Draft

Date
 
 

DATA PROTECTION: DRAFT OF THE COMMISSION SIDE OF THE

EXCHANGE OF LETTERS WITH THE US DEPARTMENT OF COMMERCE

Further to your letter of ____ with which you enclosed the "international safe harbor privacy principles" and the frequently asked questions and answers (the principles) issued by the Department of Commerce on ___, I am pleased to inform you that the Commission, exercising the powers conferred on it by Article 25.6 of the Data Protection Directive, has found that these principles, if complied with by US organisations, would provide adequate protection for the purposes of Article 25.1 of the Directive regarding the transfer of personal data to countries outside the European Union. I enclose a copy of the Article 25.6 decision for your information. The Member States are required to comply with decisions of the Commission taken on the basis of Article 25.6.

Article 25.6 Decision

The decision under Article 25.6 provides that data controllers in the EU can transfer personal data processed in accordance with MS law to US-based organisations qualifying for the "safe harbor" arrangements without providing additional safeguards to ensure their protection. The effect of this decision is also that any requirements for the prior authorisation of transborder data transfers as provided for under Member State law will be waived, or that approval will be automatically and promptly granted, as regards such transfers to organisations qualifying for the safe harbor. The Directive and Member States' laws implementing it still of course govern the lawfulness of processing in the EU and this decision does not affect that in any way.

List of Participating US-based Organisations

The Commission welcomes the fact that the Department of Commerce will provide for the maintenance of a list, to be made publicly available and kept up to date on a regular basis, of the US-based organisations which have declared their adherence to the principles and which notify this to the Department of Commerce or the organisation the Department nominates for this purpose. We note also that the Department of Commerce or its nominee will make public any proper and final adverse determinations pertaining to a safe harbor organisation notified to it by an enforcement body in the US. This will enhance transparency and clarity about which US-based organisations enjoy "safe harbor" benefits.

Date of entry into effect

US organisations will be assured of "safe harbor" benefits from the date that they notify the Department of Commerce or its nominee and publicly announce that they have taken the measures necessary to comply with the principles. The Commission and the Member States recognise that US organisations will need some time to implement privacy policies to put the principles into effect. During the course of our discussions, Member States have demonstrated their willingness to use the flexibility offered by Article 26 of the Directive to avoid interruptions in data flows. The Commission and the Member States have confirmed their willingness to continue to use this flexibility to provide US organisations with an opportunity to decide whether to participate in the "safe harbor" and (if necessary) to update their information processing policies and practices accordingly. In this connection I would draw your attention to the enclosed extracts from the minutes of the Article 31 Committee.(1) [Article 31 Committee extracts to be supplied before letters are finalized.]

In deciding whether to participate in the "safe harbor", organisations should consider that the "safe harbor" represents clear advantages over Article 26 treatment, in terms of speedier transfers, much lighter administrative burdens and greater legal certainty. These advantages will benefit the EU transferers of data as well as the US recipients. US organisations may of course join the "safe harbor" at any time, but we consider that the resulting benefits represent strong arguments for their entering the "safe harbor" as quickly as possible.

Complaint Procedures

It can be expected that claims will arise from time to time that an organisation which has entered the "safe harbor" is not in fact complying with the principles. As for all cases where complaints concern recipients falling within the scope of a decision taken on the basis of Article 25.6 of the Directive, it will be for the appropriate US bodies to determine whether such claims are founded and if so, to ensure that the organisation takes the measures necessary to come into compliance with the principles as quickly as possible, or is removed from the "safe harbor". Reliance on US enforcement arrangements to ensure a good general level of compliance with the principles is a fundamental aspect of the "adequacy" finding. As indicated by Article 2 of the decision, evidence that any enforcement body in the US responsible for compliance with the principles is failing to secure compliance may trigger action by the Commission, in consultation with the Member States through the Article 31 Committee, and after informing the Department of Commerce, to reverse or limit the scope of the decision with respect to such enforcement bodies.(2) Measures to block specific data transfers can be taken at the national level only in the circumstances and in the manner set out in Article 2, paragraph 1. Moreover, such measures can have only a temporary effect, pending a resolution of the problem by the appropriate enforcement bodies in the US. These arrangements as a whole reflect our shared twin objectives of avoiding the interruption of transborder data flows and maintaining high data protection standards.
 

