Will Safe Harbour be Destroyed by the Snowden Storm?

With the passage of European Commission’s Council Directive 95/46/EC, Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data, the European Union became the leader in data privacy, setting the bar for other nations.  Aside from the European Union, more and more nation-states are following the basic principles of (1) notice; (2) choice; (3) restrictions on transfers to third parties; (4) access; (5) security; (6) data integrity; and (7) enforcement.   If a European Union entity wishes to transfer personal data to an entity outside the European Union, the non-European Union entity must be from a country deemed “adequate,” meaning that the European Union has determined that country’s privacy standards to be adequate in relation to its own.   If a country is not deemed acceptable, data may still be transferred if: the data subject gives consent for the transfer; the transfer is necessary for contract performance of a contract or, at the data subject’s request to complete tasks prior to contracting; if the performance of a contract between the controller of the subject’s data and a third party is in the data subject’s interest; or to protect the vital interests of the data subject.  The EU is now on the brink of tightening these restrictions with planned passage of a revised directive to be adopted by the end of 2014, click here to visit the European Commission’s website on data privacy.

The United States’ patchwork of privacy protections was not enough to deem the protections adequate.  To keep data flowing from European Union to United States, the European Union and United States negotiated a framework known as “Safe Harbor.”   Safe Harbor allows entities that qualify to voluntarily self-certify that the entity abides by certain principles, largely based on the European Union Principles.

However, the program has come under extreme scrutiny in the European Union.  Last spring, Edward Snowden blew the whistle on the United States National Security Administration, who has been actively collecting and storing personal information of United States citizens and foreign nationals, including heads of state, obtained through internet sources including Google, Facebook, Yahoo, and others.  In response, the European Union, led by Germany, has threatened to revoke their acceptance of the adequacy of the United States program.  If data cannot be transferred between the European Union and United States, communications and commerce will slow drastically and, in some cases, cease.  Therefore, the United States should adopt a substantially similar data privacy scheme as that established in the European Union.

Over 4,000 entities have registered with the Safe Harbor program.   The demise of Safe Harbor as a somewhat satisfactory substitute for stronger, across the board privacy protections would leave many entities with few options.  Unless the United States wants to be left without means to transfer personal data, keeping communications and commerce flowing, into the United States from European Union member states or like-minded nations, the United States must adopt substantially similar data privacy scheme as the current, pre-amendment scheme in place in the European Union.

While the current sectorial model of privacy in the United States is not adequate for the European Union, there is precedent for providing privacy protections that would.  For example, Gramm-Leach-Bliley Act, in part, governs privacy protections required of financial institutions and companies providing financial products, such as insurance, loans, and investment products.  Health Insurance Portability and Accountability Act’s Privacy Rule provides privacy protections for individuals’ health information.   The Fair Credit Reporting Act provides privacy protections for information included in credit reports.   The Telephone Consumer Protection Act and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 also allow consumers to opt-out of marketing.   Finally, the Video Privacy Protection Act protects the records of an individual’s video rental habits.   Expansion of the privacy protections provided by these statutes, from a sectorial model to a broad-based model would allow for continued data trade with the European Union and provide those in the United States with solid, much-needed, and overdue privacy protections.