The aim of Safe Harbor is to provide an adequate level of protection for personal data transferred to the US by EU businesses. Under the Data Protection Directive (95/46/EEC) (“Directive”), which has been implemented in the UK by the Data Protection Act 1998, personal data can only be transferred to countries outside of the European Economic Area (“EEA”) if “adequate protections” have been put in place or where the destination country has been pre-approved as affording adequate data protection. As the US is not such a pre-approved country, the European Commission and the US Department of Commerce have agreed a “Safe Harbor” framework that allows personal data to be transferred from the EEA to companies in the US that implement data protection measures meeting EU standards.
The Safe Harbor agreement, which took effect at the beginning of November 2000, requires companies that sign up to Safe Harbor to adhere to the following seven principles (which are broadly similar to the principles in the Directive):
- Notice – organisations must inform individuals about the purposes for which they collect and use information about them;
- Choice – organisations must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to a third party, or used for a purpose which is incompatible with the purpose for which it was originally collected or subsequently authorised by the individual;
- Onward transfers – organisations may only disclose personal information to third parties where doing so is consistent with the principles of notice and choice;
- Access – individuals must have access to personal information about them that an organisation holds and be able to correct or amend that information where it is inaccurate;
- Security – organisations creating, maintaining, using or disseminating personal information must take reasonable measures to assure its reliability for its intended use and reasonable precautions to protect it from loss, misuse and unauthorised access, disclosure, alteration and destruction;
- Data integrity – organisations may only process personal information relevant to the purposes for which the information has been gathered; and
- Enforcement – there must be (a) mechanisms for assuring compliance with the Safe Harbor principles; (b) procedures for verifying that the commitments which companies make to adhere to the Safe Harbor principles have been implemented; and (c) obligations on organisations to remedy problems arising out of a failure to comply with the principles.
US organisations which self-certify that they conform to the requirements of Safe Harbor are deemed to have met the data protection standards laid down by the Directive. However, recent revelations about the NSA’s surveillance programme, Prism, have led many European politicians to question whether Safe Harbor creates a loophole for data transfers.
The EU Justice Commissioner said in a recent press release that “The Safe Harbour agreement may not be so safe after all. It could be a loophole for data transfers because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones.”
The Commission is working on an assessment of Safe Harbor which it will present before the end of the year.