On November 27, 2013, the European Commission published an analysis of the EU-U.S. Safe Harbor Framework, as well as other EU-U.S. data transfer agreements. The analysis includes the following documents:
- A communication on rebuilding trust in EU-U.S. data flows;
- An analysis of the functioning of Safe Harbor, including FAQs;
- A mid-term report on the Terrorist Finance Tracking Program (“TFTP”) prepared jointly with the U.S. Department of Treasury, including an overview of the TFTP agreement;
- A review of the EU-U.S. agreement on passenger name records (“PNR”) prepared jointly with the U.S. Department of Homeland Security, including FAQs; and
- A report on the findings of the EU-U.S. Working Group tasked with analyzing conflicts between EU and U.S. data protection laws, as well as a summary (see Section 7 of the European Commission’s press release).
Safe Harbor
The European Commission’s analysis of the Safe Harbor Framework concludes that the current Framework lacks transparency and active enforcement, resulting in some Safe Harbor self-certified companies not complying with the Safe Harbor Principles in practice. The European Commission believes the current Safe Harbor Framework should be revised. In particular, the Commission recommends that the following issues be addressed:
- The Safe Harbor Framework must become more transparent, by ensuring that:
- Safe Harbor self-certified companies publish their privacy policies;
- The website privacy policies of Safe Harbor self-certified companies link to the U.S. Department of Commerce’s Safe Harbor list;
- Safe Harbor self-certified companies publish the privacy provisions of their contracts with subcontractors and notify the U.S. Department of Commerce of onward transfers of personal data under the Safe Harbor Framework; and
- The U.S. Department of Commerce’s Safe Harbor website notes which companies’ Safe Harbor certificates are not current.
- Alternative dispute resolution (“ADR”) must be embedded in the Safe Harbor Framework, by ensuring that:
- Safe Harbor self-certified companies offer an ADR mechanism in their privacy policy and link to an ADR provider, as the U.S. Department of Commerce has already asked Safe Harbor self-certified companies to do;
- Safe Harbor-related ADR is readily available, and any participation fees are affordable to EU citizens; and
- The U.S. Department of Commerce monitors whether ADR providers are transparent and provide sufficient information regarding Safe Harbor disputes.
- Compliance with the Safe Harbor Framework must be more actively enforced and audited by:
- Regularly carrying out external audits of Safe Harbor self-certified companies to assess their actual compliance with the Safe Harbor Framework and their privacy policies;
- Following up with external audits of Safe Harbor self-certified companies that were found to not be in compliance with the Safe Harbor Framework;
- Ensuring that the U.S. Department of Commerce notifies the relevant EU data protection authority if it has indications of, or has received complaints about, a Safe Harbor self-certified company’s non-compliance; and
- Carrying out ad-hoc investigations of companies that falsely claim to comply with the Safe Harbor Framework.
- The circumstances under which U.S. authorities may access EU personal data processed by a Safe Harbor self-certified company must be made clear:
- The privacy policies of Safe Harbor self-certified companies must provide sufficient detail about U.S. laws requiring disclosure, and how U.S. authorities may use those laws to access EU personal data (including whether the relevant company applies any exceptions to the Safe Harbor Principles concerning U.S. national security, public interest and law enforcement); and
- The U.S. national security exception to the Safe Harbor Principles must be used only where proportionate and strictly necessary.
The amendments necessary to remedy these issues will be identified between now and the summer of 2014. This process will involve the European Commission, EU Parliament and the Council of the European Union, as well as relevant U.S. authorities. The European Commission will then review whether the identified shortcomings of the Safe Harbor Framework have been addressed adequately, and decide whether to maintain, modify, suspend or revoke its Safe Harbor Decision.
PNR Agreement
The European Commission’s joint review of the PNR Agreement concludes that there are no indications that the PNR Agreement was breached by U.S. surveillance programs. The next review of the PNR Agreement is scheduled for 2015.
TFTP Agreement
Following consultations triggered by allegations that the terms of the TFTP Agreement had been breached, the European Commission concludes that no such breaches occurred. This also follows written assurances from the U.S. Government that there is no direct access to EU personal data contrary to the terms of the TFTP Agreement.
The next review of the TFTP Agreement will be carried out in spring 2014. Notably, the European Commission also concluded that there is currently no clear case for establishing a European Terrorist Finance Tracking System.
Miscellaneous
In its analysis, the European Commission also discusses the ad-hoc EU-U.S. Working Group, tasked with solving direct conflicts between U.S. and EU laws in the context of data protection (e.g., where a company is required under the USA PATRIOT Act to transfer EU personal data to the U.S. in violation of EU data protection laws). In this context, the European Commission notes that the existing mutual legal assistance treaties, as well as the umbrella agreement on international transfers of personal data for criminal investigations that is currently being negotiated, are paramount. The European Commission states that the existing mutual legal assistance treaties should be used more and that the umbrella agreement should afford EU citizens who do not reside in the U.S. with some legal standing and access to legal redress in the U.S.
Finally, the European Commission emphasizes the importance of the proposed EU General Data Protection Regulation in the context of international data transfers, calling for the adoption of the proposed Regulation by spring 2014.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code