The level of concern about the legal restrictions affecting international data transfers is on the increase. Debates at privacy conferences and Twitter exchanges ardently evidence that overcoming those restrictions has become a managerial priority, as well as a growing headache for multinationals. Safe Harbor is constantly in the firing line and its supporters are often accused of trying to pull the wool over the eyes of European data exporters and regulators no matter how hard they try to show its effectiveness. Conversely, undertaking a Binding Corporate Rules (BCR) project is often seen as an overwhelmingly daunting exercise with an uncertain return. This is not a reassuring position to be in, given that the prospect of a restrictions-free future for global data flows is unlikely. As a result, making the legal tools for data transfers work continues to be one of the greatest challenges faced by privacy professionals.
The truth is that the prohibition on exports of data that is present in a number of the world's data privacy laws disregards the reality of the internet and mobile communications. As technology evolves and all of us embrace the global nature of information sharing, it seems almost surreal that some policy makers and regulators insist on building some sort of physical, or at least digital, fortress around the data within their jurisdiction with the aim of preventing unwanted interferences. Data flows are the norm, not the exception. Digital information is constantly being transmitted and made available across borders just because we live in an interconnected world. There is something slightly absurd about having an outright prohibition on something that simply happens by default every second of the day through the use of widely spread technology. Yet the trend is set to continue.
Looking at the immediate legislative future, the restrictions on international data transfers will almost definitely carry on. The ongoing data protection legislative reform taking place in Europe shows us that the aim of creating a geographical data barrier will survive and make its way into the new framework. There was a time at the beginning of the reform process when it seemed possible for Europe to consider a less restrictive approach. But the mass surveillance revelations of 2013 had the effect of turning data transfer restrictions into a seemingly natural way of protecting European data and safeguarding the fundamental right to data protection. This was perhaps an inevitable reaction and so far the European Commission, the European Parliament and the Council of the EU seem determined to keep the 1990s-style prohibition and preserve it in the legal regime for the foreseeable future.
As a consequence, mechanisms like Safe Harbor and BCR become all the more necessary despite their drawbacks. The European scepticism regarding Safe Harbor is legendary. Since the early days, politicians and regulators have been questioning its standards of protection compared to the European regime. What is often forgotten is that Safe Harbor was not a European creation. Safe Harbor is a self-regulatory framework which originated in the US and is targeted at an American corporate audience. It does not look like European law because it was never meant to mirror the EU data protection directive. It involves a self-certification process rather than a prior-checking European-style approach because that is the kind of process that is regarded as suitable when a US legal mindset is applied. In other words, Safe Harbor was meant to establish a US framework that could be regarded as providing an adequate level of data protection.
On the other hand, BCR was devised by an inspired group of EU data protection regulators who had the vision to develop an EU-based framework of global applicability. As a concept, BCR is probably the single biggest contribution to the adoption of European privacy standards around the world since the Council of Europe Convention for the Protection of Individuals of 1981. What is depressing is the failure by some to see the commitment that organisations make when deciding to go down the route of implementing BCR across their international operations. Every single one of those organisations is effectively giving a very clear message to the regulatory community and the world that they are prepared to achieve very high standards of privacy compliance. For that reason, they deserve a degree of trust that they do not always receive. This lack of recognition is the cause of much frustration and has damaged the image of BCR as a truly effective tool.
Fortunately, there is a way forward even in a world of unrealistic legal barriers to data flows. In Europe, we must recognise that Safe Harbor is not EU law but a self-regulatory mechanism which reflects the traditions and values of the US legal system and its approach to privacy protections. It should be assessed on that basis and efforts should be devoted by all to bridge that gap. BCR should be regarded as an evident sign of commitment to privacy and high data protection practices, and not as a chance for regulators to test the stamina of privacy professionals. Achieving high standards for the protection of privacy on a global basis is not impossible, but those who strive to achieve that objective should be rewarded with tolerance and trust.
Eduardo Ustaran, Partner
Hogan Lovells, London
email@example.com