The European Commission has published Communications on Rebuilding Trust in EU-US Data Flows and on the Functioning of Safe Harbor. The Communications were released as a result of deepening concerns following the allegations of widespread access by U.S. intelligence agencies to personal data.

 The European Commission has called for action in six areas, including:-  

  1. Adoption of the EU’s draft Data Protection Regulation by Spring 2013;
  2. Improvement of the functioning of the Safe Harbour scheme (which provides a legal basis for the transfers of personal data from the EU to companies in the U.S. for commercial purposes);
  3. Swift conclusion of the current negotiations on the "umbrella agreement" for transfers and processing of data in the context of police and judicial co-operation;
  4. Use by the U.S. administration of the existing Mutual Legal Assistance and Sectoral agreements, whenever transfers of data are required for law enforcement purposes;
  5. Extension of the legal safeguards available to U.S. citizens to EU citizens, not resident in the U.S; and
  6. Accession by the U.S. to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (as it acceded to the 2001 Convention on Cybercrime).

Safe Harbour Improvements

The Commission made 13 recommendations to improve the functioning of the Safe Harbour scheme, including:-

  • Making the Safe Harbour more transparent (eg. by requiring self-certified companies to publicly disclose their privacy policies, and the privacy conditions of any contracts they conclude with sub-contractors);
  • Embedding ADR in the Safe Harbor scheme (eg. by ensuring that all Safe-Harbour self-certified companies should offer an ADR mechanism in their privacy policy and link to an ADR provider);
  • Actively enforcing and auditing compliance with the Safe Harbour scheme (eg. by subjecting a certain percentage of companies to ex officio investigations); and
  • Clarifying the circumstances under which U.S. authorities may access EU personal data processed by a Safe Harbour self-certified company.

The European Commission is calling on U.S. authorities to remedy these issues by summer 2014.  The Commission will then review whether the shortcomings of the Safe Harbour scheme have been addressed adequately, and decide whether to maintain, suspend or revoke the scheme.

The European Commission’s Press Release on Rebuilding Trust in EU-US Data Flows is available here