
Privacy Laws and Business International Report



The European Commission adopts Safe Harbour [2000] PLBIRp 39; (2000) 55 Privacy Laws and Business International Report 12

The European Commission adopts Safe Harbour

THE SAFE HARBOUR AGREEMENT, designed to ensure adequate protection for personal data transferred from the EU to the US, will take effect in November. As joining the scheme is voluntary, it is now up to US companies to make the arrangement work.

The European Commission decided, despite the opinion of the European Parliament (PL&B July 2000 p.9-10), to go ahead with the Safe Harbour, and adopted the agreement on 27th July. The agreement has been much debated, not least because of uncertainties with its enforcement. While participation is voluntary, the Safe Harbour principles are binding on those who join. The US Federal Trade Commission (FTC) will be in charge of enforcing the rules. Its powers are based on the FTC Act, which makes it illegal to make misrepresentations to consumers, an example of which could be adopting a privacy policy but not abiding by it.

WHAT DOES IT MEAN IN PRACTICE?

The Safe Harbour agreement means that there is a presumption of an adequate level of protection in those US organisations that have joined the Safe Harbour. US companies may join by self-certification. The certification is required annually, and it needs to demonstrate that the company agrees to follow the principles. These self-certifications will form a list to be posted on the Department of Commerce website. EU companies can then easily check whether the organisation to which they are sending personal data is committed to following the Safe Harbour principles or not. The list will be regularly updated, and will also include any deletions.

Transfers of personal data to companies that have not joined the agreement will be possible if certain requirements have been met, for example, if the individual in question has given his consent, the transfer has been authorised by a data protection authority, or there are contracts in place.

Model contracts are currently being developed. For example, the Confederation of British Industries (CBI) has redrafted its contract and submitted it to the EU Data Protection Working Party on 30th June. If a model contract were to be approved, it may allow companies to transfer data without seeking an authorisation (they are planned only in some EU countries).

PREPARING FOR SAFE HARBOUR

To qualify for the Safe Harbour, an organisation needs to

1. Join a self-regulatory privacy programme that adheres to the Safe Harbour principles (such programmes could be TrustE, BBBOnline etc)

2. Develop its own privacy policy that mentions self-certification to the principles, and comply with the principles

3. Be subject to a statutory, regulatory, administrative or other body of law that effectively protects personal privacy.

FINANCIAL SECTOR NOT INCLUDED

The Safe Harbour agreement does not apply to the financial sector as the FTC's remit does not cover financial services. However, it may be that proposed legislation (Gramm/Leach/Bliley Financial Modernisation Act 1999) will establish adequate data protection rules for this sector.

The FTC does not have enforcement powers for transport or telecommunications either. However, if other government enforcement bodies are recognised, these areas can also be covered by the Safe Harbour agreement. The US Department of Transportation has already been chosen as the enforcement body for airlines.

SWITZERLAND AND HUNGARY ALSO SAFE DESTINATIONS

The European Commission has also taken a decision on the adequacy of Switzerland's and Hungary's data protection regimes. The positive decision, published at the end of July, paves the way for other findings of adequacy. The Commission will now study Canada's new private sector privacy law. Discussions have also taken place with Japan and Australia.

For more information, see the EU Internal Market Directorate's website at http://www.europa.eu.int/comm/internal_market, or the US Department of Commerce website at http://www.ita.doc.gov/td/ecom.


URL: http://www.worldlii.org/int/journals/PLBIRp/2000/39.html