The EU Commission has invited data protection authorities to suspend data flows to the US should they find a substantial likelihood that the Safe Harbor principles are being violated. Whilst encouraged by the fact that an increasing number of companies have signed up to the Safe Harbor programme, the report published by the Commission on 25 October 2004 suggests serious shortcomings in compliance. Does that mean that America’s answer to European data protection requirements has lost its credibility for good?
The EC Directive on Data Protection prohibits transfers of personal data to countries outside the EU that are unable to offer adequate protection. The Safe Harbor programme is a scheme negotiated between the US Department of Commerce and the EU Commission. The Commission recognises that US entities which publicly sign up to the scheme will offer appropriate protection to personal data, so that data transfers to such organisations are lawful.
The Safe Harbor Principles
The Commission’s Report
Four years after the implementation of the programme, the Commission has published its review of the adequacy of the Safe Harbor programme. The Commission notes that a substantial number of companies failed to produce publicly available privacy policies. In some instances policies were published only on the companies’ intranet pages, and in other cases they were not published at all. Of those privacy policies that were available to the public, a substantial number failed to describe the processing operations clearly. In a number of other cases, companies failed to give individuals the choice to opt out of disclosures to third parties, whereas other organisations failed to provide individuals with access to the information held about them. Lastly, many companies failed to identify the bodies responsible for hearing individuals’ complaints. These shortcomings are serious: unless safe harborites publish appropriate privacy policies, the US Federal Trade Commission (the “FTC”), which is responsible for enforcing Safe Harbor, is unable to take enforcement action. The report thus points to a number of shortcomings in the system. But how, if at all, may these shortcomings be remedied?
The Commission makes a number of recommendations. First and foremost, it encourages the FTC to produce guidance on what constitutes a “publicly available policy.” Secondly, it urges the FTC to take a more interventionist role where necessary, and thirdly to take a more proactive role in encouraging data subjects to protect their rights whenever possible.
Whether or not the Safe Harbor system will regain its credibility remains to be seen. Should no notable improvements take place within a reasonable time, data flows to the US may have to be suspended. In the meantime, organisations which transfer personal data to harborites should take steps to check that the harborite is meeting its obligations. This could include:
ensuring that there is a right to terminate any data transfer agreement, and to require the transferee to destroy or return the transferred data, if the transferee fails to comply with the Safe Harbor principles, if an EU supervisory authority prohibits the transfer of personal data to the transferee, and/or if the Commission revokes its approval of the Safe Harbor programme