What a safer Safe Harbour could look like
EU and U.S. negotiators are working against the clock to agree on a new and strengthened framework for transatlantic data flows by the end of January. This is the deadline provided by European data protection authorities after which they could start procedures against companies still relying on the old framework invalidated by the Court of Justice of the European Union (CJEU).[1]
A halt to commercial data transfers between the EU and the U.S. could severely damage our economies, worsen the transatlantic partnership and fragment the global Internet.[2] Negotiators are therefore scrambling to agree on a new framework that addresses the CJEU’s points of criticism.
So what should a new and improved Safe Harbour framework look like? Here are some ideas:
A streamlined and transparent framework
The main advantage of the original Safe Harbour was that it was a streamlined and cost-effective framework. Other types of transfer mechanisms exists, but they are costly, bureaucratic, limited in use, or take time to put in place. The main feature of Safe Harbour is the concept of companies’ self certification. These are binding legal commitments which are fully transparent to the public. Small- and medium-sized enterprises (SMEs), which constituted 60% of Safe Harbour companies, particularly benefitted from the framework.[3]
Free mechanisms for consumer complaints backed by strong enforcement
The U.S. Federal Trade Commission (FTC) should continue their recent trend of rigorous and rapid enforcement of complaints against companies. Today, consumers are ensured “affordable” and independent recourse mechanisms to further investigate and resolve complaints, e.g., through sanctions. Negotiators have indicated that such mechanisms should become free for consumers in a new framework.
Proportionate and limited access by governments
All governments occasionally request that companies provide access to user data for law enforcement or national security purposes. Many companies, such as social networks and search engines, already publish their own transparency reports. The U.S. Government should explain to the European Commission the proportionality and the limitations of its access to data transferred under the new data transfer framework. It is worth noting that the U.S. Government has already undertaken substantial reforms of its surveillance programs and competences, since the CJEU took on the Schrems case and since the European Commission’s stock-taking of the old Safe Harbour back in 2013.[4] It can be argued that these reforms were not reflected in the CJEU’s judgment.[5]
A dynamic framework open to continuous improvements
In light of ongoing privacy and surveillance laws and policy reforms in both Europe and the U.S., and the fast-moving nature of the global data economy, negotiators have indicated that the new framework will be a “living document.” Rather than waiting another 16 years to update any new framework, EU and U.S. officials should continuously assess and improve the framework, with the aim of avoiding another situation like today’s of substantial legal uncertainty.
Legal certainty equals business and consumer confidence
European data protection authorities have given EU and U.S. negotiators until the end of January to agree on a new framework after which they could take enforcement actions against hapless companies. The current lack of legal certainty for companies also undermines consumer confidence.
After two years of negotiations, EU and U.S. officials should, as soon as possible, present a new and safer Safe Harbour framework. Including these suggestions would significantly strengthen the new framework to the benefit of European and U.S. companies and consumers.
—