The European Commission has identified the need for it to engage with US authorities as a matter of urgency to discuss shortcomings in the Safe Harbour regime, which allows organisations in the EU to legally transfer personal data to the US. It is not yet clear what changes will be made to the Safe Harbour scheme, but the clear message conveyed by the European Commission is that it needs to be strengthened and improvements made to enforcement and transparency. Any changes to Safe Harbour will impact on EU and US organisations that rely on it as part of their data privacy strategy.
The EU Data Protection Directive provides that personal data must not be transferred outside Europe unless the data will be adequately protected in the recipient country. Data can be legally transferred to the US if the recipient organisation participates in Safe Harbour. This requires them to have self-certified that they will handle the data in accordance with the Safe Harbour principles, the objective of which is to guarantee that the data will be protected in the same way that it would if it had never been transferred outside the EU. The Safe Harbour programme has been in place since 2000 and over 3000 US organisations now participate.
The European Commission’s call to US authorities to engage in talks came in a Communication – full title Communication from the Commission to the European Parliament and the Council – Rebuilding Trust in EU-US Data Flows. The Communication was prompted by revelations of large scale US intelligence gathering exercises (known as PRISM), involving the personal data of EU citizens, much of which had been transferred to the US relying on Safe Harbour. In its Communication, the Commission identifies the connection between the US Government surveillance and data held by US internet companies and the potential negative economic impact of the revelations as a result of a new lack of trust by EU citizens in using Internet services. The Commission identifies a lack of compliance with Safe Harbour principles, but having examined the options has decided to work with the US authorities with a view to strengthening the regime and creating a more effective enforcement programme.
The Commission expressly recognised the economic importance of the Safe Harbour scheme and therefore declined to use its powers to revoke or suspend Safe Harbour. However, it made express reference to these powers, indicating that they could still be exercised should US authorities decline to co-operate in a review, or if the outcome is unsatisfactory.
The Commission identified a number of the provisions of the new draft EU data protection Regulation as likely to help strengthen the regulation of personal data transferred to the US. The Regulation is not yet law, but the Commission deemed its adoption by spring 2014 more important than ever.
The outcome of the Commission’s discussions with the US authorities and the Commission’s subsequent “complete stock taking of the functioning of” the Safe Harbour scheme is expected by summer 2014. The future regulation of transatlantic data transfers remains uncertain as a consequence of this review, the draft EU data protection Regulation and the ever-fluctuating political context in this area. Future developments will be reported here.