.

As trade negotiators in Washington and Brussels undertake long overdue discussions on a potential free trade agreement between the United States and European Union, there is another trans-Atlantic solution that has provided a successful model for U.S.-European commerce that should not be forgotten–the Data Protection Safe Harbor.

Created more than a decade ago, Safe Harbor provided a successful framework for free, fair trade between the United States and Europe for e-commerce. In a nutshell, this 1999 arrangement, negotiated in the U.S. by the Department of Commerce, enabled companies in the U.S. to move electronic data in and out of the EU so long as they publicly committed to abide by common-sense principles of data protection agreed to by the U.S. years earlier in an OECD convention. Such principles included limiting uses of data to the purposes agreed to by the data subject, and providing rights of access and correction, backed by FTC enforcement should a company fail to meet those commitments.

The Safe Harbor had huge benefits for U.S. multinational and e-commerce companies, which otherwise could have been forced to keep all EU personal data (including employee data) in the EU, or required to sign up for draconian “model contracts” that include such requirements as pre-agreement to accept any penalties that any EU regulator might choose to impose on the company for an alleged failure of compliance without any principle of limitation or any right of appeal. Instead, it enabled claims brought by EU citizens against U.S. organizations generally to be resolved in a streamlined, cost-effective manner in the U.S.

The result of the Safe Harbor was that many hundreds of U.S. companies modernized their privacy policies, posted them online, and agreed to FTC enforcement oversight by enrolling in the Safe Harbor. These firms respected EU data protection goals without expensive and unworkable burdens and were rewarded by increased customer confidence and decreased enforcement risk. At the same time, the U.S. companies respected EU law, and the EU demonstrated its respect for the U.S. legal and political system.

Now, however, EU privacy activists and some of the privacy czars of the individual EU countries are pushing hard-line revisions of EU data protection legislation that could serious harm U.S. companies by effectively eliminating the Data Protection Safe Harbor. U.S. companies may be effectively forced to give their EU-business to EU-based companies, or to sign up to rigid model contracts that impose essentially unlimited liability on the U.S. firms and which no domestic EU company would be required to sign. In Brussels, activists at organizations such as the European Digital Rights group claim that the "Safe Harbor is dead. We just forgot to bury it.”

If they succeed in destroying the Safe Harbor, they will eliminate an approach that has now worked successfully for a decade–and simultaneously target what could otherwise be a promising mechanism to resolve other differences between the two political and economic systems.

Right now, the U.S. Department of Commerce is fighting to preserve the Safe Harbor, with U.S. companies mostly disengaged, perhaps lulled into the risky view that the EU can’t possibly destroy a mechanism that has worked so well to promote bilateral trade.

Instead, U.S. companies should engage now to defend and protect the Safe Harbor. Indeed, it provides a proven path that we could take again to a broadened free trade agenda to build common prosperity.

The Honorable Cliff Stearns is a former Member of Congress (R-FL, 1989-2013), former Chairman of the Transatlantic Dialogue, and currently Senior Advisor to APCO Worldwide.

Photo: Peter Dreisiger (cc).

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.

a global affairs media network

www.diplomaticourier.com

Keeping a Safe Harbor

April 19, 2013

As trade negotiators in Washington and Brussels undertake long overdue discussions on a potential free trade agreement between the United States and European Union, there is another trans-Atlantic solution that has provided a successful model for U.S.-European commerce that should not be forgotten–the Data Protection Safe Harbor.

Created more than a decade ago, Safe Harbor provided a successful framework for free, fair trade between the United States and Europe for e-commerce. In a nutshell, this 1999 arrangement, negotiated in the U.S. by the Department of Commerce, enabled companies in the U.S. to move electronic data in and out of the EU so long as they publicly committed to abide by common-sense principles of data protection agreed to by the U.S. years earlier in an OECD convention. Such principles included limiting uses of data to the purposes agreed to by the data subject, and providing rights of access and correction, backed by FTC enforcement should a company fail to meet those commitments.

The Safe Harbor had huge benefits for U.S. multinational and e-commerce companies, which otherwise could have been forced to keep all EU personal data (including employee data) in the EU, or required to sign up for draconian “model contracts” that include such requirements as pre-agreement to accept any penalties that any EU regulator might choose to impose on the company for an alleged failure of compliance without any principle of limitation or any right of appeal. Instead, it enabled claims brought by EU citizens against U.S. organizations generally to be resolved in a streamlined, cost-effective manner in the U.S.

The result of the Safe Harbor was that many hundreds of U.S. companies modernized their privacy policies, posted them online, and agreed to FTC enforcement oversight by enrolling in the Safe Harbor. These firms respected EU data protection goals without expensive and unworkable burdens and were rewarded by increased customer confidence and decreased enforcement risk. At the same time, the U.S. companies respected EU law, and the EU demonstrated its respect for the U.S. legal and political system.

Now, however, EU privacy activists and some of the privacy czars of the individual EU countries are pushing hard-line revisions of EU data protection legislation that could serious harm U.S. companies by effectively eliminating the Data Protection Safe Harbor. U.S. companies may be effectively forced to give their EU-business to EU-based companies, or to sign up to rigid model contracts that impose essentially unlimited liability on the U.S. firms and which no domestic EU company would be required to sign. In Brussels, activists at organizations such as the European Digital Rights group claim that the "Safe Harbor is dead. We just forgot to bury it.”

If they succeed in destroying the Safe Harbor, they will eliminate an approach that has now worked successfully for a decade–and simultaneously target what could otherwise be a promising mechanism to resolve other differences between the two political and economic systems.

Right now, the U.S. Department of Commerce is fighting to preserve the Safe Harbor, with U.S. companies mostly disengaged, perhaps lulled into the risky view that the EU can’t possibly destroy a mechanism that has worked so well to promote bilateral trade.

Instead, U.S. companies should engage now to defend and protect the Safe Harbor. Indeed, it provides a proven path that we could take again to a broadened free trade agenda to build common prosperity.

The Honorable Cliff Stearns is a former Member of Congress (R-FL, 1989-2013), former Chairman of the Transatlantic Dialogue, and currently Senior Advisor to APCO Worldwide.

Photo: Peter Dreisiger (cc).

The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.