5047/99/EN/final
WP 19
Working Party on the Protection of Individuals
with regard to the Processing of Personal Data
Opinion 2/99 on
the Adequacy of the
"International Safe Harbor Principles"
issued by the US Department of Commerce on 19th April 1999
Adopted on 3 May 1999
OPINION 2/99 ON
THE ADEQUACY OF THE « INTERNATIONAL SAFE HARBOUR PRINCIPLES » ISSUED BY THE US DEPARTMENT OF COMMERCE ON 19TH APRIL 1999
The discussions between the European Commission and the United States government have progressed since the Working Party issued its opinion on the level of data protection in the US in January 1999. Recently, the Commission submitted to the Working Party a revised version of the Department of Commerce Principles with a view to obtaining an opinion on the level of data protection they provide.
The Commission has also indicated to the Working Party that it is envisaging the adoption of a decision based on Article 25(6) of the Directive with regard to these Principles, if they are found to provide an adequate level of protection for the transfer of data from the EU to US companies joining the Safe Harbor scheme.
The present version of the Principles, however, cannot be considered final, as it contains a number of footnotes indicating areas where a satisfactory understanding with the US has not yet been reached. Hence, the Working Party considers this opinion to be provisional and partial. It is provisional insofar as the documents are not yet final and the status of the FAQs (Frequently Asked Questions) issued by the Department of Commerce has not been clearly indicated to the Working Party (their contents are therefore not taken into account in the present opinion). It is partial because the Working Party does not have all the documents necessary for an overall examination of the US situation, namely an overview of the enforcement aspects of the Principles and an analysis of the protection afforded by US sectoral laws.
The Working Party reiterates its view that the patchwork of narrowly focused sectoral laws and self-regulatory rules presently existing in the United States cannot be relied upon to provide adequate protection in all cases for personal data transferred from the European Union. It therefore considers the "Safe Harbour" approach useful and encourages the Commission to pursue its work towards an adequacy finding for a set of principles to be issued by the Department of Commerce, which would provide a benchmark for US companies wishing to ensure that they meet the Directive's adequate protection requirement.
The Working Party considers it useful to examine the practical implications of this arrangement on the work of the National Supervisory authorities.
On the practical implications of the "Safe Harbour" for the work of the National Supervisory authorities
1. The Working Party considers it very important that US based companies adhering to the "Safe Harbour" Principles be unequivocally identified. Hence the Department of Commerce's recommendation that US companies wishing to join the scheme should notify their intention to the Department of Commerce itself is indeed very welcome. But it is the Working Party's view that this notification should be as complete as possible and publicly available, and should in particular indicate the contact person within the company who is able to deal with requests from individuals, and the monitoring body responsible for enforcing the Principles.
2. It is noted that, to qualify for the "Safe Harbour" scheme, US organisations may "…join a private sector developed privacy program…" or may qualify by virtue of US law that effectively protects privacy, to the extent that their activities are regulated by such laws. The Working Party seeks further clarification as to the identity of the privacy programs and their operational criteria. As far as the US sectoral laws are concerned, the Working Party also requests further clarification as to their exact content with regard to the protection of privacy.
3. The Working Party also notes that the Safe Harbour Principles only relate to the lawfulness of the international aspect of transfers of data, flowing from Articles 25 and 26 of the Directive. Data exporters based in Europe (whether or not they are affiliates of a US based company adhering to the Safe Harbor) remain subject to the other provisions of the Directive, e.g. those concerning notification of processing to national supervisory authorities.
4. Moreover, the task of supervisory authorities would be facilitated by a comprehensive description of the powers of the various regulatory authorities. The Working Party has been informed that such a document is being prepared by the US authorities.
5. Considering the role of national supervisory authorities in issuing authorisations for international transfers based on contracts, the Working Party seeks clarification on the meaning of the last phrase of paragraph 4 of the introduction, which reads "Organisations may also put in place the safeguards deemed necessary by the EU for transfers of personal data from the EU to the US by incorporating the relevant safe harbor principles into agreements entered into with parties transferring personal data from the EU".
