As part of an on-going debate on the European data protection reform, doubts were cast over the adequacy of the Safe Harbor arrangements with the United States. Viviane Reding, the European Commissioner for Justice, Fundamental Rights and Citizenship, called the 13-year-old data-sharing agreement between the EU and the United States a potential “loophole for data transfers,” which does not provide adequate protection. “The Safe Harbour agreement may not be so safe after all,” she said when announcing a review of the cross-Atlantic agreement.
The existing General Data Protection Directive prohibits cross-border transfers of personal data to countries not recognised as providing adequate protection for the processing of personal data, unless certain mechanism are in place. The U.S.-EU Safe Harbor Framework attempts to transpose European data protection law into that of the United States, such data transferred to companies certifying adherence to the framework as deemed to provide adequate protection for the processing of personal data. Currently, around 3,000 companies have voluntarily joined the programme by subscribing to a binding set of data transfer rules.
EU officials have raised two criticisms. First, whether Safe Harbor actually provides adequate protection. Second, whether companies certified to Safe Harbor actually observe the principles. Past studies have shown organisations falsely claiming to have certified to Safe Harbor, as well as only a fraction of organisations fully complying with Safe Harbor requirements in practice.
The U.S. Federal Trade Commission (FTC), the body responsible for enforcing the Safe Harbor, recently increased its enforcement action to ensure compliance with Safe Harbor, including by requiring annual audits of Twitter, Google, Facebook and MySpace. However, the EU officials and representatives of some European data protection authorities doubt whether this is enough to make Safe Harbor work in its current form.
Article 3 of the U.S.-EU Safe Harbor Agreement allows the European Commission to reverse or suspend the agreement. Referring to this provision, the European Parliament requested that the European Commission conduct a full review of Safe Harbor. Ms. Reding has confirmed that she plans to present a comprehensive assessment of Safe Harbor before the end of the year. Companies relying on Safe Harbor may need to audit their adherence to the framework, or even to consider implementing other mechanisms for ensuring adequate protection for data transfers, including binding corporate rules.