The Berkman Center for Internet & Society at Harvard Law School

A SAFE HARBOR? DISCOVERY IN THE CONTEXT OF THE EU/US SAFE HARBOR PRINCIPLES

The "safe harbor" arrangement between the European Union (EU) and the United States, as concluded after two years of negotiations, purports to provide a predictable framework for transfers of personal data from the EU to US companies or organizations that adhere to a set of "safe harbor" principles issued by the US Department of Commerce. Most significant for our exploration of Digital Discovery, data pertaining to EU entities and transferred under the Safe Harbor provisions may be exempt from discovery in the US courts.

On the EU side, the safe harbor principles will be fulfilled based on an "adequate protection" standard, as delineated by the EU Data Protection Directive for transfers of personal data. A formal decision under the Directive (Article 25.6) to approve the "safe harbor" principles as providing "adequate protection" would require the support of a qualified majority among the Member States. The package as a whole is designed:
to provide guidance to companies and other organizations in the US who want to meet the "adequate protection" standard;
to provide the necessary legal certainty for those adhering to the agreed standard that their data transfers will not be interrupted; and
to create thereby a more predictable and less administratively burdensome framework, ensuring high data protection standards for data transfers to the US.

The key feature of the "safe harbor" principles is that they bridge the different approaches to data protection represented by the EU and the US and provide a common language, so to speak, for the two systems to share. The EU maintains a legislative approach to data protection, while the US relies mainly on self-regulation, though that self-regulation rests on considerable legal underpinning.

One major issue of concern to the EU, prior to ratification, was the way in which principles of data protection would be enforced in the US and, in particular, the accuracy and reliability of the list of companies adhering to the Safe Harbor and the possible sanctions for non-compliance. Another difficult issue was the way in which existing EU laws could be integrated into the arrangement.

The Directive 95/46/EC on Data Protection aims to remove obstacles to the free movement of data while guaranteeing the protection of the individual's right to privacy by harmonizing national provisions in this field. Member States may exempt from the Directive's obligations different types of data, in particular data relating to national security, defense, and crime detection and enforcement.

Since September 1998, the US/EU talks have coalesced around the search for a mutually acceptable "safe harbor" - a set of principles that US companies would sign up to on a voluntary basis, but to which they would then be bound, and which the Commission would find "adequate" under Article 25.6 of the Data Protection Directive. The US stressed that it had statutory powers to ensure that self-regulation would be enforced, since any company in breach of obligations voluntarily entered into could be sanctioned by US regulatory and/or law-enforcement agencies at both state and federal level. Any such cases would be treated as a matter of priority.