How to Avoid Mines in 'Safe Harbor'

Last month, I began a review of the "safe harbor" agreement between Europe and the United States. Companies that agree to enter the safe harbor will be able to lawfully export personal data from Europe to the United States for processing.

The safe harbor agreement is like a Roach Motel, which is a glue trap for cockroaches. Advertising for the product included the line, "Roaches check in, but they don't check out." If you prefer a different advertising metaphor, you might say that safe harbor is like a diamond - it is forever.

Once a company formally subjects its imported data to the safe harbor principles, there is no escape. Once an organization accepts personal data under the safe harbor framework, the data remain under that framework even if the organization subsequently withdraws. Organizations can check out of safe harbor, but data cannot.

Nor can an organization merge its way out of the requirements. If a safe harbor organization ceases to exist as a separate legal entity because of a merger or takeover, then it must notify the Department of Commerce in advance whether the safe harbor principles will continue to apply. If not, then the data must be deleted. Deleting data may be the only lawful escape from safe harbor.

The result is that any decision to enter the safe harbor could have long-lasting and interesting effects. In theory, a company may find itself worth less as a going concern because of the restrictions that apply to its imported European Union data and the permanent taint of safe harbor. Similarly, the safe harbor might even operate as a sort of takeover defense. An acquiring company might not want any involvement with the EU data restrictions.

Even ignoring the potential long-term effects, entering the safe harbor is not a simple decision. I identified at least 33 separate mandatory requirements and others that are contingent requirements. No company should even think about entering the safe harbor until it knows all of the consequences.

What are the alternatives to safe harbor? The first one is easy. Do not export any personal data from Europe. The data in Europe are already subject to local data protection laws, and nothing will change that fact. If your company can find a way to process the data in Europe, then life will be simpler. Of course, it is not always possible or practical to leave data in Europe.

Another way to avoid safe harbor is to obtain the consent of the data subject for exporting data. If you want to obtain consent, however, ensure that you do it with care. The EU Data Protection Directive mentions three types of consent. For some activities, ordinary, routine, run-of-the-mill consent is sufficient. To process sensitive data (e.g., health, racial, religious or political data), it is necessary to obtain explicit consent.

Exporting data to a third country with inadequate data protection rules requires unambiguous consent. The Article 29 Committee, established under the directive, suggests that the data subject must be properly informed of the particular risks of the transfer. Unambiguous consent can never be inferred, and any doubts about the sufficiency of the consent will be fatal.

Consent will work in some contexts. For a bank or insurance company that has direct contact with a data subject, obtaining consent for export should be easier. But for marketers, where direct contact with data subjects is less likely, the consensual exception may not help much. Still, consent is very powerful when it can be obtained.

Other exceptions that enable a company to export data without meeting safe harbor requirements are also not likely to be of much assistance to marketers, but they will be useful in other contexts. For example, a transfer of data may be made where the transfer is related to the performance of a contract between the individual and the company. Transfers are also exempt from export restrictions when necessary for the performance of a contract between a business and a third party that benefits the individual.

Finally, the most intriguing way to avoid safe harbor is through a contract between the data exporter and the data importer. In some instances, the contract approach may call for a contract between an EU subsidiary and its American parent. The contract will have to offer sufficient guarantees that privacy will be protected. It may be necessary to have a contract blessed by the relevant member-state data protection authority.

The commission is working on standard contract language, and when a final text is published, it should simplify the contracting process. Contracting will not avoid any substantive data protection requirements, but it will enable a U.S. company to avoid the jurisdiction of the Federal Trade Commission or other federal enforcement agency. That is a significant benefit.

In these two columns, I have pointed out some of the problems of safe harbor. And I just scratched the surface. The safe harbor documents are long, poorly drafted and contradictory in some places. Nevertheless, there will be times and circumstances in which safe harbor will be the easiest and simplest way to solve the EU data export problem. Whatever you do, do not be casual. Safe harbor is not a simple matter.

• Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture. His e-mail address is
