DATA PROTECTION: DRAFT OF A LETTER FROM THE COMMISSION SERVICES TO THE US DEPARTMENT OF COMMERCE
Thank you for your letter of ... with which you enclosed the "safe harbor privacy principles" and the frequently asked questions and answers (the principles) issued by the Department of Commerce on ... and related material concerning enforcement by public bodies in the United States. I am pleased to inform you that the Commission, exercising the powers conferred on it by Article 25.6 of the Data Protection Directive (95/46/EC), has found that these arrangements would provide adequate protection for the purposes of Article 25.1 of the Directive regarding the transfer of personal data to countries outside the European Union. I enclose a copy of the Commission decision .../00 for your information. The Member States are required to comply with decisions of the Commission taken on the basis of Article 25.6.
The Commission decision
The decision provides that data controllers in the EU can transfer personal data processed in accordance with Member State law, without providing additional safeguards to ensure their protection, to US-based organisations declaring their adherence to the "safe harbor" principles, provided that they are subject to the statutory powers of a public body empowered to investigate complaints and to obtain relief against unfair or deceptive practices. The effect of this decision is also that any requirements for the prior authorisation of transborder data transfers as provided for under Member State law will be waived, or that approval will be automatically and promptly granted, as regards such transfers to organisations qualifying for the safe harbor. The Directive and Member States' laws implementing it still of course govern the lawfulness of processing in the EU, and Article 25.6 decisions do not affect that in any way. This means that violations of Member State laws by data exporters can result in the blocking of data transfers, notwithstanding the existence of relevant Article 25.6 decisions.
List of Participating US-based Organisations
The Commission welcomes the fact that the Department of Commerce will provide for the maintenance of a list, to be made publicly available and kept up to date on a regular basis, of the US-based organisations which have declared their adherence to the "safe harbor principles" and which notify this to the Department of Commerce or the organisation the Department designates for this purpose. We note also that the Department of Commerce or its designee will make public any proper and final adverse determinations notified to it pertaining to non-compliance with the principles by a safe harbor organisation or to other events that might bring to an end an organisation's participation in the "safe harbor", such as a takeover or a merger. This will ensure transparency and clarity about which US-based organisations enjoy "safe harbor" benefits.
Date of entry into effect
Member States are required to ensure that the decision is effective 90 days after its notification to them. After this, US organisations self-certifying their adherence to the "safe harbor" will be assured of "safe harbor" benefits from the date that they notify the Department of Commerce (or its designee) and publicly announce that they have taken the measures necessary to comply with the principles. The Commission and the Member States recognise that US organisations will need some time to consider whether to participate in the "safe harbor" and, if so, to implement privacy policies to put the principles into effect. During the course of our discussions, Member States have demonstrated their willingness to use the flexibility offered by Article 26 of the Directive to avoid interruptions in data flows, so as not to call into question the good faith efforts being made to secure adequate protection for data transferred from the EU. The Commission and the Member States have confirmed their willingness to continue to use this flexibility during the implementation phase of the "safe harbor", so that US organisations have time to decide whether to participate in the "safe harbor" and (if necessary) to update their information processing policies and practices accordingly. If Member States become aware that action needs to be taken which will interrupt data flows to the United States, they will inform the Commission immediately, if possible before such action is taken, and the Department of Commerce will be informed. The situation will be reviewed in the middle of 2001.
In deciding whether to participate in the "safe harbor", organisations should consider that the "safe harbor" represents clear advantages over the existing situation, in terms of speedier transfers, lighter administrative burdens and greater legal certainty. These advantages will benefit the EU transferers of data as well as the US recipients. US organisations may of course join the "safe harbor" at any time, but we consider that the resulting benefits represent strong arguments for their entering the "safe harbor" as quickly as possible.
The proposed review of the implementation phase will take into account the particular needs of the financial services sector. The EU side shares the US goal of identifying a predictable framework for data transfers in the financial services sector and bringing the benefits of the "safe harbor" to that sector, given its economic importance and the high volume of personal data flows in this sector. More time is however needed for further examination of recent developments in US laws governing privacy in the financial sector and of their interaction with the "safe harbor", and specifically for completion in the United States of the Financial Modernization Act regulations. On our side, we shall seek to maintain the momentum developed in the "safe harbor" discussions and, as indicated above, thanks to the flexibility allowed by the Directive itself we do not anticipate problems with interruptions in data flows while good faith efforts continue to address these issues.
