late 1990s, she argued, the current state of the agreement does not reflect the collection of data necessary to make such services functional.
The Safe Harbor program is essential to the conduct of survey, opinion and marketing research across the Atlantic, because, as MRA has previously stated, ”Intentionally or not, the EU wields the Data Directive and its ‘adequacy’ standard as an anti-competitive trade measure, discriminating against U.S. companies in digital trade because they do not deem the U.S. to have ‘adequate’ data privacy protections.”
MRA was encouraged by the European Commission’s report on the Safe Harbor and the commissioners’ recommended ”actions to be taken in order to restore trust in data flows“ following ”deep concerns“ about U.S. spying revelations, since it seemed to indicate the continuing usefulness of the agreement in protecting consumer privacy, even as it made recommendations to potentially alter that agreement. However, we share the concerns of U.S. Assistant Secretary of Commerce Larry Strickling, expressed at a conference last year, that we shouldn't “allow the concerns to lead to cutting off data flows between the U.S. and the EU. Transborder trade – and especially transatlantic trade – now relies on the continued open flow of data, and cutting off these flows would cause significant and immediate economic damage on both sides of the Atlantic.”
While these debates continue, MRA urges all researchers who self-certify to the Safe Harbor to continue to adhere to the privacy principles (Notice, Choice, Onward Transfer (to Third Parties), Access, Security, Data Integrity and Enforcement) in their privacy policies and practices with respondents (and to ensure they are properly renewed with the Department of Commerce).