
Privacy Laws and Business International Report


European Parliament rejects Safe Harbour [2000] PLBIRp 25; (2000) 54 Privacy Laws and Business International Report 9


THE EUROPEAN PARLIAMENT wants the European Commission to renegotiate the Safe Harbour package approved by the Member States at the end of May. The Parliament considers that the Commission has exceeded its powers with the agreement, and finds several areas that require improvement.

The Safe Harbour package was expected to be adopted as soon as the end of July. However, a resolution adopted by the European Parliament on 5th July suggests that the Commission ought to return to the negotiating table and change the agreement.

The Commission will take a decision on how to proceed on 19th July. The Parliament's powers in this case were mainly to check that the Commission has used its powers correctly in agreeing the package. It considers that the Commission has exceeded its powers. Under article 8 of the Council decision on comitology procedures, the Parliament may call the Commission to re-examine its decision, but the Commission does not have to change its position.

However, it would be a politically difficult decision for the Commission just to go ahead. The resolution was adopted by 279 votes to 259 with 22 abstaining from the vote. During the Parliament's plenary debate, the Legal Affairs Commissioner, Frits Bolkestein, said that renegotiating would not be helpful as the EU had already obtained the best possible result. Bolkestein denied that the Commission had exceeded its powers, pointing out that, according to the 1995 Data Protection Directive, it is up to the European Commission to determine if the protection of data which are transferred to non-EU countries is adequate.

CHANGES SUGGESTED INCLUDE A SUPERVISORY AUTHORITY

The Parliament's resolution calls for many changes to the current agreement, for example providing a right of appeal to an independent public body, and making participating companies obliged to compensate damage to individuals who have suffered as a result of a violation of the Safe Harbour principles. The Parliament also criticises the Commission for having failed to draw up standard contractual clauses which EU citizens could invoke in third countries, and gives the Commission until 30th September to do so.

The Parliament also points out that the situation in the US as regards privacy protection is likely to change soon as there are many legislative initiatives. New legislation could introduce a level of protection that is higher than that provided by the Safe Harbour agreement. The agreement needs, therefore, to be changed now in order not to be immediately overtaken by new legislation.

MEMBER STATES ALREADY APPROVED SAFE HARBOUR

The European Commission adopted a draft decision on the Safe Harbour package on 31st May (the latest version of the Safe Harbour package is available to view on the Internet at http://www.ita.doc.gov/td/ecom).

The decision was taken unanimously by the European Union Member States. In the US, the Department of Commerce was going to continue to consult with the private sector on questions related to implementation of the package. It was expected that implementation could start this autumn.

SAFE HARBOUR EXCLUDES FINANCIAL SECTOR

The Safe Harbour principles, in their current form, are supplemented by Frequently Asked Questions that introduce many exceptions as regards publicly available data such as electoral rolls and the land register.

A cause for concern for the US has been that financial services are not included in the Safe Harbour agreement. A statement adopted at the EU-US Summit on 31st May states, however, that separate arrangements will be considered for this sector.

Other areas in the agreement that have been widely criticised include the fact that the Safe Harbour principles would be voluntary, and that it is uncertain whether the enforcement regime would be effective. In an opinion, adopted on 16th May, the EU Data Protection Working Party stresses that although individuals can complain to the Federal Trade Commission (FTC), there is no guarantee that the FTC will examine their case.

Privacy advocates on the other side of the Atlantic also consider the enforcement regime weak. Groups such as the Electronic Privacy Information Centre (EPIC) are continuously campaigning for European-style data protection laws.

SAFE HARBOUR IS NOT THE ONLY SOLUTION

Similar arrangements may be made with other "third countries", but this is not the only solution to ensuring that international data flows continue. The EU has also been evaluating whether other countries' data protection laws can be regarded as providing European-standard protection for individuals. The EU Data Protection Working Party has recommended that Hungary and Switzerland should be considered to have adequate protection, and the EU Commission adopted, on 31st May, a draft decision stating their adequacy (the draft decisions are available at the European Commission's Internal Market website at http://europa.eu.int/comm/internal_market/en/media/dataprot/index.htm).

The EU Data Protection Working Party and the EU Commission have also studied model contractual clauses that have been submitted for approval by the Confederation of British Industries (CBI) and the International Chamber of Commerce (ICC). The ICC document is a revised version of its existing 1992 code that is already used by some companies.

UK PUBLISHED CLEAR GUIDANCE

While waiting for EU-level contractual clauses to be adopted, the UK Data Protection Commissioner's Office has published useful guidance on transborder flows. Following the preliminary guidance (PL&B Oct '99 p.3-4) which was a legal analysis, this approach is more practical. Although the guidance was written before the 1998 Act entered into force on 1st March, it addresses the problem from the point of view of complying with the new law's 8th data protection principle.

The eighth principle prohibits data controllers from transferring personal data outside of the European Economic Area (EEA), unless the country provides for adequate protection of data. The EEA countries are: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden and the UK. UK data controllers should note that the Channel Islands and the Isle of Man are not included, but they are in the process of amending their current laws to satisfy the adequacy requirement (PL&B April 2000 p.3-8).

The UK Commissioner takes the view that there are circumstances when the controller may assume adequacy without a detailed analysis of data protection in the recipient country. This is the case, for example, when the nature of the data is not particularly sensitive and the data controller has previous knowledge of the recipient. An example could be gathering names of well-known athletes and putting them on a website. The Commissioner advises that there should not be a problem with adequacy as the data are already in the public domain and there is little scope for misuse.

Another example discusses the situation when an employee travels abroad with his laptop, which includes personal data gathered at work. If the data remains in the control of the employee and there are adequate security measures in place, it is reasonable to assume that the data is adequately protected even if abroad.

A press release on the European Parliament's Resolution on Safe Harbour can be seen at http://www.europarl.eu.int/dg3/sdp/journ/en/nj000705_en2.htm#9. The latest version of the Safe Harbour principles is at http://www.ita.doc.gov/td/ecom. News about the Commission's decision with regard to the Parliament's decision should appear at http://europa.eu.int/comm/internal_market/en/media/dataprot/index.htm

Correction:

The Data Protection Roundup, published in the April issue (no 53) had some inaccurate information on Norway and Belgium. The date when Norway’s new Act was formally adopted was 14th April, not 7th March.

Please also note that Belgium’s new law has NOT entered into force yet. It is expected to be in force by the end of the year.

Privacy Laws & Business apologises for any inconvenience caused by these errors.


URL: http://www.worldlii.org/int/journals/PLBIRp/2000/25.html