Looking Closer at Safe Harbor

In mid-March, the European Parliament voted for the proposed European General Data Protection Regulation. This development ensures that the regulation – which has been in legislative limbo for over two years – remains on the table, even after the parliamentary elections in May. In doing so, the Members of Parliament (MEPs) also reinforced some of the data protection amendments in the proposal and strengthened a resolution calling for the suspension of the Safe Harbor agreement with the US.

According to Jan Philipp Albrecht, spokesperson for the regulation:

“I have a clear message to the council: Any further postponement would be irresponsible. The citizens of Europe expect us to deliver a strong EU-wide data protection regulation. If there are some member states which do not want to deliver after two years of negotiations, the majority should go ahead without them.”

The EU Justice Commissioner Viviane Reding also expressed her support for the vote:

“The message the European Parliament is sending is unequivocal: This reform is a necessity and now it is irreversible. [The vote] will make life easier for business and strengthen the protection of our citizens.

Suspending Safe Harbor

An overwhelming majority of MEPs voted for the immediate suspension of Safe Harbor; 544 to 78 members (with 60 abstentions) called for the end of the agreement. Of course, the European Parliament has expressed its disapproval in this situation for a while, but it is still an important reminder for both business and legal communities in the EU and beyond. It’s surprising as Safe Harbor is possibly the most widely-relied upon mechanism to legitimize data flows between the EU and US.

At this point, it’s important to consider if EU-based organizations that use Safe Harbor as the legal basis for transferring data to their own corporate group entities or service providers operating in the US are doing the right thing.

There are some areas of contention, outlined below:

  • The power to issue or revoke an adequacy finding lies with the European Commission alone. Until the 1995 Data Protection Directive is replaced, this will continue to be the case. Meanwhile, EU member states must accept that and ensure that their national laws and regulating bodies comply with the EC’s requirements.
  • A lot of the problems with Safe Harbor is related to politics and economic issues, rather than data protection. Consider NSA access to European data, US technological dominance, European competitiveness and other noteworthy issues. These contribute to the difficulty in performing an accurate and objective assessment of the efficacy of the scheme, particularly in terms of protecting data and privacy.
  • Another major limitation of Safe Harbor is that the nature of the scheme and its principles are directed towards importers of European data who act as “controllers,” rather than processors or service providers. Safe Harbor has been taken up by cloud service providers – many of which are concerned with the data protection commitments to their customers, but find it difficult to show how Safe Harbor can benefit their EU clients. Hopefully, this will be one of the points addressed by the EU data protection authorities in the upcoming Article 29 Working Party assessment of Safe Harbor.
  • As a closing remark, consider that the Safe Harbor agreement is enforced by one of the most powerful regulators on the planet: the US Federal Trade Commission. This should indicate to any responsible party that even voluntary Safe Harbor responsibilities should be taken very seriously.


In March, 2014, an overwhelming majority of the European Parliament voted for the immediate suspension of the Safe Harbor agreement between the EU and the US. This article takes a look at the situation.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/European Privacy (CIPP/E), a privacy professional should be comfortable with topics related to this post, including:

  • European Parliament (I.B.c.)
  • International data transfers – Safe Harbor (II.I.c.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>