Should we worry about Safe Harbor being suspended because of the NSA’s PRISM Program?
(LONDON) Various data protection power players have called for the suspension or curtailment of the US Safe Harbor program ever since the Snowden revelations that the US NSA has required large internet service providers such as Google to provide vast amounts of personal data transmitted by individuals in Europe (and elsewhere).
As many of you will know, the US Safe Harbor program is a voluntary program overseen by the FTC that allows US companies to meet EU requirements for data protection, thus facilitating transfers of personal data from the EU to Safe Harbor-listed companies in the US. The rationale for suspending the Safe Harbor program seems to be that Safe Harbor participants are practically unable to comply with EU data protection requirements because they have to comply with US government subpoenas that are contrary to European law.
Suspending Safe Harbor-based data transfers would be very disruptive to European and US companies that rely on it to conduct business – although there are alternatives that could be put in place fairly quickly by those companies, such as EU-approved model contract clauses.
That all sounds pretty alarming. However, while the EU Parliament has some very vocal opponents to the NSA’s PRISM program who see the Safe Harbor program as a point of leverage against the US, there are a number of reasons why Safe Harbor is unlikely to be suspended:
- There are other very weighty political considerations, including larger trade relationships and intelligence-sharing arrangements between the EU and the US. EU politicians and bureaucrats charged with looking after those relationships and arrangements may be less vociferous than their privacy-focused counterparts, but they also have a voice within the EU political structure.
- Many EU businesses would suffer along with US businesses if Safe Harbor was suspended because their business processes would be interrupted.
- The European Commission is very invested in promoting the adoption of cloud services as a business technology model, and suspending Safe Harbor would create a significant obstacle to uptake.
The latest move by the EU Parliament moves the focus off of Safe Harbor as such. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs is considering a bill that would require American companies to get EU approval before complying with a US government subpoena to release personal data of EU residents. The proposal seems to be based on the position that data transfers would be subject to EU law above all else. It seems likely that there will be heavy lobbying by US companies to avoid being put in the middle between US and EU legal orders. Also, there are underlying political considerations that may outweigh the forces behind the European Parliament’s protective bill, including its potential impact on intelligence-sharing arrangements between European countries and the US.