‘Safe Harbor’ is a Mirage

We live in an increasingly legalistic era. But whilst laws are supposed to state the clear, indisputable, non-negotiable rules for our behavior, lawyers and lawmakers do indulge in fantasy from time to time. These fantasies occur where laws are passed that will not be followed, and cannot be meaningfully enforced, in practice. Here are some examples:

  • Vague laws that tell private enterprises to be more secure. How secure? Secure in what way? More secure than what? Secure enough to always thwart sneaky, pernicious, determined criminals? Secure enough to stop sneaky, persistent, determined government spies? More secure than our lousy, leaky, gaffe-prone governments?!?
  • Laws that tell people not to avoid or work around other laws. Such laws are sticking plasters applied to other laws that are not fit for purpose.
  • Laws passed by weaker nations that dictate terms to stronger nations. Some government leaders, perhaps driven by the pursuit of popularity, try to reverse the decisions of foreign courts by applying new rules in their own nation’s courts. What is the purpose of such an act, except to deny the reality that money and power transcend national borders?

One of the worst examples of legalistic self-delusion occurred in Europe, toward the end of the last century. Some rather ignorant politicians, aided and abetted by equally ignorant lawyers, decided there must be some rules to govern a startling new phenomenon at that time: the automated processing of personal data. It hardly mattered that the politicians and lawyers were technologically clueless and did not have the slightest idea how their objectives might be realized in practice. Somebody had to set the rules, it was their job to invent rules, so they wrote some rules, despite their incompetence. Flash forward two decades, and consider how well these rules, stated in the 1995 EU Data Protection Directive, have been realized in practice…

Article 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

Do we really feel that everybody tells us how they use the data they collect about us, that nobody ever collects excessive data, that such data is accurate and it is deleted when no longer needed?

Article 17

Security of processing

1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.

Do they mean things like not sending discs containing the personal tax records of 25 million people through the post? Or measures to prevent a disgruntled Swiss banker from sharing the details of thousands of tax-evading customers with Wikileaks? (Though not in the EU, Switzerland copied the EU’s rules on data protection.)

This section on security epitomizes where Europe went wrong. The requirements are vague: what is appropriate, and as technology changes, who decides when it becomes appropriate to change with it? The ambition is unrealistic; determined or privileged opponents can find weaknesses in the most stringently secure organizations in the world, such as the NSA, or Iran’s nuclear program. And worst of all, the enforcement was weak. The EU’s coming General Data Protection Regulation (GDPR) will increase the fines for data breaches, and will likely come into force from 2017. The EU was forced to adopt the GDPR because the failure of the existing regime is so obvious. Between 2005 and 2014, there were 43 breaches of personal data records for every 100 EU citizens.

However, Article 17 is not the worst break from reality to be found in the 1995 EU Data Protection Directive. The Eurocrats entered the twilight zone when they asserted the following:

Article 25

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

The EU and its national governments comprehensively failed to keep the extravagant data protection promises made to the citizens of the EU. And yet, they promised not just that EU rules would be obeyed within the EU. They also promised the same rules would be followed outside the EU.

Europe is pretty powerful. It can impose EU rules upon foreign nations and companies as a condition of doing business with European citizens. Even strong countries might go along with EU demands, for the sake of commerce and friendly relations. But not every country is so weak or so poor that it must simply bow to EU diktats. One country in particular is very powerful, and processes a lot of personal data: the United States of America. The USA was always going to be the country destined to make a mockery of the EU’s promises about data protection.

Some might criticize US politicians for never promising to protect the data of American citizens in the way that personal data is supposedly protected in Europe. However, at least American politicians did not over-promise. When it comes to data protection, the US has never attempted to adopt rules of law as seemingly strict as those found in Europe. At the same time, Europe cannot afford to unilaterally sever all business ties involving the electronic exchange of personal information with corporations based in the USA. This is the context for the most obscene legal fudge in the world of data protection and electronic communication.

If US businesses had been forced to demonstrate compliance with EU data protection rules on a case-by-case basis, the costs would have been enormous. So, in 2000, the authorities devised a legal workaround to sidestep the gigantic trap created by the new EU rules. That legal workaround is called ‘safe harbor’ (it seems appropriate to spell it the American way, though Europeans often choose the British spelling). The US Department of Commerce and the European Commission negotiated a way for US businesses to say they comply with EU rules, without needing to demonstrate they comply with EU rules. Put simply, the safe harbor privacy framework asks US businesses to self-certify compliance with EU data protection rules, asks everybody in the EU to believe those US businesses, and for everyone to pretend that EU rules have really been followed in practice. Have you spotted the flaw yet?

If anybody thinks we need to debate the absurdity of this workaround, or perhaps suggests we should look at data before judging if this regime works in practice, I feel that individual must already be biased. The problem with data protection is that its abuse can be impossible to detect, meaning we never have comprehensive data about the failure to comply. On the other hand, the EU utterly failed to realize its ambitions over a twenty year period when it backed its rules with only weak enforcement. The enforcement of these rules on US business is even weaker. In such circumstances, it should be obvious that US businesses are even less likely to comply.

