DATE
DATA PROTECTION: DRAFT OF A LETTER FROM THE COMMISSION SERVICES TO THE US DEPARTMENT OF COMMERCE
Thank you for your letter of ... with
which you enclosed the "international safe harbor privacy principles" and
the frequently asked questions and answers (the principles) issued by the
Department of Commerce on ……, and related material
concerning enforcement by public bodies in the US. I am pleased to
inform you that the Commission, exercising the powers conferred on it by
Article 25.6 of the Data Protection Directive (95/46/EC), has found
that these principles, if complied with by US organisations,
would provide adequate protection for the purposes of Article 25.1 of the
Directive regarding the transfer of personal data to countries outside
the European Union. I enclose a copy of the Commission decision
……../00 for your information. The
Member States are required to comply with decisions of the Commission taken
on the basis of Article 25.6.
The Commission decision
The decision under Article 25.6 provides that data
controllers in the EU can transfer personal data processed in accordance
with Member State law, without providing additional safeguards to ensure their
protection, to US-based organisations declaring
their adherence to the "safe harbor" principles,
provided that they are subject to the statutory powers of a public body
empowered to investigate complaints and to obtain relief against unfair
or deceptive practices(1). The effect of this decision
is also that any requirements for the prior authorisation of transborder
data transfers as provided for under Member State law will be waived, or
that approval will be automatically and promptly granted, as regards such
transfers to organisations qualifying for the safe harbor. The Directive
and Member States' laws implementing it still of course govern the lawfulness
of processing in the EU and this Article 25.6 decision
does not affect that in any way. This means that violations
of Member State laws by data exporters can result in the blocking of data
transfers, notwithstanding the existence of relevant Article 25.6 decisions.
List of Participating US-based Organisations
The Commission welcomes the fact that the Department of Commerce will
provide for the maintenance of a list, to be made publicly available and
kept up to date on a regular basis, of the US-based organisations which
have declared their adherence to the "safe harbor principles" and which
notify this to the Department of Commerce or the organisation the Department
designates for this purpose. We note also
that the Department of Commerce or its designee
will make public any proper and final adverse determinations
pertaining to non-compliance with the principles by a
safe harbor organisation or to other events that might bring to an end
an organisation's participation in the "safe harbor", such as a takeover
or a merger, notified to it by an enforcement body in the US.
This will ensure transparency and clarity
about which US-based organisations enjoy "safe harbor" benefits.
Date of entry into effect
Member States are required to ensure that the decision is effective
90 days after its notification to them. After this, US organisations
self-certifying
their adherence to the "safe harbor" will be assured of "safe harbor"
benefits from the date that they notify the Department of Commerce (or its
designee) and publicly announce that
they have taken the measures necessary to comply with the principles. The
Commission and the Member States recognise that US organisations will need
some time to consider whether to participate in the "safe harbor" and,
if so, to implement privacy policies to put the principles into effect.
During the course of our discussions, Member States have demonstrated their
willingness to use the flexibility offered by Article 26 of the Directive
to avoid interruptions in data flows, so as not to call into question
the good faith efforts being made to secure adequate protection for data
transferred from the EU. The Commission and the Member States have
confirmed their willingness to continue to use this flexibility during
the implementation phase of the "safe harbor", so that US organisations have
time to decide whether to participate in the "safe harbor" and (if
necessary) to update their information processing policies and practices
accordingly. In this connection I would draw your attention to the enclosed
extracts from the minutes of the Article 31 Committee.(2)
The situation will be reviewed in the middle of 2001.
In deciding whether to participate in the "safe harbor", organisations
should consider that the "safe harbor" represents clear advantages over
the Article 26 treatment, in terms
of speedier transfers, much lighter administrative burdens
and greater legal certainty. These advantages will benefit the EU transferers
of data as well as the US recipients. US organisations may of course join
the "safe harbor" at any time, but we consider that the resulting benefits
represent strong arguments for their entering the "safe harbor" as quickly
as possible.
The proposed review of the implementation phase will take into account the particular needs of the financial services sector. The EU side shares the US goal of identifying a predictable framework for data transfers in and bringing the benefits of the "safe harbor" to the financial services sector, given its economic importance and the high volume of personal data flows in this sector. More time is however needed for further examination of recent developments in US laws governing privacy in the financial sector and of their interaction with the "safe harbor," and specifically for completion in the US of the Financial Modernization Act regulations. On our side, we shall seek to maintain the momentum developed in the "safe harbor" discussions and, as indicated above, thanks to the flexibility allowed by the Directive itself we do not anticipate problems with interruptions in data flows while good faith efforts continue to address these issues.
