The pending proposal from the European Commission for revision of the EU Directive (expected in early 2012) raises questions about the efficacy under a revised Directive of the EU-US Safe Harbor framework, which permits the legal cross-border transfer of personal data from the EU to the US for companies enrolled in the Safe Harbor and committed to the requisite privacy protections. That’s the recent observation in Europolitics, the European Affairs daily:
It is not clear what impact a revamp of the EU and US data privacy legal frameworks would have on Safe Harbour. According to the Commerce Department official, "we have been assured by the European Commission that Safe Harbour will not be affected by changes in the Data Protection Directive". The official adds, however, that they do have concerns about US firms lacking the clarity they need should new terms like ‘privacy by design’ and ‘right to be forgotten’ be introduced without their precise meaning being spelled out. A Commission proposal is due to be unveiled in early 2012.
The article goes on to speculate about and comment on pending US privacy legislation and its effect on cross-border transfers, concluding that passage of a new US law is not likely:
Meanwhile, the US Congress is considering several bills that could move the US from its current sector-based system to a more comprehensive framework. If this happens, Washington could ask the Commission to adopt a so-called adequacy finding on the US data privacy framework, which would permit an automatic free flow of personal data from the EU to the US. This could effectively render Safe Harbour obsolete. But there is no guarantee that the Commission would adopt such a finding even if Congress does enact comprehensive data privacy legislation. Moreover, with the Obama administration not yet strongly pushing these bills and some Republicans on Capitol Hill opposing them on the grounds that they will stifle innovation in the digital environment, their passage looks far from certain.
On the efficacy of the Safe Harbor arrangement, Peter Fleischer, Google’s Global Privacy Counsel offered a rousing defense in a recent blog: "I cannot think of a single international privacy framework that has done more to raise the standards of privacy practices by US companies over the last decade than Safe Harbor."
Mr. Fleischer also observed:
In fact, Safe Harbor has become the global framework by which many multinationals organize their global privacy compliance efforts, extending its reach far beyond the narrow explicit confines of data transfers from Europe to the US. Or as Damon Greer, the US government official currently responsible for Safe Harbor, recently put it in an eloquent rebuttal of the critiques of the program, “safe harbour has been a resounding success … facilitating the recognition by US business that privacy is a critical factor to success in the global marketplace
The Fleischer post begins with a reference to European concerns about law enforcement access to personal data of EU data subjects, but concludes that the efficacy of the Safe Harbor outweighs those concerns, which are currently the subject of transatlantic discussions between the EU and the US.