Out-Law / Your Daily Need-To-Know

An EU report – looking into the implementation of an Agreement between the US and the EU that allows the safe transfer of personal data from the EU – has highlighted a few concerns with US compliance.

The transfer of personal data outside the UK or other EU countries is severely limited by the Data Protection Directive of 1995 that prevents transfers to countries without adequate data protection laws. This includes the US, which has no equivalent legislation and instead largely relies on a self-regulatory system.

In order to ensure that personal data flows to the US were not interrupted by the implementation of the Directive, the US Department of Commerce (under the Clinton administration) and the European Commission developed what is known as a "Safe Harbor" framework that allows US organisations to satisfy the Directive.

Under the Safe Harbor, since November 2000 US companies have been able to voluntarily adhere to a set of seven principles (Notice, Choice, Transfers to Third Parties, Access, Security, Data integrity and Enforcement) that meet the requirements of the EU as regards transfers of data to the US.

The Commission is obliged to assess the implementation of the Agreement at specified intervals. The latest of these assessments has now taken place and late last month the Commission Services published a report, known as a Staff Working Document, on its findings.

The report assessed three main issues:

The compliance of registered US organisations.

The report found that by the end of last year over 400 companies had registered under the Agreement, representing a steady but disappointingly low growth in membership.

On top of this the Commission services found that a substantial minority of members did not "identify in its publicly available privacy policy that it adheres to the [Data Protection] Principles and actually does comply with the Principles" – as required under the Agreement.

This is important because a "lack of a public self-statement in itself means that Safe Harbor participants are falling short of what the decision requires." Furthermore, says the report:

"The FTC's authority to enforce the Principles upon a given organisation is triggered by such an organisation's public commitment to comply with the Principles. Without such a public commitment, the FTC would not have the authority to enforce the Principles."

The Commission services are also concerned that while organisations registered under the Agreement seem to be trying to implement the Data Protection Principles, in practice the implementation is not always successful.

In particular the report found that organisations were having problems in implementing the Principles relating to notice, opting out, access and complaints procedure.

To tackle their concerns, the Commission services suggest that a rigorous respect for the Principles be highlighted in all contact with the relevant US authorities; that the US Department of Commerce be more proactive in encouraging awareness; and that the DoC and a panel of EU data protection authorities (DPAs) work together to provide guidelines on drafting privacy policies.

The report also encourages the EU panel and EU DPAs to suspend the transfer of data if there is non-compliance by a registered organisation.

Whether the bodies and processes (such as the Department of Commerce, FTC and the panel of EU data protection authorities) that support the implementation are working effectively.

The report is generally complimentary about the role of the DoC, but suggests a few amendments to the information on its web site.

As yet the EU panel has not been involved in complaints from individuals over transfers to the US, and so the report has little to suggest in this regard. However, the FTC could be more proactive in ensuring compliance, suggests the Commission services.

Whether the Agreement is being implemented in a discretionary manner.

According to the report:

"The Commission does not perceive any sign of discrimination, for example discrimination of one company or economic sector versus others, in the effective implementation of the Safe Harbor decision."

Nor, says the report, has there been any discrimination against the US in, for example, the recognition by the EU of the adequacy of another country's data protection laws that were less stringent than the US Safe Harbor agreement.
