EU Commission critical of US Safe Harbor programme

06 January 2005

Emilia Linde

The EU Commission has invited data protection authorities to suspend data flows to the US, should they find that there is a substantial likelihood that Safe Harbor principles are being violated. Whilst encouraged by the fact that an increasing number of companies have signed up to the Safe Harbor programme, the report published by the Commission on 25 October 2004 suggests serious shortcomings in compliance. Does that mean that America’s answer to European data protection requirements has lost its credibility for good?

Background

The EC Directive on Data Protection prohibits transfers of personal data to countries outside the EU that are unable to offer adequate protection. The Safe Harbor programme is a scheme negotiated between the US Department of Commerce and the EU Commission. The Commission recognises that US entities which publicly sign up to the scheme will offer appropriate protection to personal data. As a result, data transfers to such organisations are lawful.

The Safe Harbor Principles

Organisations that adopt the Safe Harbor scheme must, amongst other things, provide notice to data subjects about the collection of data, the purposes of processing and potential intended transfers. They must provide individuals with the possibility to opt out of disclosure of their personal data to third parties. In addition, companies relying on this scheme must ensure that individuals have access on a reasonable basis to all information that might be held about them. Furthermore, organisations are required to agree that individuals’ complaints will be heard by either an Alternative Dispute Resolution body or an EU panel, and to state this in their privacy policy. This may all sound promising in theory, but does it work in practice?

The Commission’s Report

Four years after the implementation of the programme, the Commission has published its review of the adequacy of the Safe Harbor programme. The Commission notes that a substantial number of companies failed to produce publicly available privacy policies. In some instances policies were published on the companies’ intranet pages, and in other cases they were not published at all. Of those privacy policies that were available to the public, a substantial number failed to describe the processing operations clearly. In a number of other cases, companies failed to give individuals the choice to opt out of disclosures to third parties, whereas other organisations failed to provide individuals with access to information held about them. Lastly, many companies failed to identify bodies responsible for hearing individuals’ complaints. These shortcomings are serious: unless safe harborites publish appropriate privacy policies, the US Federal Trade Commission (the “FTC”), which is responsible for enforcing Safe Harbor, is unable to take enforcement action. The report thus suggests a number of shortcomings in the system. But how, if at all, may these shortcomings be remedied?

Recommendations

The Commission makes a number of recommendations. First and foremost, it encourages the FTC to produce guidance on what constitutes “publicly available policies.” Secondly, it urges the FTC to take a more interventionist role where necessary, and thirdly to take a more proactive role in encouraging data subjects to protect their rights whenever possible.

Conclusion

Whether or not the Safe Harbor system will regain its credibility remains to be seen. Should no notable improvements take place within a reasonable time, data flows to the US may have to be suspended. In the meantime, organisations which transfer personal data to harborites should take steps to check that the harborite is meeting its obligations. This could include:

  • requiring the harborite to provide a copy of its privacy policy
  • requiring audit rights and / or requiring the harborite to provide a copy of its audit reports
  • ensuring that there is a right to terminate any data transfer agreement and to require the transferee to destroy or return transferred data if the transferee fails to comply with the Safe Harbor principles, if an EU supervisory authority prohibits the transfer of personal data to the transferee and / or if the Commission revokes its approval of the Safe Harbor