Revelations of systematic mass surveillance of EU citizens’ data by the United States did little for transatlantic relations generally, and even less for the EU-US Safe Harbor scheme in particular. The European Commission (the ‘Commission’) conducted a review into whether Safe Harbor was still fit for the purpose of preserving EU citizens’ data protection rights when their data flowed to the United States, and in November published a strategy paper aimed at rebuilding trust in EU-US data flows.
The Commission also published an analysis of the existing operation of Safe Harbor. The Commission offer 13 recommendations to make the Safe Harbor framework ‘safer,’ focusing on greater transparency, with particular regard to the extent of U.S. government access, and more effective enforcement and application of privacy principles. The recommendations require:
- Self-certified companies (SCCs) must publicly disclose privacy policies.
- SCCs privacy policies should set out the extent to which U.S. law permits public authorities to collect data under the Safe Harbor.
- SCCs must include a link to the Department of Commerce Safe Harbor website on website privacy policies.
- SCCs must include a link to an ADR (alternative dispute resolution) provider or EU panel for redress.
- SCCs must publish the privacy conditions contained in any contracts concluded with subcontractors or third-party vendors, e.g., cloud service providers.
- SCCs should flag all companies on the Department of Commerce Safe Harbor list that are not current members.
- ADR bodies in the Safe Harbor scheme must make ADR readily available and affordable.
- The U.S. Department of Commerce should monitor ADR providers for accessibility and transparency.
- Complaints or findings of non-compliance should be subject to follow-up investigations.
- The U.S. Department of Commerce should inform competent EU data protection authorities in the event of doubts on compliance or complaints.
- False claims of Safe Harbor adherence should be investigated thoroughly.
- The national security exception should be limited to use that is strictly necessary or proportionate.
The U.S. Department of Commerce has commented that it is ‘delighted with the genuine willingness on the part of the Commission to save the mechanism and look forward to further constructive dialogue with the EU on the operational aspects of the Safe Harbor framework’. However, the Commission Vice-President, Viviane Reding, reiterated that if recommendations are not implemented by the next review in mid-2014, the Commission will have to resort to the ‘Damocles sword that the Commission has taken out and is hanging over Safe Harbor.’