Summary and implications

On 27 November the European Commission published the results of its review of the Safe Harbor scheme. The Safe Harbor scheme is of key importance to transatlantic trade as it is one of the main methods by which personal data may be lawfully transferred from the EU to the US.

The review was announced on 19 July this year following the controversy this summer over US intelligence surveillance. Click here for our alert of
6 August entitled "Is 'Safe Harbor' no longer safe?".

The European Commission has found "a number of weaknesses" with the Safe Harbor scheme. "Given the weaknesses identified", the European Commission states, "the current implementation of Safe Harbor cannot be maintained." The European Commission has published a list of 13 urgent recommendations for the US to consider and implement by summer 2014. The European Commission will then conduct a further review of the Safe Harbor scheme.

What is the Safe Harbor scheme?

The US/EU Safe Harbor scheme was developed in 2000 following the US Department of Commerce's consultation with the European Commission. It enables US companies that self-certify that they comply with certain Safe Harbor principles to be deemed to provide "adequate protection" for personal data transferring from the EU to the US. As such, the Safe Harbor scheme is of key importance for EU/US trade. Over 3,000 companies have now joined the Safe Harbor scheme including Microsoft and Amazon. The Safe Harbor scheme is enforced in the US by the Federal Trade Commission (FTC).

What are the European Commission's recommendations?

The European Commission makes a total of 13 recommendations to improve the Safe Harbor scheme. These are summarised below.


  1. Safe Harbor companies should publicly disclose their privacy policies.
  2. Privacy policies of Safe Harbor websites should always include a link to the US Department of Commerce Safe Harbor website which lists all current members of Safe Harbor.
  3. Safe Harbor companies should publish privacy conditions of any contracts they conclude with subcontractors (e.g. cloud computing services).
  4. The US Department of Commerce should clearly flag on its website all companies which are not current members of Safe Harbor.


  1. The privacy policies on companies' websites should include a link to the alternative dispute resolution (ADR) provider.
  2. ADR should be readily available and affordable.
  3. The US Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of information they provide, the procedure they use and the follow-up they give to complaints.


  1. A certain percentage of Safe Harbor companies should be investigated for compliance purposes.
  2. Where there is a finding of non-compliance, the company should be subject to a follow-up investigation after one year.
  3. If there are any doubts about a company's compliance, the US Department of Commerce should inform the competent data protection authority.
  4. False claims of Safe Harbor compliance should continue to be investigated.

Access by US authorities

  1. The privacy policies of Safe Harbor companies should include information on the extent to which US law allows public authorities to collect and process data transferred under Safe Harbor.
  2. It is important that the national security exception is used only to the extent strictly necessary or proportionate.

Response from the US and next steps

The FTC has given a cautious welcome to the European Commissions's report and recommendations. Federal Trade Commissioner, Julie Brill, has stated that she is "reviewing the report and particularly its recommendations carefully. I think some of the recommendations â€" increasing transparency and making ADR easily accessible and affordable â€" would be helpful. I look forward to continuing the dialogue about these important issues with my European counterparts".

Many of the recommendations are uncontroversial and reflect the FTC's strong approach to enforcement. FTC Chairwoman Edith Ramirez is on record for stating that the FTC "remains committed to vigorous enforcement against those who violate its requirements". However, some of the recommendations are more controversial. The FTC might rightly question why some of the requirements (such as publication of confidential subcontractor contracts) have been called for when they are not required under EU law.

What does this mean for business?

Whilst transatlantic businesses will be relieved that the European Commission has not suspended Safe Harbor, real concerns remain over its long-term viability. For the reasons given above, it is doubtful whether the US will wish to implement all of the European Commission recommendations.

US businesses that are already members of Safe Harbor or that are considering joining Safe Harbor âÆ' may start to consider their options. In particular, will Safe Harbor membership continue to be worthwhile? Some businesses may wish to look again at other options for international personal data transfer (such as the European Commission model contracts) or Binding Corporate Rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.