The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. They enabled some US companies to comply with privacy laws protecting European Union and Swiss citizens, until they were overturned on October 6, 2015, by the European Court of Justice (ECJ).[1] US companies storing customer data could self-certify that they adhered to 7 principles, to comply with the EU Data Protection Directive and with Swiss requirements. The US Department of Commerce developed privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland.[2]
Within the context of a series of decisions on the adequacy of the protection of personal data transferred to other countries,[3] the European Commission decided in 2000 that the United States' principles did comply with the EU Directive[4] – the so-called Safe Harbor decision.[5] However, after a Facebook user complained that his data were insufficiently protected, the ECJ declared in October 2015 that the Safe Harbor decision was invalid, leading to further talks between the Commission and the US authorities towards "a renewed and sound framework for transatlantic data flows".[6]
The European Commission and the United States agreed to establish a new framework for transatlantic data flows on 2 February 2016, known as the "EU–US Privacy Shield",[7] which was closely followed by the Swiss-US Privacy Shield Framework.
In 1980, the OECD issued recommendations for the protection of personal data in the form of eight principles. These were non-binding, and in 1995 the European Union (EU) enacted a more binding form of governance, i.e. legislation, to protect personal data privacy in the form of the Data Protection Directive.[8]
According to the Data Protection Directive, companies operating in the European Union are not permitted to send personal data to "third countries" outside the European Economic Area unless they guarantee adequate levels of protection, "the data subject himself agrees to the transfer" or "if Binding Corporate Rules or Standard Contractual Clauses have been authorised."[8][9] Adequate protection can therefore be established at an organizational level, where a multinational organization produces and documents its internal controls on personal data, or at the level of a country, if its laws are considered to offer protection equivalent to that of the EU.
The Safe Harbor Privacy Principles were developed between 1998 and 2000. A key player was the Article 29 Working Party, at that time chaired by the Italian Data Protection Authority (www.garanteprivacy.it) under its President, Prof. Stefano Rodotà, one of the fathers of the privacy framework in Europe, helped by the Authority's Secretary General, Giovanni Buttarelli, who was later appointed European Data Protection Supervisor (EDPS). The Safe Harbor Principles were designed to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. US companies could opt into a program and be certified if they adhered to seven principles and 15 frequently asked questions and answers per the Directive.[10] In July 2000, the European Commission (EC) decided that US companies complying with the principles and registering their certification that they met the EU requirements, the so-called "safe harbor scheme", were allowed to transfer data from the EU to the US. This is referred to as the Safe Harbor decision.[11]
On 6 October 2015, the European Court of Justice invalidated the EC's Safe Harbor decision, because "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life" [emphasis in original].[1]: 2–3
According to the European Commission, the EU–US Privacy Shield agreed on 2 February 2016 "reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbor framework invalid. The new arrangement will provide stronger obligations on companies in the US to protect the personal data of Europeans and stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission, including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the US that possibilities under US law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson".[12]
The seven principles from 2000 are:[11]
Only US organizations regulated by the Federal Trade Commission or the Department of Transportation may participate in this voluntary program. This excludes many financial institutions (such as banks, investment houses, credit unions, and savings & loan institutions), telecommunication common carriers (including internet service providers), labor associations, non-profit organizations, agricultural co-operatives, meat processors, journalists and most insurers,[13] although it may include investment banks.[14]
After opting in, an organization must have appropriate employee training and an effective dispute mechanism in place, and must re-certify in writing every twelve months that it agrees to adhere to the EU–US Safe Harbor Framework's principles, including notice, choice, access, and enforcement.[15] It can either perform a self-assessment to verify that it complies with the principles, or hire a third party to perform the assessment. Companies pay an annual registration fee of $100, except for first-time registration ($200).[16]