Either businesses can be trusted or they cannot be trusted. It makes no sense for EU politicians to simply trust American businesses to keep their compliance promises, after accepting that much tougher fines must be imposed on European businesses that fail to comply.

Science fiction humorist Douglas Adams once wrote about an invention called the ‘Somebody Else’s Problem (SEP) field generator’. Per his story, it is almost impossible to make a physical object invisible, but it is really easy to turn it into an SEP. When something is an SEP, nobody wants to look at it, and everybody pretends they cannot see it. The safe harbor workaround is the world’s biggest SEP. Currently 500 million EU citizens treat it as somebody else’s problem – but it is their problem. If they rely on the EU’s data protection rules, they should realize it is as cheap and easy to circumvent these rules as it is to transmit personal data to the USA.

There are a few Europeans who have taken ownership of the safe harbor problem. One of those individuals is Austrian privacy activist Max Schrems. He is driving the so-called ‘Europe vs Facebook’ legal dispute; Schrems has long believed that Facebook’s practices fail to meet the expectations of EU privacy law.

Schrems has succeeded in appealing his case to the European Court of Justice, the EU’s most senior court. According to the Wall Street Journal, a nonbinding opinion by the court’s advocate general will be published on June 24, with a final verdict expected before October.

There is a lot of squirming about Schrems’ case. Government lawyers and business representatives repeatedly observe that the loss of safe harbor would be very inconvenient. Billions of dollars of trade, involving big comms and tech companies on both sides of the Atlantic, could be thrown into a political and legal quagmire. I sympathize with why businesses would rather maintain the status quo. This is not a mess of their making, and they just want to do business. But this is a mess, and sometimes it is necessary to suffer some hardship to clear up the mess made by others.

The writer Charles Dickens had his own problems with trans-Atlantic law. He pleaded for Americans to adopt copyright laws like those in Britain, because pirate American publishers were copying his stories without paying a penny in royalties. One of Dickens’ most famous quotes also applies to the trans-Atlantic delusion that personal data can find safe harbor:

“If the law supposes that,” said Mr. Bumble, squeezing his hat emphatically in both hands, “the law is a ass — a idiot. If that’s the eye of the law, the law is a bachelor; and the worst I wish the law is, that his eye may be opened by experience — by experience.”

If trade between the EU and US is rocked by Schrems’ legal broadside, I would not blame Schrems personally. When it comes to data protection, current lawmakers are unwilling to admit to the mistakes previously made, by a previous generation of lawmakers who were stupefyingly naive. Even when the EU tries to patch up its own leaky data protection ship, it takes them many years to make little progress; the General Data Protection Regulation may come into force in 2017, after being first proposed in 2012. The EU tries to lead the world in the realm of data protection. However, the EU has lost its way, and struggles to plot a new course without losing face.

Given the potential economic impact of Schrems’ case, I expect the lawyers to once again find an imaginative interpretation of what occurs in law and practice. This might allow the world to continue as if nothing has happened. In other words, I expect they will find a new way to generate an SEP field around the topic of safe harbor. But in the long-run we would all be better off if the problem was genuinely fixed.

When I worked for T-Mobile UK, I was once asked to dial an automated service to participate in an employee engagement survey. The first question asked by the machine voice was whether I consented to having my personal data – the answers to the questions I was about to be asked – processed in the USA. Being the smart arse that I am, and being familiar with the laws that gave rise to this question, I wanted to see what would happen if I hit the number ‘2’ on the dialling pad, indicating I did not consent. The automated voice said thank you, and goodbye, and the call was ended. My boss was unhappy; he took this as proof that I was not engaged with my job. All EU citizens are given an illusion of choice over how they can protect their personal data. In truth, they are forced to make concessions that render the EU’s rules irrelevant.

In this article, I have no wish to debate whether people have too many or too few legal protections. I only wish to emphasize that the real extent of data protection should be consistent with what ordinary people are told about data protection. This is necessary so they can make informed decisions about who they give data to, and how it is used. When people are routinely given misinformation, they may eventually become cynical, and their behavior will then be less reasonable, and more erratic, than if they were treated as intelligent adults from the beginning.

DPA98, on my desk

From the first time I read the Data Protection Act 1998 (DPA98), which was Britain’s way of obeying the EU Data Protection Directive, I considered the section on cross-border data flows to be a work of supreme fantasy. Then, when the safe harbor fudge was delivered in 2000, I was convinced that Europe’s politicians were consciously choosing to deceive themselves and others. They wanted to pretend that they could force the US to follow EU rules, even though they knew US businesses would not pay the huge costs of genuine compliance. And why should US businesses hobble themselves by doing so? It was equally plain that EU businesses treated data protection as a box-ticking exercise, with little investment in the areas that would really drive costs – like making security more robust. The picture shows my personal copy of DPA98. I enjoy reading works of science fiction and fantasy, but this publication, and others in the data protection genre, are simply too fantastic for my tastes.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.