European Parliament’s Civil Liberties Committee Report calls for immediate suspension of Safe Harbor
A draft report by the European Parliament’s Civil Liberties Committee (the LIBE Committee) indicates that it is attempting to fundamentally alter the existing compliance mechanisms for transferring personal data from Europe. The recently leaked draft is dated December 23, 2013 and expresses the LIBE Committee’s response to the U.S. NSA surveillance programs, surveillance in various EU Member States and the impact on EU citizens’ fundamental rights and on transatlantic cooperation (the Report).
The Report sets out a series of aggressive recommendations that could limit access to personal data regarding European citizens as part of governmental mass surveillance and may affect the ability of corporations to transfer information across EU borders if they are alleged to be involved in such surveillance. The recommendations, if implemented, would not only likely lead to severe restrictions in data flows between the EU and the U.S. and the rest of the world but would also likely have a significant impact on the day-to-day business operations of many international businesses, including in particular IT and telecommunications companies, social media and e-commerce companies, cloud providers and many others. Accordingly, it is important that businesses are aware of the recommendations and follow the discussions on the recommendations over the next few months.
The Report follows a series of meetings and public hearings held by the LIBE Committee on surveillance activities. The LIBE Committee has indicated in the Report that it intends to submit the recommendations to EU citizens, European Institutions and Member States after the European Parliamentary elections in May 2014. The recommendations would form part of a priority plan involving the creation of a European right of “Digital Habeas Corpus” for protecting privacy. A summary of some of the main recommendations follows:
- Calls on the U.S. authorities and the EU Member States to prohibit blanket mass surveillance activities and bulk processing of personal data;
- Calls on certain EU Member States including the UK, Germany, France, Sweden and the Netherlands, to revise where necessary their national legislation and practices governing the activities of their own intelligence services;
- Calls on EU Member States to take appropriate action immediately, including court action, against the perceived breach of their sovereignty allegedly perpetrated through mass surveillance programs; and
- Calls on the U.S. to revise its legislation so that it is in line with the Committee’s view of international law and expressly recognizes the privacy and other rights of EU citizens.
International transfers of data
- Considers that large-scale access by U.S. intelligence agencies to EU personal data processed under the Safe Harbor does not fall within the criteria for the “national security” exception / designation;
- Would consider that the U.S./EU Safe Harbor principles do not provide adequate protection for EU citizens and that transfers should be carried out under the EU’s contractual clauses or Binding Corporate Rules (BCRs);
- Calls on the Commission to immediately suspend Commission Decision 520/2000 which approved the Safe Harbor privacy principles and related FAQs issued by the U.S. Department of Commerce;
- Calls on EU Data Protection Authorities to suspend data flows to an organization that has self-certified its adherence to the U.S. Safe Harbor Principles and to require that such data flows are carried out only under other instruments such as the EU’s contractual clauses; and
- Calls on the Commission to present by June 2014 a comprehensive assessment of the U.S. privacy framework covering commercial, law enforcement and intelligence activities.
- Calls on the Commission and the Member States to assess without delay whether the determination of adequacy of the laws in New Zealand and Canada has been affected by the involvement of their national intelligence agencies in the mass surveillance of EU citizens, and, if necessary, suspend or reverse the adequacy decisions.
Contractual clauses and other instruments
- Calls on EU Member States to prohibit or suspend data flows to third countries also based on the EU’s standard contractual clauses or BCRs in certain jurisdictions, which may include jurisdictions that have provisions such as the USA PATRIOT Act. The targeted jurisdictions would be those where the law to which the data importer is subject imposes requirements that go beyond the restrictions deemed necessary in a democratic society and which are likely to have a substantial adverse effect on the guarantees provided by the applicable data protection law and the standard contractual clauses, or because continuing transfer would create an imminent risk of grave harm to the data subjects; and
- Calls on the Article 29 Working Party to issue guidelines and recommendations on the safeguards and protections that contractual instruments should contain in light of third country laws on intelligence and national security and the involvement of the companies with mass surveillance activities.
Mutual Legal Assistance Agreement
- Calls on the Commission to conduct before the end of 2014 an in-depth assessment of the existing 2003 EU-U.S. Mutual Legal Assistance Agreement in criminal matters to verify its practical implementation.
TFTP and PNR Agreements
- Asks the Commission to suspend the Terrorist Finance Tracking Program (TFTP) Agreement and to react to concerns that passenger name record (PNR) data are saved in cloud systems in the U.S.
Umbrella agreement on data protection in the field of police and judicial cooperation (Umbrella Agreement)
- Asks to resume negotiations with the U.S. on the “Umbrella Agreement” which should provide for clear rights for EU citizens and effective and enforceable administrative and judicial remedies in the U.S. without any discrimination against EU citizens (that is, treatment as “non-U.S. persons”);
- Asks the Commission and the Council not to initiate any new sectorial agreements or arrangements for the transfer of personal data for law enforcement purposes without an “Umbrella Agreement”; and
- Urges the Commission to report on the negotiation of this Umbrella Agreement.
Data Protection Reform
- Calls for acceleration of the pending EU Data Protection Regulation to allow for its adoption in 2014.
- Notes that trust in U.S. cloud computing and cloud providers has been negatively affected by mass surveillance and emphasizes the development of European cloud to ensure a high level of data protection;
- Reiterates its serious concerns about compulsory direct disclosures of EU personal data processed under cloud agreements to third country authorities by cloud providers and remote access to personal data by third country law enforcement and intelligence services; and
- Calls for speeding up work on the establishment of a European Cloud Partnership.
Transatlantic Trade and Investment Partnership Agreement (TTIP)
- Strongly emphasizes that the European Parliament should consent to the final TTIP agreement only if the agreement fully respects fundamental rights recognized by the EU Charter, and that the protection of the privacy of individuals in relation to the processing and the dissemination of personal data must be governed by Article XIV of the GATS.
EU IT Security
- Calls on the Commission, standardization bodies and ENISA, by September 2014, to develop minimum security and privacy standards and guidelines for IT systems, networks and services, including cloud computing services, in order to better protect EU citizens’ personal data; and
- States that both telecom companies and the EU and national telecom regulators have clearly neglected the IT security of their users and clients; calls on the Commission to make full use of its existing powers under the ePrivacy and Telecommunication Framework Directive to strengthen the protection of confidentiality of communication by adopting measures to ensure that terminal equipment is compatible with the right of users to control and protect their personal data, as well as to ensure a high level of security of telecommunication networks and services, including by way of requiring state-of-the-art encryption of communications.