Although there are alternative tools authorising data flows to the US (see DLA Piper’s previous Privacy Matters blog post to view the European Commission’s latest guidance on this matter), the Commission considers that a renewed and sound safe harbor framework is the most comprehensive solution for ensuring the protection of EU personal data when it is transferred to the US. In this respect, the Commission will continue to negotiate a renewed framework for transatlantic transfers of personal data and the objective is to conclude discussions with the US government within three months.
Already in 2013, the Commission started negotiations with the US government on a new arrangement for transatlantic data transfers based on 13 recommendations which fall into four categories:
- Self-certified companies should publicly disclose their privacy policies.
- Privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbour website which lists all the ‘current’ members of the scheme.
- Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.
- Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.
- The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel.
- ADR should be readily available and affordable.
- Department of Commerce should monitor more systematically ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.
- Following the certification or recertification of companies under the Safe Harbour, a certain percentage of these companies should be subject to ex officio investigations of effective compliance of their privacy policies (going beyond control of compliance with formal requirements).
- Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year.
- In case of doubts about a company’s compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.
- False claims of Safe Harbour adherence should continue to be investigated.
Access by US authorities
- Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.
- It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate.
Now that the Safe Harbor decision has been declared invalid, the Commission has intensified talks with the US government to ensure that the legal requirements formulated by the Court are complied with. Until this renewed transatlantic framework is in place, companies need to rely on the alternative transfer tools available.