On November 27th, 2013, the European Commission announced that it would not suspend the safe harbor agreement between the EU and the United States that has allowed cross-border personal data transfers between the two jurisdictions since 2000. The announcement followed the Edward Snowden revelations of U.S. surveillance activities, which prompted a number of public calls for suspension of the safe harbor by EU member states and statements by EU officials condemning the U.S.' reported practices.
In preserving (for now) the Safe Harbor, the EC nonetheless called for changes to U.S. governmental practices in order to "restore trust in EU-U.S. data flows." It released a Communication (strategy paper) on data flows between the regions, an analysis of how the Safe Harbor has functioned (and where it has failed), and other documents supporting its position. In the accompanying press release, the EC called for action in six key areas:
The complete collection of the EC's materials accompanying the announcement may be found here.
- A swift adoption of the EU's data protection reform: the strong legislative framework, as proposed by the European Commission in January 2012 (IP/12/46), with clear rules that are enforceable also in situations when data is transferred and processed abroad is, more than ever, a necessity. The EU institutions should therefore continue working towards the adoption of the EU data protection reform by spring 2014, to make sure that personal data is effectively and comprehensively protected (see MEMO/13/923).
- Making Safe Harbour safer: the Commission today made 13 recommendations to improve the functioning of the Safe Harbour scheme, after an analysis also published today finds the functioning of the scheme deficient in several respects. Remedies should be identified by summer 2014. The Commission will then review the functioning of the scheme based on the implementation of these 13 recommendations.
- Strengthening data protection safeguards in the law enforcement area: the current negotiations on an “umbrella agreement” (IP/10/1661) for transfers and processing of data in the context of police and judicial cooperation should be concluded swiftly. An agreement must guarantee a high level of protection for citizens who should benefit from the same rights on both sides of the Atlantic. Notably, EU citizens not resident in the U.S. should benefit from judicial redress mechanisms.
- Using the existing Mutual Legal Assistance and Sectoral agreements to obtain data: The U.S. administration should commit to, as a general principle, making use of a legal framework like the mutual legal assistance and sectoral EU-U.S. Agreements such as the Passenger Name Records Agreement and Terrorist Financing Tracking Programme whenever transfers of data are required for law enforcement purposes. Asking the companies directly should only be possible under clearly defined, exceptional and judicially reviewable situations.
- Addressing European concerns in the on-going U.S. reform process: U.S. President Obama has announced a review of U.S. national security authorities’ activities. This process should also benefit EU citizens. The most important changes should be extending the safeguards available to US citizens to EU citizens not resident in the US, increased transparency and better oversight.
- Promoting privacy standards internationally: The U.S. should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”), as it acceded to the 2001 Convention on Cybercrime.