USA to strengthen Safe Harbour framework for data transfers
March 28, 2014
The Safe Harbour arrangements, in place since 2000, governing the transfer of personal data from the European Union to the United States of America (the “USA”) have been an imperfect vehicle for ensuring that personal information transferred to US organisations is processed, protected and moved to a standard consistent with EU Directive 95/46/EC. In November 2013 the European Commission issued quite a critical report on the functioning of the Safe Harbour arrangements. It is found here. For practitioners in the privacy field it is a very useful and informative document. Its conclusions and recommendations are:
Since its adoption in 2000, Safe Harbour has become a vehicle for EU-US flows of personal data. The importance of efficient protection in case of transfers of personal data has increased due to the exponential increase in data flows central to the digital economy and the very significant developments in data collection, processing and use. Web companies such as Google, Facebook, Microsoft, Apple and Yahoo have hundreds of millions of clients in Europe and transfer personal data for processing to the US on a scale inconceivable in the year 2000 when the Safe Harbour was created.
Relatively transparent information in this respect is provided by some European companies in Safe Harbour. For example Nokia, which has operations in the US and is a Safe Harbour member, provides the following notice in its privacy policy: “We may be obligated by mandatory law to disclose your personal data to certain authorities or other third parties, for example, to law enforcement agencies in the countries where we or third parties acting on our behalf operate.”
Due to deficiencies in transparency and enforcement of the arrangement, specific problems still persist and should be addressed:
a) transparency of privacy policies of Safe Harbour members,
b) effective application of Privacy Principles by companies in the US, and
c) effectiveness of the enforcement.
Furthermore, the large-scale access by intelligence agencies to data transferred to the US by Safe Harbour certified companies raises additional serious questions regarding the continuity of data protection rights of Europeans when their data is transferred to the US.
On the basis of the above, the Commission has identified the following recommendations:
Transparency
- Self-certified companies should publicly disclose their privacy policies. It is not sufficient for companies to provide the Department of Commerce with a description of their privacy policy. Privacy policies should be made publicly available on the companies’ websites, in clear and conspicuous language.
- Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbour website which lists all the ‘current’ members of the scheme. This will allow European data subjects to verify immediately, without additional searches, whether a company is currently a member of the Safe Harbour. This would help increase the credibility of the scheme by reducing the possibilities for false claims of adherence to the Safe Harbour. The Department of Commerce has started in March 2013 to request this from companies, but the process should be intensified.
- Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services. Safe Harbour allows onward transfers from Safe Harbour self-certified companies to third parties acting as “agents”, for example to cloud service providers. According to our understanding, in such cases the Department of Commerce requires self-certified companies to enter into a contract. However, when entering such a contract, a Safe Harbour company should also notify the Department of Commerce and be obliged to make public the privacy safeguards.
- Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme. The label “Not current” on the Department of Commerce list of Safe Harbour members should be accompanied by a clear warning that a company is currently not fulfilling Safe Harbour requirements. However, in the case of “Not current” the company is obliged to continue to apply the Safe Harbour requirements for the data that has been received under Safe Harbour.
Redress
The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel. This will allow European data subjects to contact immediately the ADR or EU panel in case of problems. The Department of Commerce has started in March 2013 to request this from companies, but the process should be intensified.
ADR should be readily available and affordable. Some ADR bodies in the Safe Harbour scheme continue to charge fees from individuals – which can be quite costly for an individual user – for the handling of the complaint ($ 200-250). By contrast, in Europe access to the Data Protection Panel foreseen for solving complaints under the Safe Harbour, is free.
The Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints. This makes the dispute resolution an effective, trusted mechanism providing results. It should also be reiterated that publication of findings of non-compliance should be included within the range of mandatory sanctions of ADRs.
Enforcement
Following the certification or recertification of companies under the Safe Harbour, a certain percentage of these companies should be subject to ex officio investigations of effective compliance of their privacy policies (going beyond control of compliance with formal requirements).
Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year.
In case of doubts about a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
False claims of Safe Harbour adherence should continue to be investigated. A company claiming on its website that it complies with the Safe Harbour requirements, but is not listed by the Department of Commerce as a ‘current’ member of the scheme, is misleading consumers and abusing their trust. False claims weaken the credibility of the system as a whole and therefore should be immediately removed from the companies’ websites.
Access by US authorities
Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.
It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate.
That was followed up by a very pointed speech, titled A data compact for Europe, given by Viviane Reding, Vice-President of the European Commission, on 28 January 2014, where she stated, amongst other matters:
First, we must make Safe Harbour safer. The Commission has made 13 concrete recommendations. 13 ways to improve all aspects of the functioning of Safe Harbour. Let me put it simply: we kicked the tyres and saw that repairs are needed. For Safe Harbour to be fully roadworthy the U.S. will have to service it. This summer, we will see how well those repairs were carried out. Safe Harbour has to be strengthened or it will be suspended.
Secondly, we have to agree on strong data protection rules in the law enforcement context. We need a robust EU-U.S. data protection agreement in the law enforcement sector (the so-called Umbrella Agreement) which ensures EU citizens keep their rights when their data is processed in the U.S. This is not theory. What if your name is identical to that of a suspect in a transatlantic criminal investigation? Your data accidentally gets collected and included on a U.S. black list. You should be able to have it deleted by the authorities – if necessary by a judge – once the mistake is discovered. Europeans (and Americans) have those rights in the EU. They should have them when their data is exchanged with the U.S.
Thirdly, we must ensure that European concerns are addressed in the reform of U.S. surveillance programmes. President Obama’s speech just 10 days ago is a step in the right direction. He recognised that the current data collection programmes go too far. New limits on bulk data collection will be imposed. He also responded to a long-standing request from the European Commission, namely to give European citizens who do not live in the U.S. rights and protection when their data is being processed across the Atlantic. In his Presidential Policy Directive, President Obama gave clear instructions for current safeguards that apply to U.S. citizens – such as the principle of data minimisation and retention – to in future be available to “all persons, regardless of their nationality or wherever they might reside”.
The United States of America and the European Union issued a joint statement yesterday regarding a range of matters but specifically an improvement of the Safe Harbour Provisions. The statement is found here.
It provides at paragraph 12:
The transatlantic digital economy is integral to our economic growth, trade and innovation. Cross border data flows are critical to our economic vitality, and to our law enforcement and counterterrorism efforts. We affirm the need to promote data protection, privacy and free speech in the digital era while ensuring the security of our citizens. This is essential for trust in the online environment.
and 14:
Data protection and privacy are to remain an important part of our dialogue. We recall the steps already taken, including the EU-US ad hoc Working Group, and take note of the European Commission Communication of 27 November 2013 and President Obama’s speech and Policy Directive of 17 January 2014. We will take further steps in this regard. We are committed to expedite negotiations of a meaningful and comprehensive data protection umbrella agreement for data exchanges in the field of police and judicial cooperation in criminal matters, including terrorism. We reaffirm our commitment in these negotiations to work to resolve the remaining issues, including judicial redress. By ensuring a high level of protection of personal data for citizens on both sides of the Atlantic, this agreement will facilitate transfers of data in this area. The United States and the EU will also boost effectiveness of the Mutual Legal Assistance Agreement – a key channel of cooperation in the digital era. In addition, we are committed to strengthening the Safe Harbour Framework in a comprehensive manner by summer 2014, to ensure data protection and enable trade through increased transparency, effective enforcement and legal certainty when data is transferred for commercial purposes.