Briefing

Information matters: Harbouring grudges - the transatlantic data war

Posted by: Henry Sainty and Owen O'Rorke | Date posted: 07/05/2015

The term 'Safe Harbor' is guaranteed to wind up European practitioners, and not just those who object to the US spelling.  Oscar Wilde wrote in 1887: "We really have everything in common with America nowadays except, of course, language". In 2015 the global language is data, and the differences are starker than ever.

Dropped U's are of less concern to 'privacy hawks': what concerns them is the US culture when it comes to dealing with customer information. The United States remains the UK's largest single commercial partner in terms of exports, but as electronic business flies across the pond, the lag in data privacy law is far more marked than the time difference. Perception and (to a large extent) practice suggest that this disconnect extends to attitudes as well: in the US, user data is a free market asset first and a personal right second.

The self-certifying Safe Harbor scheme is seen as emblematic of this clash of cultures, and – putting aside snobbery and orthography – it is the word 'Safe' that rankles most of all.  For the uninitiated, it is a system whereby US organisations (sorry, "organizations") wishing to take receipt of data from the EEA are obliged to confirm with the US Department of Commerce that they are adequately data privacy compliant to do so.

This requirement stems from European Directive 95/46/EC, represented in the UK by the Eighth Data Protection Principle: "Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data." Plainly this could be construed as anti-business when it comes to our American cousins, so the US-EU Safe Harbor 'program' – in deference to the local spelling – is a result of a negotiated compromise. It has not been universally well-received.

It is the 'self-certifying' part which spreads the most doubt, and where the worst practice has been uncovered. Very often companies will certify annually but not comply in practice, or certify once then let the next year lapse – all the while carrying on business with Europe under the badge of compliance (such as that provided by TRUSTe).  In short, the framework is perceived as a loophole by those who have no interest in complying with the distant laws of the Old World.

In January 2014, eager to show its teeth, the Federal Trade Commission (FTC) – the policeman of the scheme, or perhaps the 'Harbor patrol' – responded to EU criticism by revealing it had settled with some 12 companies (spanning mobile app technologies, DNA testing and professional sports teams) following a string of charges over false certification claims and non-compliance.  Last month it named-and-shamed two more companies, a recruitment forum and a mailing service, for misrepresenting their continued participation in the Safe Harbor framework. In addition, one of the companies misstated in its own Privacy Policy how the disputes procedure under Safe Harbor was supposed to work: specifically, by claiming any dispute would be arbitrated in the US (rather than an appointed, 'data-competent' European authority).

The details of these enforcement settlements were private, and it is not clear how much of an active deterrent the 26 charges brought by the FTC since 2000 have truly been to wider business practice. Certainly it has not convinced the European Commission that the scheme is working and, in the light of claims made by Edward Snowden about how US authorities treat personal data, it has drafted 13 recommendations for its still-forthcoming Data Protection Regulation (see blog pieces past, present and future) to deal with these concerns. For example, going forward, the EU wants the US to guarantee that European citizens will have their data rights upheld in the American courts.

For UK and European businesses there are lessons too. No-one is suggesting that you should not trade with the United States, but when you do so ensure that wherever possible you have adequate contractual controls over data processing. If this is not practical, look behind the promises. The mere appearance of Safe Harbor certification may not be enough in every case to protect the valuable rights of your data subjects, and if you have not taken steps to assess the adequacy of protection this could backfire in terms of your own liability as well.

As far as Europe is concerned, its citizens' privacy rights are non-negotiable. This is the red line that really matters when it comes to Safe Harbor – not the ones that pop up all over Spellcheck. Jean-Claude Juncker, as part of his coronation as European President, included the issue in his stated priorities: "I will not sacrifice Europe's safety, health, social and data protection standards on the altar of free trade." It is a proclamation that sums up the differences between the regimes. Unfortunately for international trade relations, the battleground is likely to get more intense before this cold information war can end.


If you require further information on anything covered in this briefing please contact Henry Sainty (henry.sainty@farrer.co.uk; 020 3375 7424), or Owen O'Rorke (owen.o'rorke@farrer.co.uk; 020 3375 7348), or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Intellectual Property page on our website.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, May 2015