Think Before Joining 'Safe Harbor'


Should your company enter the "safe harbor"? The issue is exceedingly complex, and no simple answers will be found.

A complete discussion of all aspects of safe harbor might fill this entire newspaper. In addition, the usual rule applies. Ask two lawyers about the subject, and you will get at least two different answers to most questions. Whatever you do, don't enter the safe harbor quickly or casually.

Let's begin at the beginning. The European Union data protection directive prohibits the export of personal data from European Union member states to third countries (e.g., the United States) unless the third country provides an adequate level of protection. The adequacy of the protection is assessed in light of all circumstances surrounding a data transfer, and the conclusion can vary with respect to a country from sector to sector and, perhaps, from company to company.

No one can argue with a straight face that the United States generally meets the standard of adequacy. It is hard to convince knowledgeable Europeans - and EU officials are highly knowledgeable about American privacy law - that American records have legal protections comparable to those in EU countries. Don't expect these judgments to change any time soon. Most current legislative proposals - the ones that many in the business community think are too onerous - don't meet safe harbor standards.

The agreement between the United States and the EU establishes a way for personal data to be exported for processing, notwithstanding the lack of general adequacy in the United States. It took the Commerce Department and the EU about two years to strike a deal. Essentially, companies can opt in to safe harbor and be deemed to meet the adequacy standard until proved otherwise.

By the way, the term "processing" comes straight from the directive, and it is a very broad term. It includes virtually anything you might do with personal data, including collection, use, disclosure and just plain storage. If you receive EU data, you are almost certainly processing it.

An initial question for any company is whether safe harbor matters. Some companies know they are receiving consumer data from European affiliates. They can be sure it is worthwhile considering safe harbor. For multinational companies, human resource records may create a separate host of questions.

How about American companies that just operate Web sites accessible from Europe? Are they exporting personal data from Europe? In the Internet era, this is a tough question. Answering it for your Web site may require a complete analysis of what information you collect. Even casual visitors to a Web site who are not asked to register or disclose any personal information might disclose identifiable personal data when they surf your site. Arguably, even a casual collection of information that is not used in any substantive way could create data export concerns.

For companies using the Internet, safe harbor may not offer much assistance in addressing or avoiding EU data protection problems. The documents, at, include a July 17, 2000, letter from the Commerce Department to John Mogg at the European Commission. This letter includes the following crucial language addressing jurisdictional issues:

"I would like to confirm that it is the U.S. intention that participation in the safe harbor does not change the status quo ante for any organization with respect to jurisdiction, applicable law and liability in the European Union. Moreover, our discussions with respect to the safe harbor have not resolved nor prejudged the questions of jurisdiction or applicable law with respect to Web sites. All existing rules, principles, conventions and treaties relating to international conflicts of law continue to apply and are not prejudiced in any way by the safe harbor arrangement."

What does this polite reservation mean? For the Internet, it means that it remains an open question whether a U.S. company operating a Web site accessible in Europe is directly subject to EU data protection laws. It is possible that EU member states will determine that a U.S. Web site operator doing business with Europeans is processing personal data within Europe and is therefore subject to EU data protection laws directly.

Consider two identical Web sites that collect personal data from visitors, one Web site in Paris and the other in Peoria, IL. I doubt that all EU member states will decide that their data protection laws only apply to the site in Europe. It may take years before anyone definitively resolves jurisdiction questions.

So a company that decides to enter safe harbor and comply with its weakened standards for data protection may discover that the full EU data protection rules still apply directly. The only result may be adding an additional level of enforcement to the oversight already provided by EU authorities. It is crucial to remember that safe harbor is not the only way for a U.S. company to justify personal data exports from Europe. Several alternatives exist, and they will be discussed in future columns.

I am out of space, and I haven't even gotten a toe over the threshold of safe harbor. I told you this was a complex subject. When I return to this subject, I will explain why the safe harbor agreement is like a roach motel.

• Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture.
