Privacy Law and Policy Reporter
The European Commission has finally decided, after two years of negotiations, that a revised version of the United States ‘Safe Harbor Privacy Principles’ (Safe Harbor) ensures an adequate level of protection for personal data transferred from the EU to US organisations adhering to the Safe Harbor. Under the EU’s data protection Directive, Member States must ensure that personal data transferred to non-EU countries is ‘adequately’ protected. The Commission’s Decision is at odds with the views of Europe’s national data protection commissioners and the European Parliament, both of which have been severely critical of the Safe Harbor proposals as falling short of what should be considered ‘adequate’ privacy protection.
The Commission is now moving to examine the ‘adequacy’ of the legal protection of privacy in three other non-EU countries, starting with Canada and its new Personal Information Protection and Electronic Documents Act 2000 (see (2000) 7(2) PLPR 27), before moving on to consider Japan, Australia and other countries (but in what order is not certain). The Commission has also found the laws of Switzerland and Hungary ‘adequate’, but that is not surprising since they follow a similar approach to the EU Directive.
What are the implications of the EU Decision on Safe Harbor’s adequacy for Australia and other non-EU countries? On the one hand, the Commission has accepted a weak and fragmented standard of privacy protection in the US as ‘adequate’ in order not to endanger trade between the EU and the US. Since the Safe Harbor Decision is the first decision on adequacy concerning a non-European country, it can be seen as setting a low benchmark for ‘adequacy’. The strong criticism of this low standard by other European bodies means that it is no exaggeration to say that the Commission has sold out Europe’s high privacy standards set by the Directive in order to protect its US trade. European criticisms of the Decision are outlined below. The Safe Harbor Decision could signal that the EU Commission will decide that weak privacy protections in other countries are also ‘adequate’, to avoid accusations of inconsistency and hypocrisy.
On the other hand, there are reasons why countries such as Australia should not be sanguine that the EU will allow a low standard of protection to pass muster. Other countries do not have the economic muscle of the US. The criticism of Safe Harbor within Europe is sufficiently severe that the Commission may not wish to repeat the exercise, and may in fact wish to restore its privacy credentials (at the risk of inconsistency) by taking a stronger approach to other countries. The Safe Harbor Decision also contains enough qualifications, and enough factors peculiar to the US, that the Commission will be able to avoid treating it as a precedent. Finally, the Commission has already sent a strong signal to Australia that it will be taking a very critical approach to Australia’s private sector privacy legislation, as explained in this month’s lead article.
The Directive provides that the European Commission may decide that the protection offered by a particular country meets the ‘adequacy’ requirement. Before adopting a formal Decision to this effect, the Commission must seek the support of a qualified majority of Member States meeting in the framework of a Committee established under art 31 of the Directive. Prior to seeking the opinion of the Committee, the Commission must seek the opinions on the arrangement from Member States’ data protection commissioners (meeting in the framework of the working party established by art 29 of the Directive). Before finalising the decision, the Commission must also submit it to the scrutiny of the European Parliament, which checks that the Commission is using its powers under the Directive correctly (and also gives its opinion on the substance of the Commission’s proposed Decision). Once adopted the Decision is binding on all Member States, and is therefore a strong guarantee against the interruption of data flows from the EU to a country (or sector within a country) in whose favour an ‘adequacy’ Decision has been made. All of these procedures have now been completed in relation to Safe Harbor. They will have to be completed in relation to countries such as Canada and Australia.
The Decision accepts that the Safe Harbor proposals constitute ‘adequate’ protection in relation to those US organisations that have ‘unambiguously and publicly disclosed’ (in writing to the Commerce Department) a commitment to comply with the ‘Safe Harbor Privacy Principles’ (reproduced after this article), implemented in accordance with the Frequently Asked Questions (FAQs) that accompany them. These self-certifying organisations must also come within the statutory powers of a US government body with powers to ‘investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality’. Only the Federal Trade Commission (FTC) and the US Department of Transportation have been so designated as yet.
It remains to be seen what percentage of US organisations that wish to obtain personal data from EU countries will be able to satisfy these criteria. The FTC lacks jurisdiction over some financial institutions, the telecommunications sector, much of transportation, and some aspects of insurance.
The Decision now makes clear that it does not affect the processing of personal data within EU Member States (a point which could affect Europeans using US websites). There are provisions for a European national commissioner to take unilateral action to suspend transfers where there is evidence of violations by US organisations which create an ‘imminent risk of grave harm’ to Europeans, and the commissioner has taken reasonable steps to give the US an opportunity to respond. The Decision can be adapted at any time in light of experience or developments in US legislation, and a formal review is also provided for.
One notable aspect of the Safe Harbor is that the ‘Choice’ principle only gives individuals the right to opt out from any uses of their information incompatible with the purpose of collection, or any disclosures, although this is moderated by the ‘Data Integrity’ principle in relation to uses, and the exception for ‘sensitive’ information (where ‘opt in’ is required). This is contrary to the approach taken in many laws requiring consent (opt in), with other specific exceptions allowed.
The EU national data protection commissioners (the Article 29 Working Party) comprehensively rejected the 1999 draft as inadequate. The Working Party then delivered a new Opinion on the February 2000 draft of the Safe Harbor proposal and the Commission’s draft Decision, identifying many deficiencies that remained. Changes in the final versions of both the Safe Harbor principles and the Decision do address some of these criticisms. The Working Party has not made a formal response to the final documents.
However, the European Parliament has passed a resolution on the Decision and the Safe Harbor Principles (5 July 2000). The resolution is very critical of how the Commission carried out the Safe Harbor negotiations (as bordering on entering into an international agreement without the Parliament’s consent), but falls short of deciding that it exceeded its powers. Although the Parliament does not have a formal role in approving the content of the Decision, it took the opportunity to state that the Safe Harbor proposals could only be considered ‘adequate protection’ if ‘the following changes are made to them’:
The Commission decided to go ahead and make the Decision without negotiating any such changes with the US, but instead stated it was:
putting the Department of Commerce on notice as regards the Parliament’s concerns by informing the US side that it would re-open the discussions to seek improvements if the Parliament’s fears about remedies for individuals proved to be well-founded. The Commission has already communicated the Parliament’s Resolution to the US authorities.
The enforcement weaknesses of Safe Harbor have also been criticised by a coalition of European and US consumer organisations (the TransAtlantic Consumer Dialogue — TACD):
... in stark contrast to the current protections offered by the EU Data Protection Directive where individuals are granted a specific right to judicial remedy and data protection authorities are obligated to follow up on those complaints, the FTC is not required to pursue the claims of any individual consumers ... Civil penalties or sanctions for one-time or persistent violations of Safe Harbor principles may only be assessed by the Federal Trade Commission (FTC) after being referred via industry-funded self-regulatory groups such as TRUSTe or BBBOnline, ADR bodies, or data protection authorities in EU member countries. Despite past cases where individual privacy has been compromised, no self-regulatory group has ever referred a member company for investigation and the FTC has never provided remedies for any of the companies with which they have reached settlements.
The European Parliament’s criticisms of the enforcement weaknesses of Safe Harbor are certain to be shared by the European data protection commissioners (given their previous comments), and represent a widespread level of concern in Europe about the weakness of the Safe Harbor compromise. In its resolution, the Parliament formally stated its support for the minimum requirements for ‘adequate protection’ set out by the Article 29 Working Party in its opinion WP12 of June 1998. It has therefore attempted to present a united approach by the Parliament and the data protection commissioners. This may be significant in the coming deliberations concerning the laws of Canada, Australia and other countries that are not in as strong a negotiating position as the US.
Graham Greenleaf, General Editor.