The US-EU Safe Harbor agreement is even more ineffective than previously thought. One of the more arcane bits of wonkery that allow trade between Europe and America, the Safe Harbor was cooked up in 2000 to allow US companies to adhere to the EU’s strict data protection laws. All a company has to do to join is say it complies with seven privacy principles, which include telling people what data it collects and what it does with it, offering them the choice to opt out, and so on. Without the Safe Harbor, many American firms would be unable to smoothly do business in Europe. It has for years been criticized as toothless. Now it turns out that hundreds of companies claiming to adhere to its provisions aren’t members of the framework.
One out of every seven claims of Safe Harbor membership is false, data privacy expert Chris Connolly told the European Parliament’s committee on civil liberties, justice and home affairs yesterday. According to Connolly, 427 of the roughly 3,000 US companies on the Safe Harbor list either haven’t signed up or have let their membership lapse. (Quartz could not verify the numbers because the list is offline due to the US government shutdown.) Many of them nonetheless use the word ‘EU’ or the European flag, and a tenth of the fake claimants have a Safe Harbor logo created by the Department of Commerce, the EU Observer reported Connolly as saying.
The agreement underpins 21st-century commerce between America and the EU. It also has the potential to be a major stumbling block for the proposed free trade zone between the two regions. Immediately after the announcement, the German data commissioner posted an article with the headline “Transatlantic Free Trade Zone? But only when the US provide improved data protection!” In July, EU commissioner Viviane Reding announced a review of the agreement (paywall). And European parliamentarians are presently working on a renewed data privacy bill which would tighten regulations and be enforceable across the continent. As the bill goes through amendments, it is possible the agreement may be repealed altogether.
That leaves two options. Either the US will have to take European concerns about data protection more seriously or American firms will have to substantially change the way they do business so they can keep customer data within Europe’s borders. Neither seems likely at the moment. But the EU may just force America’s hand.