Complaint Procedures
It can be expected that claims will arise from time to time that an organisation which has entered the "safe harbor" is not in fact complying with the "safe harbor" principles. As for all cases where complaints concern recipients falling within the scope of a decision taken on the basis of Article 25.6 of the Directive, it will be for the appropriate US bodies to determine whether such claims are founded and if so, to ensure that the organisation takes the measures necessary to come into compliance with the principles as quickly as possible, or is removed from the "safe harbor". Reliance on US enforcement arrangements to ensure a good general level of compliance with the principles is a fundamental aspect of the "adequacy" finding. As indicated by Article 2 of the decision, evidence that any enforcement body in the United States responsible for compliance with the principles is failing to secure compliance may trigger action by the Commission, in consultation with the Member States through the Article 31 Committee, and after informing the Department of Commerce, to reverse, suspend or limit the scope of the decision with respect to such enforcement body. Measures to suspend specific data transfers for reasons connected with compliance problems in the United States can be taken at the national level only in the circumstances and in the manner set out in Article 2, paragraph 1. Moreover, such measures can have only a temporary effect, pending a resolution of the problem by the appropriate enforcement bodies in the United States. These arrangements as a whole reflect our shared twin objectives of avoiding the interruption of transborder data flows and maintaining high data protection standards.
Jurisdiction
During our dialogue, you raised with me the concerns of US industry about the possible effects of the "safe harbor" as regards jurisdiction and applicable law in the European Union. I would like to confirm that it is the Commission's intention that participation in the "safe harbor" does not change the status quo ante for any organisation with respect to jurisdiction, applicable law or liability in the European Union. Moreover, our discussions with respect to the "safe harbor" have not resolved nor prejudged the questions of jurisdiction or applicable law with respect to websites. All existing rules, principles, conventions and treaties relating to international conflicts of law continue to apply and are not prejudiced in any way by the "safe harbor" arrangement.
Use of Contracts - Commission decisions based on Article 26 of the data protection Directive
I should also add that the establishment of the "safe harbor" does not affect the ability of Member States to authorise transfers on the basis of safeguards adduced by the data exporter in accordance with Article 26.2. This means organisations not wishing to qualify for the "safe harbor" could put in place the safeguards necessary for transfers of personal data from the EU to the United States by means of binding written agreements between the transferers and the recipients of data. The Commission may approve model clauses for such agreements under Article 26.4 of the Directive which are binding on the Member States. The Commission and the Member States are of the view that the "safe harbor" principles may be used in such agreements for the substantive provisions on data protection. Such agreements may need to include other provisions on issues such as liability and enforcement, on which decisions have not yet been taken. The Commission has initiated discussions with the Member States in the Article 31 Committee regarding these other provisions, with the aim of adopting a decision under Article 26.4 authorising model agreements which rely on the "safe harbor" principles for the provisions on data processing and other contractual provisions as necessary. Such a decision would mean that transfers covered by contracts in the approved form would be automatically authorised. The Commission is working with the Article 31 Committee to finalise such a decision as soon as possible.
Our dialogue has proved extremely useful in clarifying rules and practices on both sides, identifying much common ground and exchanging information on procedures. The continuation of this dialogue would seem desirable, on a periodic basis and/or when a particular problem makes it necessary. This will allow us to continue to exchange information on relevant developments concerning the implementation of Articles 25 and 26 and developments in the United States. Thank you for the confirmation in your letter that you believe that privacy legislation should not discriminate on the basis of nationality and your assurance that you will work within the legislative process to avoid any such discrimination resulting from legislation proposed in Congress. We shall of course do the same. We also welcome your offer to continue your efforts to keep us informed about legislative and other developments in the United States in the privacy field of which you may be aware. We shall of course do the same as regards EU legislation and developments in the privacy field. We have accepted the language in the introduction to the principles on explicit authorisations in US law permitting exceptions to be made to the principles in the expectation that these will in practice most frequently reflect a public interest concern and not fall outside the scope of exceptions allowed by the Directive. We would wish the matter to be taken up through the review arrangement in the event that this expectation proved to be incorrect or in the event that discriminatory privacy legislation were adopted in the United States.
As you know, the Commission and the Member States are committed to implementing and enforcing these provisions and any decisions based on them in an even-handed and non-discriminatory manner as between US organisations and those located in other third countries and in the EU, and agree that we should monitor whether they have been implemented and enforced in this manner in our continuing dialogue (I enclose an extract from the minutes of the Article 31 Committee on this point, together with a text adopted by the working party established under Article 29 of the Directive). It is also important to recall that the "safe harbor" reflects a number of features which may be unique to the US constitutional model and legal system and which were taken into account in the US context, but which are not necessarily present outside this context. We continue to prefer legally binding data protection rules, for which the Directive and the OECD guidelines must remain our principal benchmarks, and any proposal to regard the "safe harbor" as providing adequate protection outside the US context would have to be examined by the Commission in the light of all the relevant circumstances.
The European Commission and the Member States have committed themselves to conducting an evaluation of the implementation of the decision in 2003 as indicated in Article 3 of the decision, and we hope that the US Government will participate in this review. In any event, the European Commission will inform the US Government before taking any action to modify the decision.
This letter is for your information only and of itself creates no legally binding effects.