Last month, I began a review of the “safe harbor” agreement between Europe and the United States. Companies that agree to enter the safe harbor will be able to lawfully export personal data from Europe to the United States for processing.
The safe harbor agreement is like a Roach Motel, which is a glue trap for cockroaches. Advertising for the product included the line, “Roaches check in, but they don’t check out.” If you prefer a different advertising metaphor, you might say that safe harbor is like a diamond – it is forever.
Once a company formally subjects its imported data to the safe harbor principles, there is no escape. Once an organization accepts personal data under the safe harbor framework, the data remain under that framework even if the organization subsequently withdraws. Organizations can check out of safe harbor, but data cannot.
Nor can an organization merge its way out of the requirements. If a safe harbor organization ceases to exist as a separate legal entity because of a merger or takeover, then it must notify the Department of Commerce in advance whether the safe harbor principles will continue to apply. If not, then the data must be deleted. Deleting data may be the only lawful escape from safe harbor.
The result is that any decision to enter the safe harbor could have long-lasting and interesting effects. In theory, a company may find itself worth less as a going concern because of the restrictions that apply to its imported European Union data and the permanent taint of safe harbor. Similarly, the safe harbor might even operate as a sort of takeover defense. An acquiring company might not want any involvement with the EU data restrictions.
Even ignoring the potential long-term effects, entering the safe harbor is not a simple decision. I identified at least 33 separate mandatory requirements and others that are contingent requirements. No company should even think about entering the safe harbor until it knows all of the consequences.
What are the alternatives to safe harbor? The first one is easy. Do not export any personal data from Europe. The data in Europe are already subject to local data protection laws, and nothing will change that fact. If your company can find a way to process the data in Europe, then life will be simpler. Of course, it is not always possible or practical to leave data in Europe.
Another way to avoid safe harbor is to obtain the consent of the data subject for exporting data. If you want to obtain consent, however, ensure that you do it with care. The EU Data Protection Directive mentions three types of consent. For some activities, ordinary, routine, run-of-the-mill consent is sufficient. To process sensitive data (e.g., health, racial, religious or political data), it is necessary to obtain explicit consent.
Exporting data to a third country with inadequate data protection rules requires unambiguous consent. The Article 29 Committee, established under the directive, suggests that the data subject must be properly informed of the particular risks of the transfer. Unambiguous consent can never be inferred, and any doubts about the sufficiency of the consent will be fatal.
Consent will work in some contexts. For a bank or insurance company that has direct contact with a data subject, obtaining consent for export should be easier. But for marketers, where direct contact with data subjects is less likely, the consensual exception may not help much. Still, consent is very powerful when it can be obtained.
Other exceptions that enable a company to export data without meeting safe harbor requirements are also not likely to be of much assistance to marketers, but they will be useful in other contexts. For example, a transfer of data may be made where the transfer is related to the performance of a contract between the individual and the company. Transfers are also exempt from export restrictions when necessary for the performance of a contract between a business and a third party that benefits the individual.
Finally, the most intriguing way to avoid safe harbor is through a contract between the data exporter and the data importer. In some instances, the contract approach may call for a contract between an EU subsidiary and its American parent. The contract will have to offer sufficient guarantees that privacy will be protected. It may be necessary to have a contract blessed by the relevant member-state data protection authority.
The commission is working on standard contract language, and when a final text is published, it should simplify the contracting process. Contracting will not avoid any substantive data protection requirements, but it will enable a U.S. company to avoid the jurisdiction of the Federal Trade Commission or other federal enforcement agency. That is a significant benefit.
In these two columns, I have pointed out some of the problems of safe harbor. And I just scratched the surface. The safe harbor documents are long, poorly drafted and contradictory in some places. Nevertheless, there will be times and circumstances in which safe harbor will be the easiest and simplest way to solve the EU data export problem. Whatever you do, do not be casual. Safe harbor is not a simple matter.
• Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture.