European Commission Responds to Concerns About U.S. Surveillance, Reviews Safe Harbor


By Stephen Gardner  

Nov. 27 -- The European Commission Nov. 27 published a package of reports and assessments on data exchange programs between the European Union and the U.S., with the overall conclusion that no immediate action is needed to suspend or moderate trans-Atlantic data transfers in the wake of revelations about U.S. mass surveillance initiatives.

However, the commission, the EU's executive arm, said that one data transfer agreement, the U.S.-EU Safe Harbor program, should be updated by mid-2014 to assuage the fears of Europeans about the transfer of their data to the U.S. by U.S. companies, and to contribute to the restoration of trust in EU-U.S. data flows.

Under the Safe Harbor program, data transfers from the EU are permitted on the basis that U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive (95/46/EC).

European Commission Justice Commissioner and Vice-President Viviane Reding, speaking to reporters Nov. 27, said that the commission had put forward 13 recommendations for the improvement of Safe Harbor.

U.S. authorities should implement the recommendations, or the commission could decide to suspend Safe Harbor, Reding said. The latter possibility is the “Damocles sword that the commission has taken out and is hanging over Safe Harbor,” she added.

Aim to ‘Rebuild Trust’

Other than the recommendations on Safe Harbor, the reports published by the commission had the effect of reaffirming the EU's position on a number of issues related to EU-U.S. data exchange in the context of leaks by U.S. National Security Agency contractor Edward Snowden of classified information relating to U.S. data surveillance.

The documents issued by the commission Nov. 27 were:

• an overall strategy paper on “rebuilding trust in EU-U.S. data flows”;

• an analysis of the operation of Safe Harbor;

• reviews of two other EU-U.S. data exchange programs, the Terrorist Finance Tracking Program (TFTP) and the agreement on airline passenger name records (PNR); and

• a summary of the activities of an EU-U.S. working group on data protection, which was set up in July in response to the Snowden revelations, and in the context of ongoing EU-U.S. talks about the transfer of data for law enforcement purposes.

The overall strategy paper said that “the EU, its member states and European citizens have expressed deep concerns at revelations of large-scale U.S. intelligence collection programs, in particular as regards the protection of personal data. Mass surveillance of private communication, be it of citizens, enterprises, or political leaders, is unacceptable.”

Safe Harbor Recommendations

The commission said that by late September 2013, 3,246 U.S. companies had adopted Safe Harbor as a framework for trans-Atlantic data transfers, and that it relied on “commitments and self-certification of adhering companies.”

However, according to the commission report on the operation of Safe Harbor, there was a “growing concern” among EU data protection authorities about the “very general formulation of the principles and the high reliance on self-certification and self-regulation.”

The commission's 13 recommendations to shore up Safe Harbor relate to greater transparency on the part of adhering companies, ensuring a right of redress for data subjects, stricter enforcement and the inclusion in corporate privacy policies of disclaimers relating to the possibility that mandatory disclosure of data to law enforcement bodies might be required.

On enforcement, the commission said that a proportion of companies participating in Safe Harbor should be inspected for “effective compliance” with the rules, rather than only for “compliance with formal requirements.”

In case of doubts about compliance, the U.S. administrator of the scheme, the Department of Commerce, should inform the relevant EU data protection authority, the commission said.

Suspension of TFTP Rejected

On TFTP, the commission rejected European Parliament calls for a possible suspension of the program. The Parliament in October adopted a nonbinding resolution calling for the suspension of TFTP (206 PRA, 10/24/13). Under the program, U.S. officials can request transfers of data held by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a Belgium-based consortium that provides financial data transfer communication services.

EU Commissioner for Home Affairs Cecilia Malmström, speaking to reporters Nov. 27, said suspension of TFTP was unnecessary because “I have received written assurances from the U.S. authorities that the agreement has not been breached.”

On the PNR program, Malmström said that the “implementation is in line with the conditions set out” in the EU-U.S. PNR agreement, which was approved by the EU in April 2012 (81 PRA, 4/27/12).

In a Nov. 27 statement, Cecilia Malmström added that “the commission will continue to carefully monitor the implementation of the EU-U.S. agreements on data transfers in order to uphold EU citizens' rights.”

Redress Concerns Restated

On the activities of the post-Snowden EU-U.S. working group on data protection, the commission said that EU and U.S. officials had met four times since July to “establish the facts around U.S. surveillance programmes and their impact on personal data of EU citizens.”

The group had confirmed some EU concerns, including that U.S. Foreign Intelligence Surveillance Court orders to companies to disclose data offer “no opportunities for individuals to obtain access, rectification or erasure of data, or administrative or judicial redress,” the commission said.

To reinforce data protection safeguards in law enforcement, the commission reiterated its position that U.S. law should allow a right of redress for EU citizens, and that “as a general principle” the U.S. should use existing agreements, such as the EU-U.S. mutual legal assistance treaty, to obtain private data of citizens suspected of criminal activity.

In addition, the U.S. should sign up to the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the commission said.

MEPs: Commission Conclusions Weak

Some members of the European Parliament criticized the commission's approach.

Jan Philipp Albrecht, German Green lawmaker, said in a Nov. 27 statement that it was “seriously regrettable that the commission has completely ignored the demand of the European Parliament to suspend the EU-U.S. agreement on the transfer of SWIFT bank transaction data.”

“This slight by the commission in ignoring Parliament's demand must make members of the European Parliament more wary in the future about waving through far-reaching international agreements,” Albrecht said.

Albrecht is the Parliament's lead negotiator on the draft EU data protection regulation, which was published by the commission in January 2012 to replace the EU Data Protection Directive and is currently under discussion (205 PRA, 10/23/13).

Sophie In't Veld, Dutch liberal member of the European Parliament, said in a Nov. 27 statement that the commission “has not done a proper investigation” into the operation of the PNR and TFTP agreements.

The commission's conclusions “are based solely on reassurances by the U.S. In view of the seriousness of the allegations, that is unacceptable,” In't Veld said, adding that the commission's package of reports was “tantamount to a whitewash.”

However, Manfred Weber, a center-right German lawmaker who is vice-chairman of the European People's Party in the European Parliament, broadly backed the commission's analysis.

The commission had “scrutinised the implementation and operation of the existing agreements in a serious manner,” and it was right to highlight that there is “considerable room for improvement under the Safe Harbor Agreement,” Weber said in a Nov. 27 statement.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com


The commission paper on rebuilding trust in EU-U.S. data flows is available at http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf.

The commission report on the operation of Safe Harbor is available at http://ec.europa.eu/justice/data-protection/files/com_2013_847_en.pdf.

The commission report on the TFTP is available at http://ec.europa.eu/dgs/home-affairs/what-is-new/news/news/docs/20131127_tftp_en.pdf.

The commission's review of the EU-U.S. PNR agreement is available at http://ec.europa.eu/dgs/home-affairs/what-is-new/news/news/docs/20131127_pnr_report_en.pdf.