Who: European Commission
When: 19 July 2013
Law stated as at: 4 September 2013
The European Commission has announced an assessment of the EU-US Safe Harbor agreement and will present its results by the end of 2013. Vice President Reding explained at a European Justice Council meeting held on 19 July 2013 that “the Safe Harbor agreement may not be so safe after all”, adding that “it could be a loophole for data transfers because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones.”
The assessment comes amid serious concerns about US government intrusion into the privacy of European citizens following revelations about the US computer surveillance system PRISM, which has allegedly been used by the US National Security Agency (NSA) to monitor and gather large volumes of information from internet and telephone communications.
Vice President Reding’s announcement also follows the launch of an inquiry earlier in July by the European Parliament’s civil liberties committee into the US surveillance programmes, including the bugging of EU premises and other spying allegations.
Why this matters:
Background to Safe Harbor
The EU-US Safe Harbor framework (“Safe Harbor”) has been in place since 2000 when it was agreed between the US Department of Commerce and the European Commission to allow transfers of personal data between the European Union and the US. Safe Harbor allows any US companies (with some exceptions in financial services and telecoms sectors) to self-certify their compliance with seven Safe Harbor privacy principles, which are broadly based on the core aspects of the EU Data Protection Directive 95/46/EC (the “Directive”).
The US government publishes a list of companies which have signed up. Ultimately the Federal Trade Commission will take enforcement action against companies who make misrepresentations to consumers or commit deceptive acts such as announcing a particular set of privacy policies and practices and then not abiding by them. Their involvement can mean fines and also bad publicity but there have been very few publicised cases of enforcement.
Safe Harbor is one of several possible solutions that companies can use to transfer personal data outside of the European Economic Area when they would otherwise be prohibited from doing so by Article 25 of the Directive. Article 25 states that a “transfer may take place only if … the third country in question ensures an adequate level of protection”. In the UK there are equivalent provisions contained in the 8th principle of the Data Protection Act 1998.
Companies may be using Safe Harbor in a variety of contexts. For example, to transfer employee information to a US parent company or to transfer consumer information so it can be processed by a US subcontractor.
However, Safe Harbor is not the only solution to “adequacy” and companies can also use one of the EC approved Model Clauses, which contractually impose the obligations contained within the Directive on companies importing personal data. Alternatively, Binding Corporate Rules (BCRs) may be adopted for intra-group company transfers, where they are often more appropriate than Safe Harbor if there are a number of group companies and jurisdictions involved. BCRs allow companies to develop their own framework to meet their organisation’s requirements, provided that it meets minimum standards. They must be approved by all relevant data protection authorities.
Many companies currently use Safe Harbor, and so any change to the conditions under which Safe Harbor can be used, or, in a worst case scenario, its withdrawal, would force those companies to re-assess their data transfer solutions and put in place another means of transferring personal data.
However, it is unlikely that the European Commission would suddenly withdraw Safe Harbor and any changes would likely arise during the process of agreeing the new European Data Protection Regulation.
Whilst there are rumours of a shift away from using US companies particularly for cloud based services where this means that personal data may be transferred, there are other legal means of transferring data available, and so predictions of a surge in business for European-based service providers may be exaggerated. Having said that, some US companies have been exploring setting up European data centres to allay customer fears and mistrust about data leaving Europe.
The German position
From a German perspective, concerns about Safe Harbor are not new and in 2010 additional prerequisites were introduced for companies exporting personal data using Safe Harbor. This meant that German companies have been required to assess and document certain criteria applied by US-based recipients of data prior to transfer.
In July 2013, the Düsseldorfer Kreis, a working group of representatives from Germany’s sixteen state data protection authorities that aims to achieve a uniform approach to data protection questions under German law, upped the ante by issuing a press release stating that they would no longer approve any export of data to the USA using Safe Harbor. In addition, they asked both the German government and the European Commission to review not only Safe Harbor but also the EC Model Clauses.
Despite the press release the legal position has not changed for German companies. Those relying on Safe Harbor do not have to obtain any official approval or registration to use it and so for now, the press release is a strong political statement without any practical effect. Whilst it demonstrates the increasing scepticism of German authorities with regard to Safe Harbor, German authorities cannot overrule the European Commission’s decision that Safe Harbor provides an adequate ground for exporting personal data.
Article 29 Working Party Perspective
The Article 29 Working Party has also signalled its concerns about PRISM in a letter to Vice President Reding in which it also highlights the possibility for competent authorities in Member States to suspend data flows otherwise permitted under Safe Harbor “in cases where there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.”
The French position
In France, the French Data Protection Authority, the CNIL, also announced in June that it had created an internal working group to study the privacy issues arising from access of the personal data of French citizens by foreign public authorities and a summary of their findings is expected in September 2013. On 28 August 2013 the Paris prosecutor’s office explained that it had launched a preliminary investigation to decide whether there is enough evidence to open a formal investigation.
The investigation follows complaints from the International Federation for Human Rights (FIDH) and the French Human Rights League (LDH) regarding “fraudulent access to an automated data processing system, collection of personal data by fraudulent means and wilful violation of the intimacy of private life.”
The future of Safe Harbor
Finally, the European Commission assessment of Safe Harbor is being carried out at the same time as pressure mounts to agree and finalise the contents of the new EC Data Protection Regulation proposed in January 2012. According to the UK’s Deputy Information Commissioner, David Smith, the process could be impacted by concerns about US surveillance, which may “spur on a renewed drive to agree the Regulation in the autumn but equally they could be another complication making agreement even more difficult to achieve.” Smith explained that “any belief that changes to the text of the draft Regulation can somehow prevent the US authorities from gaining access to the personal data of EU citizens must be mistaken [because t]his is an issue that goes much wider than data protection law.”
The review highlights another weakness in using Safe Harbor as a data transfer solution and may signal time for companies using it to review their data transfer solutions. Other reasons why Safe Harbor may not be suitable include the inability to use Safe Harbor if there are any onward transfers from the US data importing company without taking additional compliance steps. In a service provision context, companies already have to work to convince partners and customers that Safe Harbor meets their concerns in the face of existing attitudes of European data protection regulators. The review announced by Vice President Reding may increase reluctance to use Safe Harbor especially if its future is uncertain.