On 27 November 2013, the European Commission (the "Commission") presented a package of initiatives intended to restore confidence in data flows between the European Union and the United States, following the revelations about U.S. intelligence programmes collecting personal data. The package presented by the Commission identified six key areas.

The major contribution of this package is a review of the current EU-U.S. Safe Harbour scheme, which was agreed in 2000 and allows for the transfer of personal data from the EU to companies in the U.S. that have self-certified with the U.S. Department of Commerce that they comply with certain privacy principles. The Safe Harbour scheme has proved to be a successful means of transferring personal data from the EU to the U.S., with over 3,200 companies having self-certified.

However, there is a growing concern among EU data protection authorities as to the effectiveness of this regime, in particular in the light of the role played by the U.S. authorities.

Therefore, the Commission calls for a modernisation of the Safe Harbour scheme. The Commission proposed 13 recommendations to strengthen the EU-U.S. Safe Harbour scheme. These recommendations include (i) increased transparency (in particular ensuring that privacy policies of self-certified companies are properly disclosed and available and that these privacy policies always include a link to the U.S. Department of Commerce's website); (ii) making redress affordable and readily available for data subjects (in particular through alternative dispute resolution mechanisms); (iii) more active enforcement by U.S. authorities (in particular through ex officio investigations); and (iv) access to the data by U.S. authorities. On this last topic, the recommendations specify that disclosure to the U.S. authorities, under U.S. laws, for reasons of national security should only occur when such disclosure is strictly necessary or proportionate. The recommendations also encourage self-certified companies to indicate in their privacy policies under which circumstances they will apply exceptions to the Safe Harbour scheme to meet national security, public interest or law enforcement requirements. The Commission will review the Safe Harbour scheme based on the implementation of its 13 recommendations.

In addition to the modernisation of the Safe Harbour scheme, the Commission calls for action in the following areas:

  • A swift adoption of the EU data protection reform that the Commission proposed in January 2012 (see VBB on Belgian Business Law, Volume 2012, No 2, p. 3, available at www.vbb.com), as this proposal provides (i) that the fundamental right to data protection will be respected independently of the geographical location of a company or of its processing facility; and (ii) that international transfers of data will only be allowed when specific conditions are satisfied. In a speech to the EU Parliament's Civil Liberties Committee on 9 December 2013, EU Commissioner Reding urged the committee to pressure the EU Council to accelerate its work so that negotiations can start and an agreement on the data protection reform can be concluded shortly.
  • The completion of the negotiations on the framework agreement on data protection in the fields of police and judicial cooperation (the "Umbrella Agreement"), which aims at ensuring a high level of data protection for citizens whose data are transferred across the Atlantic in the context of cooperation in the fight against crime and terrorism. Although the Umbrella Agreement will not provide the legal basis for any specific transfers of personal data but only a general framework, it should cover the following issues: (i) a right to judicial redress for EU citizens that are not resident in the U.S.; (ii) explanations of the purpose of the data transfer and processing; (iii) explanations on the conditions and duration of the retention of the data; and (iv) a limitation regarding the derogation based on national security. The EU and the U.S. have announced that the negotiations on the Umbrella Agreement will be completed by the summer of 2014.
  • The U.S. should commit to making effective use of existing mutual legal assistance and sectoral agreements concluded between the U.S. and the EU (such as the Passenger Name Records Agreement and the Terrorist Financing Tracking Programme).
  • The announced U.S. reform of surveillance programmes should extend to EU citizens and provide increased transparency and better oversight.
  • The U.S. should address the international promotion of privacy standards. In particular, the Commission would like the U.S. to accede to the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the so-called "Convention 108").

The Commission made clear that the package on transatlantic data flows does not form part of the current negotiations for a Transatlantic Trade and Investment Partnership.