Jurisdiction

During our dialogue, you raised with me the concerns of US industry about the possible effects of the "safe harbor" as regards jurisdiction and applicable law in the European Union. I would like to confirm that it is the Commission's intention that participation in the "safe harbor" does not change the status quo ante for any organisation with respect to jurisdiction or liability in the European Union. Moreover, our discussions with respect to the "safe harbor" have not resolved nor prejudged the question of whether or when US-based websites may be subject to Member State or European Union jurisdiction or applicable law issues. All existing rules, principles, conventions and treaties relating to international conflicts of law continue to apply and are not prejudiced in any way by the "safe harbor" arrangement.

Use of Contracts - Article 26 Decisions

I should also add that the establishment of the "safe harbor" does not affect the ability of Member States to authorise transfers on the basis of safeguards adduced by the data exporter in accordance with Article 26.2. This means organisations not wishing to qualify for the "safe harbor" could put in place the safeguards necessary for transfers of personal data from the EU to the US by means of binding written agreements between the transferers and the recipients of data. The Commission may approve model clauses for such agreements under Article 26.4 of the Directive which are binding on the Member States. The Commission and the Member States are of the view that the principles may be used in such agreements for the substantive provisions on data protection. Such agreements may need to include other provisions on issues such as liability and enforcement, on which decisions have not yet been taken. The Commission has initiated discussions with the Member States in the Article 31 Committee regarding these other provisions, with the aim of adopting a decision under Article 26.4 authorising model agreements which rely on the principles for the provisions on data processing and other contractual provisions as necessary. Such a decision would mean that transfers covered by contracts in the approved form would be automatically authorised.(3)

Our dialogue has proved extremely useful in clarifying rules and practices on both sides, identifying much common ground and exchanging information on procedures. The continuation of this dialogue would seem desirable, on a periodic basis and/or when a particular problem makes it necessary. This will allow us to continue to exchange information on relevant developments concerning the implementation of Articles 25 and 26. As you know, the Commission and the Member States are committed to implementing and enforcing these provisions and any decisions based on them in an even-handed and non-discriminatory manner as between US organisations and those located in other third countries and in the EU and will monitor whether they have been implemented and enforced in this manner in our continuing dialogue.(4)
 

In addition, we may agree that it would be helpful from time to time to consult other entities, as appropriate. This could mean representatives of both the Article 31 Committee and the working group set up under Article 29 of the directive on our side and of various enforcement bodies or their representatives on the US side.
 

The European Commission and the Member States have committed themselves to conducting a first review of the decision in early 2003(5) as indicated in the decision, and we hope that the US Government will participate in this review. In any event, the European Commission will consult the US Government before taking any action to modify the decision.
 

This letter is for your information only and of itself creates no legally binding effects.
 
 
 

1. The period during which flexibility will be applied remains under discussion.
The Working party of Data Protection Commissioners set up under Article 29 of the Directive is also expected to address this issue when it examines the proposed "safe harbor" arrangements at its meeting on 2/3 December. Any relevant minutes from the working party's meeting will also be enclosed with the final version of this letter.

2. The US side has asked that provision also be made for any US enforcement bodies to be able to exercise their rights of defence ("due process").

3. In relation to the contracts paragraph, the US wishes to add: "The Commission is working with the Article 31 Committee to finalise such a decision as soon as possible, but in any event will do so within one year of the date of the Article 25.6 decision. If the Article 26.4 decision authorising model agreements based on the safe harbor is delayed beyond one year, the Commission and the Member States will extend the transition period for a length of time equal to the delay in order to provide US organisations with requisite time to make an informed decision about whether to enter the safe harbor or rely on contractual safeguards."

4. The Working party of Data Protection Commissioners set up under Article 29 of the Directive is also expected to address this issue when it examines the proposed "safe harbor" arrangements at its meeting on 2/3 December. Any relevant minutes from the working party's meeting will also be enclosed with the final version of this letter.

5. The US side has a reserve on this time-frame, pending the results of the discussion about the length of the interim period.