The "safe harbor" arrangement, which as a result of this Decision will be fully up and running by November, is the result of more than two years of dialogue between the Commission and the US Department of Commerce. The dialogue was launched to head-off the possibility that data transfers to the US might be blocked following the entry into force in 1998 of the EU's Data Protection Directive, which provides that personal data can only be transferred to third countries providing "adequate protection".
Under the "safe harbor", US companies can voluntarily adhere to a set of data protection principles recognised by the Commission as providing adequate protection and thus meet the requirements of the Directive as regards transfers of data out of the EU.
Internal Market Commissioner Frits Bolkestein said, "The Decision on the ‘safe harbor’ is a very positive development. It provides a framework within which personal data transferred to the US will be better protected, while at the same time making transfers simpler for both EU and US businesses."
The US takes a sectoral approach to data protection which has produced a patchwork of federal and state laws and self-regulatory programmes. The US has not up to now wished to enact generally applicable data protection laws on the lines of the EU Directive for its private sector. Although participation in the "safe harbor" is optional, its rules are binding for those US companies that decide to join, and compliance with the rules is backed up by the law enforcement powers of the Federal Trade Commission and (for airlines) of the US Department of Transportation. The Commission's adequacy finding is binding on all 15 Member States.
Prior to the "safe harbor", personal data have already been flowing to the US, sometimes legally, sometimes illegally. By providing a simple framework for data transfers to the US, the "safe harbor" will reduce such circumvention as well as ensuring adequate protection for transferred data and setting a standard in the US which will pull data protection standards there upwards.
Data transfers to US organisations that choose to remain outside the "safe harbor" will normally still be possible, but will either need to benefit from one of the allowed exceptions (for example where the individuals concerned have given their agreement), or will require alternative safeguards such as a contract.
The Commission is working with the Member States, the data protection authorities and the private sector, to devise model contracts which will simplify that method of protection.
EU data exporters wishing to check whether their intended US recipient enjoys "safe harbor" status will be able to refer to a publicly-available list maintained by the Department of Commerce (or somebody it designates for the purpose). US organisations that self-certify their adherence to the "Safe Harbor" Privacy Principles and publicly declare this will appear on the list, provided that they are subject to the jurisdiction of either the FTC or the Department of Transportation. They may lose their "safe harbor" benefits, and this will be made clear in the list, if they persistently fail to comply with the Principles.
EU citizens who have a complaint about the way their data is being handled by a US "safe harbor" participant will be able to refer this to an independent dispute resolution mechanism. Each US organisation joining the "safe harbor" will have to indicate which such mechanism it is committed to work with when it makes its initial notification to the Department of Commerce and this information will be contained in the Department's public list. In many cases, individuals will also have the option of taking the US organisation to court in the US, for example under a "misrepresentation" statute (there would be misrepresentation if a company announced a certain privacy policy and then did not respect it) or under a specific statute such as the Fair Credit Reporting Act, which covers a number of situations where financial loss might occur (e.g. refusal of a loan).
The European Parliament, in its Resolution of 5th July, expressed the view that the "safe harbor" arrangement needed to be improved as regards remedies for individuals in case of breaches of the Principles before the Commission found it offered adequate protection. The Parliament did not express the view, however, that the Commission would be exceeding its powers if it adopted the Decision. The Commission decided to go ahead with the Decision, at the same time putting the Department of Commerce on notice as regards the Parliament's concerns by informing the US side that it would re-open the discussions to seek improvements if the Parliament's fears about remedies for individuals proved to be well-founded. The Commission has already communicated the Parliament's Resolution to the US authorities.
The Member States must take the steps necessary to make the Commission's Decision effective within 90 days of its notification to them. In the US, the details of the arrangement have now been made public and the "safe harbor" will therefore be open for business from early November. US companies can join at any time, but it is recognised that many will need time to decide whether to do so and, if so, to bring their policies and practices in line with the "safe harbor" requirements.
Both Switzerland and Hungary have generally applicable data protection laws which broadly follow the same approach as the EU Directive. For this reason, the commission said that recent Decisions to find them "adequate" were comparatively straightforward and concern all personal data transfers to these countries (whereas in the case of the US, the Decision concerns only data transfers to companies and organisations adhering to the "safe harbor" principles). The Commission has also held discussions with several other non-EU countries, notably Australia, Canada and Japan and will shortly start the process of determining whether Canada's new privacy law provides "adequate protection".
See also our guide, Data Protection.