On November 27, 2013, the European Commission published an analysis of the EU-U.S. Safe Harbor Framework, as well as other EU-U.S. data transfer agreements. The analysis includes the following documents:
A communication on rebuilding trust in EU-U.S. data flows;
A report on the findings of the EU-U.S. Working Group tasked with analyzing conflicts between EU and U.S. data protection laws (an electronic copy of the report is not yet available but the main findings are summarized in Section 7 of the European Commission’s press release).
The European Commission’s analysis of the Safe Harbor Framework concludes that the current Framework lacks transparency and active enforcement, resulting in some Safe Harbor self-certified companies not complying with the Safe Harbor Principles in practice. The European Commission believes the current Safe Harbor Framework should be revised. In particular, the Commission recommends that the following issues be addressed:
The Safe Harbor Framework must become more transparent, by ensuring that:
- Safe Harbor self-certified companies publish their privacy policies;
- The website privacy policies of Safe Harbor self-certified companies link to the U.S. Department of Commerce’s Safe Harbor list;
- Safe Harbor self-certified companies publish the privacy provisions of their contracts with subcontractors and notify the U.S. Department of Commerce of onward transfers of personal data under the Safe Harbor Framework; and
- The U.S. Department of Commerce’s Safe Harbor website notes which companies’ Safe Harbor certificates are not current.
Alternative dispute resolution (“ADR”) must be embedded in the Safe Harbor Framework, by ensuring that:
- Safe Harbor-related ADR is readily available, and any participation fees are affordable to EU citizens; and
- The U.S. Department of Commerce monitors whether ADR providers are transparent and provide sufficient information regarding Safe Harbor disputes.
Compliance with the Safe Harbor Framework must be more actively enforced and audited by:
- Regularly carrying out external audits of Safe Harbor self-certified companies to assess their actual compliance with the Safe Harbor Framework and their privacy policies;
- Following up with external audits of Safe Harbor self-certified companies that were found to not be in compliance with the Safe Harbor Framework;
- Ensuring that the U.S. Department of Commerce notifies the relevant EU data protection authority if it has indications of, or has received complaints about, a Safe Harbor self-certified company’s non-compliance; and
- Carrying out ad-hoc investigations of companies that falsely claim to comply with the Safe Harbor Framework.
The circumstances under which U.S. authorities may access EU personal data processed by a Safe Harbor self-certified company must be made clear:
- The privacy policies of Safe Harbor self-certified companies must provide sufficient detail about U.S. laws requiring disclosure, and how U.S. authorities may use those laws to access EU personal data (including whether the relevant company applies any exceptions to the Safe Harbor Principles concerning U.S. national security, public interest and law enforcement); and
- The U.S. national security exception to the Safe Harbor Principles must be used only where proportionate and strictly necessary.
The amendments necessary to remedy these issues will be identified between now and the summer of 2014. This process will involve the European Commission, EU Parliament and the Council of the European Union, as well as relevant U.S. authorities. The European Commission will then review whether the identified shortcomings of the Safe Harbor Framework have been addressed adequately, and decide whether to maintain, modify, suspend or revoke its Safe Harbor Decision.
The European Commission’s joint review of the PNR Agreement concludes that there are no indications that the PNR Agreement was breached by U.S. surveillance programs. The next review of the PNR Agreement is scheduled for 2015.
Following consultations triggered by allegations that the terms of the TFTP Agreement had been breached, the European Commission concludes that no such breaches occurred. This also follows written assurances from the U.S. Government that there is no direct access to EU personal data contrary to the terms of the TFTP Agreement.
The next review of the TFTP Agreement will be carried out in spring 2014. Notably, the European Commission also concluded that there is currently no clear case for establishing a European Terrorist Finance Tracking System.
In its analysis, the European Commission also discusses the ad-hoc EU-U.S. Working Group, tasked with solving direct conflicts between U.S. and EU laws in the context of data protection (e.g., where a company is required under the USA PATRIOT Act to transfer EU personal data to the U.S. in violation of EU data protection laws). In this context, the European Commission notes that the existing mutual legal assistance treaties, as well as the umbrella agreement on international transfers of personal data for criminal investigations that is currently being negotiated, are paramount. The European Commission states that the existing mutual legal assistance treaties should be used more and that the umbrella agreement should afford EU citizens who do not reside in the U.S. with some legal standing and access to legal redress in the U.S.
Finally, the European Commission emphasizes the importance of the proposed EU General Data Protection Regulation in the context of international data transfers, calling for the adoption of the proposed Regulation by spring 2014.