Privacy Law and Policy Reporter
There have already been several years of negotiation between the European Commission and the United States as to how US organisations can provide ‘adequate’ privacy protection so as to avoid the imposition of personal data export prohibitions under the EU Privacy Directive.
The ‘Safe Harbor principles’ are a partial answer proposed by the US (see (1999) 6 PLPR 10). US organisations may elect to join the Safe Harbor program, complying with the information privacy principles set out therein, and being subject to the enforcement requirements of the program (as discussed below). Organisations will self-certify that they come within the program.
The outcome of the Safe Harbor negotiations is important to countries such as Australia and New Zealand. The extent to which the EU is rigorous in how ‘adequacy’ is satisfied by the US will inevitably colour the rigour with which it applies these same adequacy standards to the privacy legislation of New Zealand or Australia. One of the questions that Australian parliamentarians about to debate the proposed extensions of privacy laws to the private sector need to ask is ‘Will this law be considered adequate by the EU?’.
There is still no simple way to answer that question, but recent developments in the Safe Harbor saga show that the answers are still highly contested between different EU authorities (let alone by the US). However, the process for their resolution is underway.
Article 25.6 of the Directive gives the Commission the power to take decisions, with the support of a qualified majority of the Member States in the Committee established under art 31 (the Committee of Ministers of Member States), determining that the data protection provided by a particular third country is ‘adequate’. Such decisions are binding on the Member States.
In November 1999 the European Commission released for internal comment within EU bodies a draft decision under art 25.6 concerning the Safe Harbor proposals, but only a Summary of the draft has been made public.
The Commission states that this decision will follow a general model for decisions on adequacy (which will therefore be applicable to Australia and other countries):
A number of Article 25.6 decisions are under preparation. In all of them, the main operative provision states that specified arrangements in the third country in question provide adequate protection and makes reference to the texts of those arrangements. A further provision indicates, by derogation from the first, the circumstances in which Member State authorities may suspend data transfers and refers to the possibility that the Commission may reverse, suspend or reduce the scope of the decision if evidence accumulates that the third country, in its entirety or in part, is not in fact providing adequate protection. The draft decisions also provide for a review of the decision after three years and state that each decision applies from a date 90 days after its official publication.
The draft decision clearly anticipates a finding of adequacy in relation to the Safe Harbor principles:
The finding of ‘adequacy’ is also made subject to two conditions referred to in the introduction of the ‘Safe Harbor’ principles, namely the requirement that organisations must publicly declare their adherence to the principles and the requirement that organisations qualifying for the ‘Safe Harbor’ must be subject to the jurisdiction of the Federal Trade Commission or another government body with powers to take enforcement action in cases of deception or misrepresentation.
Beyond that, most of the content of the draft decision must be implied from other comments on it, to which we now turn.
The Working Party of national Data Protection Commissioners, which is the advisory body established under art 29 of the Directive to give advice, among other things, on the adequacy of the privacy laws of third countries, replied to the EU Commission’s draft decision with an Opinion on 3 December 1999. The Working Party concludes that the proposed Safe Harbor arrangements ‘remain unsatisfactory’, and they summarise the points on which they think the Commission should ‘urge the US side to make ... key improvements’ as follows:
This summary does not convey the depth and detail of the Working Party’s recitation of the deficiencies of the Safe Harbor approach, and the extent to which they ‘deplore’ that the Commission and the US have comprehensively ignored their previous opinions on the subject. The best that the Working Party has to say about the Safe Harbor approach is that it is ‘useful’.
Some of the Working Party’s other criticisms of the Safe Harbor proposals, which it considers that the draft decision does not properly address, can be paraphrased as follows.
The Working Party’s views on enforcement requirements for adequacy are in themselves virtually a statement of ‘no confidence’ in the current version of the Safe Harbor approach, and if adopted would probably scuttle many boats trying to enter the Harbor.
It is hard to avoid the impression that the Working Party thinks that the EU Commission is simply selling out the principle of requiring adequate privacy protection in third countries for the sake of causing minimum disruption to US-EU trade. No doubt the Commission takes a different view. The art 31 Committee of Ministers of Member States will still have the final say. It is not yet clear whether the Data Protection Commissioners will convince sufficient Ministers to block the Commission from achieving the necessary majority, or whether their strong interpretation of ‘adequacy’ will merely be the high water mark left by the receding tides of the Safe Harbor.
The outcome is significant for other countries. The EU Directive set a higher international benchmark for privacy protection than previous international agreements, particularly in relation to the question of enforcement and remedies. The extent to which that standard becomes the benchmark outside Europe depends to a significant extent on the outcome of the Safe Harbor dispute. The benchmark inside Europe is being set by the Commission taking five EU Member States to court to ensure they fully implement the Directive (see p 91 in this issue).
In addition, where jurisdictions such as Australia or Hong Kong have their own personal data export prohibitions, the US will expect that the Safe Harbor proposals will be sufficient to satisfy Australian or Hong Kong law as well, and we will be in no position to resist their demands if Europe has already agreed.
For both of these reasons, if the art 31 Committee takes a weak approach to the requirements for ‘adequacy’, it will mean the demise of the international significance of the EU privacy Directive.
Graham Greenleaf, General Editor.