6. Finally, with regard to the possibility for organisations adhering to the Department of Commerce's Principles to rely on National Supervisory authorities for the implementation of the Principles, the Working Party notes that National Supervisory authorities do not have jurisdiction in third countries and consequently lack any enforcement powers which would allow them to oversee effectively the implementation of the Principles by US organisations.
On the content of the Principles themselves, the Working Party recognises that, in comparison with the 4th November version, progress has been achieved in many areas, although the Principles have been weakened in some aspects. In particular:
- The definition of personal data now refers to an identified or identifiable individual;
- The exceptions to the Principles appear more coherent and in part reflect those envisaged in the Directive. This is in particular the case with regard to the deletion of expressions such as "risk management", "information security" and "proprietary data";
- In "Notice" the individual is to be informed of a change of purpose;
- Sensitive information is now fully defined in Principle 2: "Choice";
- The Onward Transfer Principle now differentiates between transfers amongst organisations adhering to the Principles and transfers to third parties outside the Safe Harbor scheme.
The Working Party considers that the standard set by the OECD Guidelines of 1980 cannot be waived, as it constitutes a minimum requirement for the acceptance of an adequate level of protection in any third country. On the basis of the work previously carried out by the Working Party on the issue of transfers of data to third countries, the Department of Commerce's "Safe Harbor" Principles of 19th April give rise to the following concerns:
1. In the introduction there is a reference to the exceptions provided for in Member States' law. The Working Party does not believe this to be appropriate, as it could open the door to the interpretation of national implementation measures by organisations adhering to a third country's self-regulatory scheme. Furthermore, it is the Working Party's view that limiting the application of the Safe Harbor Principles to the extent necessary to meet US regulatory provisions is too wide an exemption, the limits of which are not foreseeable.
2. With regard to manual data, the Working Party considers that there should be equality of treatment for automated and manually processed data held in filing systems. The Working Party therefore endorses the Commission's reservation expressed in the footnotes. But it also believes that organisations adhering to the Safe Harbor Principles which, if they so wish, apply these Principles to manually processed data should be given the benefits of the "Safe Harbor" for such data collected from Europe.
3. Principles 1 and 2: Notice and Choice:
Considering that the protection offered by the Safe Harbor Principles pivots around "Notice and Choice", it is paramount that these principles offer comprehensive privacy protection both with regard to the use and the disclosure of the data.
With reference to the "Notice" Principle it is noted that in order for it to be coherent with the "Data security" Principle, the individual should be informed that data is collected only to the extent necessary to fulfil the purposes of collection.
Moreover, the phrase "what type of information" should be re-inserted as it is important that the individual is informed of the type of personal information that is being gathered about him/her.
It should also be explicitly indicated that the individual should receive notice of processing by a US organisation when the data was not provided directly by him/her but was gathered through a third party. This is important in relation to the opportunity to exercise "choice".
The Working Party also seeks clarification as to the exact meaning of the expression "or as soon thereafter practicable", as it considers that the individual should be informed at the time of collection and not at the discretion of each controller.
With regard to the Choice Principle: As noted in the Working Party's previous opinion on the Safe Harbor Principles, the purpose specification principle of the OECD guidelines is absent and only partly replaced by a "Choice" Principle which in effect allows data collected for one purpose to be used for another.
In addition, individuals have the possibility of opting out only if the new purpose is considered incompatible with that given in "Notice". In the Working Party's view, the individual should at least have an opt-out choice in all cases where his data is used for an unrelated purpose and for direct marketing. The standard of consent is higher, for example, when data is collected in a contractual relationship and is subject to express or implied terms of contract.
This is particularly important because, as is inevitable in a self-regulatory system, there is no independent determination of what is an incompatible purpose or of the criteria for establishing that a purpose is incompatible with that given in "Notice".
