With just 209 US companies signed up for the mechanism for legal EU-US transfer of personal data, Brussels data privacy mandarins are on the case.
Topic: Data protection
Who: EU Data Protection Working Group
When: July 2002
European data protection officers have decided to launch a new in-depth analysis of the "Safe Harbor Agreement". This was concluded in 2000 between the USA and the European Commission so as to facilitate the safe transfer of personal data from the European Union to businesses located in the US. The agreement was driven by the EU Data Protection Directive of 1995, which outlawed transfers of personal data from the European Union to any other state which did not have "adequate" data protection laws. The firm view of the European Commission was and remains that the US does not have "adequate" data protection laws.
"Safe Harbor" was a mechanism which made it possible for US companies to legally receive personal data from the European Union. Part of the process involved signatory US companies committing to abide by levels of data privacy protection which were equivalent to those in the 1995 Directive.
Since the introduction of Safe Harbor in November 2000, there has hardly been a stampede of US companies to sign up. Indeed only 209 companies have so far done so. Clearly, something is not working, and the data protection working group has invited submissions from all data protection authorities, businesses and interested associations by 31 October 2002 on how take-up of Safe Harbor in the US can be increased. It is looking in particular for thoughts on initiatives for improving businesses' knowledge of the requirements for satisfying and remaining in Safe Harbor, on the measures needed to perfect mechanisms for resolving disputes, and on measures for increasing the transparency of the functioning of the Safe Harbor Agreement, especially as regards the day-to-day observance by American companies of the principles which they agree to adhere to when signing up to Safe Harbor.
Why this matters:
Clearly the Safe Harbor Agreement is not working in its current form, and there can be no doubt that every day gigabytes of personal data are being transferred from the EU to the US in a manner which is thoroughly non-compliant with EU data protection laws, but which escapes detection or enforcement action.
On the face of it, therefore, the working group is right to be initiating a fundamental review of the operation of Safe Harbor. It is often forgotten, however, that there are other ways in which personal data can be legally transferred from the European Union to the US. If, for example, such a transfer is necessary for the purposes of performing the contract of purchase which the individual entered into when he or she provided their personal data, then there should be no legal difficulty. There are also other ways and means by which a legal transfer can be effected. Rather than wait for the deliberations of the data protection working group to be concluded, those involved in these transfers might prefer to take advice.