Following months of uncertainty about the future of the EU-U.S. Safe Harbor Framework, political leaders from the EU and the United States reiterated their commitment to the regime in a joint statement issued 26 March (the Statement).
EU-U.S. Safe Harbor is designed to essentially transpose EU data protection law into U.S. law so that organisations certified to the program are deemed to adequately protect personal data transferred from the EU to them in the United States.
The future of the Safe Harbor regime was cast into doubt last year, following Edward Snowden’s revelations about the extent of NSA information gathering. In November 2013, the European Commission released a Strategy Paper which noted that “the current implementation of Safe Harbor cannot be maintained.” In particular, the paper pointed to shortcomings in transparency, enforcement and the use of the national security exception.
The situation became worse at the beginning of last month when a resolution of the EU Parliament drastically called for the “immediate suspension” of the Safe Harbor regime on the ground that it provides an insufficient level of protection to EU citizens.
The Statement is the latest development in the saga, with officials pledging to maintain the Safe Harbor framework subject to a commitment to strengthening it “in a comprehensive manner by summer 2014”. This demonstrates a slightly more diplomatic approach, which should be reassuring to businesses that currently rely on the Safe Harbor exception.
The Statement also confirms the commitment of the EU to introducing a new “umbrella agreement” for the transfer and processing of data in the context of police and judicial proceedings. The aim of this agreement is to provide citizens with the same level of protection on both sides of the Atlantic, with judicial redress mechanisms open to EU citizens who are not resident in the United States. Negotiations around this agreement commenced in March 2011, and are still on-going.