The US government does not directly regulate Safe Harbor, which is self-regulated through its private sector members and the dispute resolution entities they pick. The Federal Trade Commission "manages" the system under the oversight of the US Department of Commerce.[17] To enforce the commitments, violators can be penalized under the Federal Trade Commission Act by administrative orders and civil penalties of up to $16,000 per day per violation. If an organization fails to comply with the framework, it must promptly notify the Department of Commerce, or else it can be prosecuted under the False Statements Act.[15]
In a 2011 case, the Federal Trade Commission obtained a consent decree from a California-based online retailer that had sold exclusively to customers in the United Kingdom. Among its many alleged deceptive practices was representing itself as having self-certified under Safe Harbor when in fact it had not. It was barred from using such deceptive practices in the future.[18]
The EU–US Safe Harbor Principles 'self certification scheme' has been criticised in regard to its compliance and enforcement in three external EU evaluations:
In June 2011, Microsoft UK's managing director Gordon Frazer said that "cloud data, regardless of where it is in the world, is not protected against the Patriot Act."[22]
The Netherlands promptly ruled out US cloud suppliers from Dutch government contracts, and even considered a ban on Microsoft- and Google-provided cloud contracts. A Dutch subsidiary of the US-based Computer Sciences Corporation (CSC) runs the electronic health records of the Dutch national health service system, which warned that unless CSC could assure it was not subject to the Patriot Act, it would end the contract.[23]
One year later in 2012, a legal research paper supported the notion that the Patriot Act allowed US law enforcement to bypass European privacy laws.[23]
In October 2015, the ECJ responded to a referral from the High Court of Ireland in relation to a complaint from Austrian citizen Maximillian Schrems regarding Facebook's transfer of his personal data from its Irish subsidiary to servers in the US. Schrems complained that "in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular, the National Security Agency), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities". The ECJ held the Safe Harbor Principles to be invalid, as they did not require all organizations entitled to work with EU privacy-related data to comply with them, thus providing insufficient guarantees. US federal government agencies could use personal data under US law, but were not required to opt in. The court held that companies opting in were "bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with national security, public interest and law enforcement requirements".[1]
In accordance with the EU rules for referral to the ECJ for a preliminary ruling, the Irish Data Protection Commissioner has since had to "examine Mr. Schrems's case 'with all due diligence' and ... decide whether ... the transfer of Facebook's European subscribers' personal data to the United States should be suspended".[1] EU regulators said that if the EU and the United States did not negotiate a new system within three months, businesses might face action from European privacy regulators. On October 29, 2015, a new "Safe Harbor 2.0" agreement appeared close to being finalized.[24] However, Commissioner Jourova expected the US to act next.[25] American NGOs were quick to expand on the significance of the decision.[26]
German MEP Jan Philipp Albrecht and campaigner Max Schrems criticized the new arrangement, with the latter predicting that the Commission might be taking a "round-trip to Luxembourg" (where the European Court of Justice is located).[27] EU Commissioner for Consumers Vera Jourova expressed confidence that a deal would be reached by the end of February.[28] Many Europeans were demanding a mechanism for individual European citizens to lodge complaints over the use of their data, as well as a transparency scheme to assure that European citizens' data did not fall into the hands of US intelligence agencies.[29] The Article 29 Working Party took up this demand, and stated it would wait another month, until March 2016, to decide on the consequences of Commissioner Jourova's new proposal.[30] The European Commission's Director for Fundamental Rights Paul Nemitz stated at a conference in Brussels in January how the Commission would decide on the "adequacy" of data protection.[31] The Economist newspaper predicted that "once the Commission has issued a beefed-up 'adequacy decision', it will be harder for the ECJ to strike it down."[32] Privacy activist Joe McNamee summed up the situation by noting that the Commission had announced agreements prematurely, thus forfeiting its negotiating leverage.[33] At the same time, the first enforcement actions in Germany commenced: during February 2016 the Hamburg data protection authority was preparing to fine three companies for relying on Safe Harbor as the legal basis for their transatlantic data transfers, and two other companies were under investigation.[34] A reaction from the US side looked imminent.[35]
On 25 March 2021, the European Commission and the US Secretary of Commerce reported that "intensified negotiations" were taking place.[36] Discussions continued at the EU–US Summit in Brussels in June 2021.[37]
(Image caption: European Commission may be issuing a round-trip to Luxembourg)