On 27 November 2013, the European Commission (“Commission”) confirmed the steps it requires the US to take in order to restore trust in the Safe Harbor framework following the uncovering of mass US government surveillance of EU citizens’ personal data stored in the US.

Overview of Safe Harbor

The aim of Safe Harbor is to provide an adequate level of protection for personal data transferred to the US by EU businesses in order to satisfy the restrictions under the Data Protection Directive (95/46/EEC) (“Directive”) on transferring personal data to countries outside of the European Economic Area (“EEA”). However, the US is not a country approved by the Commission as providing an adequate level of protection for this purpose.

The Safe Harbor framework was therefore developed by the Commission and the US Department of Commerce to allow for the transfer of personal data from the EEA to companies in the US which self-certify that they implement data protection measures meeting prescribed EU standards. Safe Harbor has been in effect since 2000.

Review of Safe Harbor

The Commission ordered a review of the Safe Harbor framework in September 2013 following the revelations that large-scale US intelligence collection programmes (principally, the PRISM programme) had led to the US government having unauthorised access to personal data relating to millions of EU citizens that was stored in the US by global US-based online service providers including Google, Facebook and Microsoft.

Following the review, the Commission has now published:

  1. Strategy Paper: on transatlantic data flows setting out the challenges and risks following the revelations of U.S. intelligence collection programmes, as well as the steps that need to be taken to address these concerns;
  2. Analysis: of the functioning of 'Safe Harbour' which regulates data transfers for commercial purposes between the EU and U.S.; and
  3. Report: on the findings of the EU-US Working Group on Data Protection which was set up in July 2013.

Steps for restoring trust

Referring to the “window of opportunity to rebuild trust”, the Commission has called for action to be taken in the following six areas in order to maintain the continuity of data flows between the EU and US:

  1. Adopt the proposed EU data protection reforms by Spring 2014;
  2. Make Safe Harbor safer through the US identifying, by Summer 2014, remedies to the 13 recommendations made by the Commission (see the Report);
  3. Strengthen data protection safeguards in the law enforcement area through agreeing the proposed “umbrella agreement” on police and judicial cooperation between the EU and US;
  4. Use the existing Mutual Legal Assistance and Sectoral agreements for US authorities to obtain data;
  5. Address European concerns in the on-going US process of reviewing the national security authorities’ activities; and
  6. Promote privacy standards internationally through US accession to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

WAB Comment

For the more than 3,000 US companies already self-certified under the Safe Harbor framework the Commission’s decision to set out steps to be taken by the US by Summer 2014 to restore trust in Safe Harbor, rather than to unilaterally suspend or revoke the framework now, will be welcome news indeed.

Yet the longer-term fate of the Safe Harbor framework will not depend only on the extent to which the EU considers the US to have satisfied these steps. The proposed General Data Protection Regulation (“Regulation”) will significantly raise the compliance threshold for processing personal data relating to EU citizens and has from its inception envisaged a “sunset period” whereby the principal means currently available for satisfying the data transfer restriction under the Data Protection Directive (including Safe Harbor, approved “White List” countries, model contractual clauses and binding corporate rules) will, unless they are amended or replaced, cease to have effect following a certain period after the Regulation comes into force. This reinforces the need for US companies which rely on Safe Harbor (as well as their EU-based corporate customers) to prepare for the possibility that the Safe Harbor framework will in any event need to be revised in the coming years to satisfy the higher standards of data protection required by the Regulation.