Complaint Procedures
It can be expected that claims will arise from time to
time that an organisation which has entered the "safe harbor" is not in
fact complying with the "safe harbor" principles. As for all cases where
complaints concern recipients falling within the scope of a decision taken
on the basis of Article 25.6 of the Directive, it will be for the appropriate
US bodies to determine whether such claims are founded and if so, to ensure
that the organisation takes the measures necessary to come into compliance
with the principles as quickly as possible, or is removed from the "safe
harbor". Reliance on US enforcement arrangements to ensure a good general
level of compliance with the principles is a fundamental aspect of the
"adequacy" finding. As indicated by Article 2 of the decision, evidence
that any enforcement body in the US responsible for compliance with the
principles is failing to secure compliance may trigger action by the Commission,
in consultation with the Member States through the Article 31 Committee,
and after informing the Department of Commerce, to reverse, suspend or
limit the scope of the decision with respect to such enforcement bodies.
2 Measures to suspend specific data transfers for
reasons connected with compliance problems in the US can be taken at
the national level only in the circumstances and in the manner set out
in Article 2, paragraph 1. Moreover, such measures can have only a temporary
effect, pending a resolution of the problem by the appropriate enforcement
bodies in the US. These arrangements as a whole reflect our shared twin
objectives of avoiding the interruption of transborder data flows and maintaining
high data protection standards.
Jurisdiction
During our dialogue, you raised with me the concerns of US industry about the possible effects of the "safe harbor" as regards jurisdiction and applicable law in the European Union. I would like to confirm that it is the Commission's intention that participation in the "safe harbor" does not change the status quo ante for any organisation with respect to jurisdiction or liability in the European Union. Moreover, our discussions with respect to the "safe harbor" have not resolved nor prejudged the question of whether or when US based websites may be subject to Member State or European Union jurisdiction or applicable law issues. All existing rules, principles, conventions and treaties relating to international conflicts of law continue to apply and are not prejudiced in any way by the "safe harbor" arrangement.
Use of Contracts - Commission decisions based on Article 26 of the data protection Directive
I should also add that the establishment of the "safe harbor" does not affect the ability of Member States to authorise transfers on the basis of safeguards adduced by the data exporter in accordance with Article 26.2. This means organisations not wishing to qualify for the "safe harbor" could put in place the safeguards necessary for transfers of personal data from the EU to the US by means of binding written agreements between the transferers and the recipients of data. The Commission may approve model clauses for such agreements under Article 26.4 of the Directive which are binding on the Member States. The Commission and the Member States are of the view that the "safe harbor" principles may be used in such agreements for the substantive provisions on data protection. Such agreements may need to include other provisions on issues such as liability and enforcement, on which decisions have not yet been taken. The Commission has initiated discussions with the Member States in the Article 31 Committee regarding these other provisions, with the aim of adopting a decision under Article 26.4 authorising model agreements which rely on the "safe harbor" principles for the provisions on data processing and other contractual provisions as necessary. Such a decision would mean that transfers covered by contracts in the approved form would be automatically authorised. The Commission is working with the Article 31 Committee to finalise such a decision as soon as possible.
Our dialogue has proved extremely useful in clarifying rules and practices
on both sides, identifying much common ground and exchanging information
on procedures. The continuation of this dialogue would seem desirable,
on a periodic basis and/or when a particular problem makes it necessary.
This will allow us to continue to exchange information on relevant developments
concerning the implementation of Articles 25 and 26. As you know, the Commission
and the Member States are committed to implementing and enforcing these
provisions and any decisions based on them in an even-handed and non-discriminatory
manner as between US organisations and those located in other third countries
and in the EU and agree that we should monitor whether they have been implemented
and enforced in this manner in our continuing dialogue (I enclose a further
extract from the minutes of the Article 31 Committee on this point,
together with a text adopted by the working party established under Article
29 of the Directive(3)).
[In addition, we may agree that it would be helpful from
time to time to consult other entities, as appropriate. This could mean
representatives of both the Article 31 Committee and the working group
set up under Article 29 of the directive on our side and of various enforcement
bodies or their representatives on the US side.]
The European Commission and the Member States have committed themselves
to conducting an evaluation of the implementation
of the decision in early 2003 as indicated in Article
3 of the decision, and we hope that the US Government will participate
in this review. In any event, the European Commission will consult
the US Government before taking any action to modify the decision.
This letter is for your information only and of itself creates no legally
binding effects.
1 It will be necessary to adapt this wording if, as seems likely, the powers of some of the government bodies to be listed in the decision, which will effectively ensure compliance with the Principles, rest on a basis other than relief against unfair or deceptive practices.
2 The Working party of Data Protection Commissioners
set up under Article 29 of the Directive is also expected to address this
issue when it examines the proposed "safe harbor" arrangements at its meeting
on 2/3 December.
The period during which flexibility will be applied
remains under discussion.
3 The Working party of Data Protection Commissioners
set up under Article 29 of the Directive is also expected to address this
issue when it examines the proposed "safe harbor" arrangements at its meeting
on 2/3 December.