The Plain Truth About Safe Harbor
The stance adopted by the European Commission in the report on the functioning of Safe Harbor was probably one of the worst kept secrets of the privacy world. It was patently obvious to anyone close enough to the controversy around the ability of Safe Harbor to live up to the expectations of EU policymakers and regulators that the European Commission would be critical about it but would stop short of delivering a fatal blow to the scheme. So as expected, the commission's report unequivocally reveals some deficiencies that are seen as unfair for both U.S. companies, which properly apply the scheme and European companies that simply comply with EU data protection law. The toughest criticism is directed at the simple fact that, because the self-certification process does not involve any kind of regulatory scrutiny, about 10% of companies claiming to meet the Safe Harbor standards are actually making false claims. A more veiled criticism is directed to the enforcement mechanisms, which are seen as a little too lame by the commission. This translates into a very simple commercial point: Where a European company competes with a U.S. company operating under Safe Harbor, but in practice not applying its principles, the European company is at a competitive disadvantage in relation to that U.S. company. In the short term, this means that Safe Harbor will survive pretty much unscathed. In the longer term, this may even be the beginning of real interoperability of privacy approaches.