It is also the Working Party's view that whenever consent is required it should be informed, freely given and unambiguous and that the lack of response from the individual cannot be construed to mean consent.
Finally with regard to the last sentence of the "Choice" Principle, the Working Party seeks clarification as to the exact meaning of the word "or" in the expression "affirmative or explicit (opt in) choice" in the sense of "affirmative, that is, explicit choice".
4. Principle 3: Onward transfer - Although not present in the OECD Guidelines, this principle is necessary to ensure that data is not transferred by a US company that abides by the Safe Harbor Principles to another controller, in the US or indeed elsewhere, not offering adequate protection. But as presently drafted, it is not clear what the applicable rule is. We understand that the individual should be able to opt out of a transfer to a third party. To this end, he needs at least to be informed that the data will be transferred and whether or not the third party adheres to the Safe Harbor Principles, or how adequate protection is otherwise provided. The Working Party therefore supports the Commission's request, expressed in footnote 5, that explicit notice and choice be provided when personal data is transferred to a third party that does not adhere to the Safe Harbor Principles.
5. Principle 6: Access - It is noted that there is no agreement on the text of Principle 6. In the view of the Working Party, Principle 6 should clearly state that the general rule is that access is to be given, although some exceptions are possible. These exceptions should be clearly listed in the text of Principle 6. The Directive mentions a number of such exemptions in Article 13. An example could be "trade secrets", although participants indicated that at Member State level this problem could never result in the data subject being refused all information. In its contacts with the Department of Commerce, the Commission should be guided by the OECD Guidelines on this question. The Working Party proposes the following text as a working basis:
"Individuals must have access to information about them that an organisation holds and be able to correct and amend that information where it is inaccurate except where granting access would damage the organisation by the revelation of trade secrets or the non-respect of intellectual property rights or where the burden and cost to the organisation for retrieving the information or other consequences would be clearly disproportionate to the specific risks to the protection of individual's privacy that non-disclosure should entail."
In addition, the principle should clearly state the data subject's right to get data deleted if the processing of the data is unlawful.
For the reasons indicated in the introduction, the Working Party did not examine the text of the Frequently Asked questions on Access.
6. Principle 7: Enforcement - It is not sufficiently clear, from the text of the Principle itself and from that of the "Note", what standard is required of companies. In the Working Party's view, data protection rules only contribute to the protection of individuals to the extent to which they are followed in practice. In an entirely voluntary scheme such as this, compliance with the rules must at least be guaranteed by an independent investigation mechanism for complaints and by sanctions which must, on the one hand, be dissuasive and, on the other hand, give individuals compensation where appropriate. The present text of Principle 7 implies that compensation will be provided only where the "applicable law and private-sector initiatives so provide". Furthermore, the Working Party fully endorses the Commission's request that all conditions listed in Principle 7 be met before a company can be deemed to comply with the Safe Harbor Principles.
In addition, Principle 7 does not establish the rules to be followed for the verification of compliance nor does it indicate which authorities can enforce the Principles. Similarly, it should be indicated what type of sanctions are envisaged, who determines them and according to which procedure.
As indicated in the introduction, with regard to the co-operation between National Supervisory authorities and US based organisations wishing to join in the "Safe Harbor", the Working Party does not consider it feasible to rely on National Supervisory authorities for the implementation of the Principles. However if enforcement is ensured in the US by independent monitoring bodies, then co-operation between such bodies and the National supervisory authorities on a case by case basis, could be envisaged.
Conclusions
On the basis of the above, the Working Party encourages the Commission to pursue its efforts in the dialogue with the Department of Commerce with a view to reinforcing the protection afforded by the "International Safe Harbor Principles".
In particular, the Working Party invites the Commission to take into account the issues raised and keep the Working Party informed of its contacts with the US Department of Commerce.
Done at Brussels, 3 May 1999
For the Working Party
The Chairman
P.J. HUSTINX