Nov. 27 -- The European Commission Nov. 27 published a package of reports and assessments on data exchange programs between the European Union and the U.S., with the overall conclusion that no immediate action is needed to suspend or moderate trans-Atlantic data transfers in the wake of revelations about U.S. mass surveillance initiatives.
However, the commission, the EU's executive arm, said that one data transfer agreement, the U.S.-EU Safe Harbor program, should be updated by mid-2014 to assuage the fears of Europeans about the transfer of their data to the U.S. by U.S. companies, and to contribute to the restoration of trust in EU-U.S. data flows.
Under the Safe Harbor program, data transfers from the EU are permitted on the basis that U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the 1995 EU Data Protection Directive (95/46/EC).
European Commission Justice Commissioner and Vice-President Viviane Reding, speaking to reporters Nov. 27, said that the commission had put forward 13 recommendations for the improvement of Safe Harbor.
U.S. authorities should implement the recommendations, or the commission could decide to suspend Safe Harbor, Reding said. The latter possibility is the “Damocles sword that the commission has taken out and is hanging over Safe Harbor,” she added.
Other than the recommendations on Safe Harbor, the reports published by the commission had the effect of reaffirming the EU's position on a number of issues related to EU-U.S. data exchange in the context of leaks by U.S. National Security Agency contractor Edward Snowden of classified information relating to U.S. data surveillance.
The documents issued by the commission Nov. 27 were:
• an overall strategy paper on “rebuilding trust in EU-U.S. data flows”;
• an analysis of the operation of Safe Harbor;
• a summary of the activities of an EU-U.S. working group on data protection, which was set up in July in response to the Snowden revelations, and in the context of ongoing EU-U.S. talks about the transfer of data for law enforcement purposes.
The overall strategy paper said that “the EU, its member states and European citizens have expressed deep concerns at revelations of large-scale U.S. intelligence collection programs, in particular as regards the protection of personal data. Mass surveillance of private communication, be it of citizens, enterprises, or political leaders, is unacceptable.”
The commission said that by late September 2013, 3,246 U.S. companies had adopted Safe Harbor as a framework for trans-Atlantic data transfers, and that it relied on “commitments and self-certification of adhering companies.”
However, according to the commission report on the operation of Safe Harbor, there was a “growing concern” among EU data protection authorities about the “very general formulation of the principles and the high reliance on self-certification and self-regulation.”
The commission's 13 recommendations to shore up Safe Harbor relate to greater transparency on the part of adhering companies, ensuring a right of redress for data subjects, stricter enforcement and the inclusion in corporate privacy policies of disclaimers relating to the possibility that mandatory disclosure of data to law enforcement bodies might be required.
On enforcement, the commission said that a proportion of companies participating in Safe Harbor should be inspected for “effective compliance” with the rules, rather than only for “compliance with formal requirements.”
In case of doubts about compliance, the U.S. administrator of the scheme, the Department of Commerce, should inform the relevant EU data protection authority, the commission said.
On TFTP, the commission rejected European Parliament calls for a possible suspension of the program. The Parliament in October adopted a nonbinding resolution calling for the suspension of TFTP (206 PRA, 10/24/13). Under the program, U.S. officials can request transfers of data held by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a Belgium-based consortium that provides financial data transfer communication services.
EU Commissioner for Home Affairs Cecilia Malmström, speaking to reporters Nov. 27, said suspension of TFTP was unnecessary because “I have received written assurances from the U.S. authorities that the agreement has not been breached.”
On the PNR program, Malmström said that the “implementation is in line with the conditions set out” in the EU-U.S. PNR agreement, which was approved by the EU in April 2012 (81 PRA, 4/27/12).
In a Nov. 27 statement, Cecilia Malmström added that “the commission will continue to carefully monitor the implementation of the EU-U.S. agreements on data transfers in order to uphold EU citizens' rights.”
On the activities of the post-Snowden EU-U.S. working group on data protection, the commission said that EU and U.S. officials had met four times since July to “establish the facts around U.S. surveillance programmes and their impact on personal data of EU citizens.”
The group had confirmed some EU concerns, including that U.S. Foreign Intelligence Surveillance Court orders to companies to disclose data offer “no opportunities for individuals to obtain access, rectification or erasure of data, or administrative or judicial redress,” the commission said.
To reinforce data protection safeguards in law enforcement, the commission reiterated its position that U.S. law should allow a right of redress for EU citizens, and that “as a general principle” the U.S. should use existing agreements, such as the EU-U.S. mutual legal assistance treaty, to obtain private data of citizens suspected of criminal activity.
In addition, the U.S. should sign up to the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the commission said.
Some members of the European Parliament criticized the commission's approach.
Jan Philipp Albrecht, German Green lawmaker, said in a Nov. 27 statement that it was “seriously regrettable that the commission has completely ignored the demand of the European Parliament to suspend the EU-U.S. agreement on the transfer of SWIFT bank transaction data.”
“This slight by the commission in ignoring Parliament's demand must make members of the European Parliament more wary in the future about waving through far-reaching international agreements,” Albrecht said.
Albrecht is the Parliament's lead negotiator on the draft EU data protection regulation, which was published by the commission in January 2012 to replace the EU Data Protection Directive and is currently under discussion (205 PRA, 10/23/13).
Sophie In't Veld, Dutch liberal member of the European Parliament, said in a Nov. 27 statement that the commission “has not done a proper investigation” into the operation of the PNR and TFTP agreements.
The commission's conclusions “are based solely on reassurances by the U.S. In view of the seriousness of the allegations, that is unacceptable,” In't Veld said, adding that the commission's package of reports was “tantamount to a whitewash.”
However, Manfred Weber, a center-right German lawmaker who is vice-chairman of the European People's Party in the European Parliament, broadly backed the commission's analysis.
The commission had “scrutinised the implementation and operation of the existing agreements in a serious manner,” and it was right to highlight that there is “considerable room for improvement under the Safe Harbor Agreement,” Weber said in a Nov. 27 statement.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Katie W. Johnson at email@example.com
The commission paper on rebuilding trust in EU-U.S. data flows is available at http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf.
The commission report on the operation of Safe Harbor is available at http://ec.europa.eu/justice/data-protection/files/com_2013_847_en.pdf.
The commission report on the TFTP is available at http://ec.europa.eu/dgs/home-affairs/what-is-new/news/news/docs/20131127_tftp_en.pdf.
The commission's review of the EU-U.S. PNR agreement is available at http://ec.europa.eu/dgs/home-affairs/what-is-new/news/news/docs/20131127_pnr_report_en.pdf.