International Safe Harbor Privacy Principles

Last updated

The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. They were overturned on October 6, 2015, by the European Court of Justice (ECJ), which enabled some US companies to comply with privacy laws protecting European Union and Swiss citizens. [1] US companies storing customer data could self-certify that they adhered to 7 principles, to comply with the EU Data Protection Directive and with Swiss requirements. The US Department of Commerce developed privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland. [2]

Contents

Within the context of a series of decisions on the adequacy of the protection of personal data transferred to other countries, [3] the European Commission made a decision in 2000 that the United States' principles did comply with the EU Directive [4] – the so-called Safe Harbor decision. [5] However, after a customer complained that his Facebook data were insufficiently protected, the ECJ declared in October 2015 that the Safe Harbor decision was invalid, leading to further talks being held by the commission with the US authorities towards "a renewed and sound framework for transatlantic data flows". [6]

The European Commission and the United States agreed to establish a new framework for transatlantic data flows on 2 February 2016, known as the "EU–US Privacy Shield", [7] which was closely followed by the Swiss-US Privacy Shield Framework.

Background history

In 1980, the OECD issued recommendations for protection of personal data in the form of eight principles. These were non-binding and in 1995, the European Union (EU) enacted a more binding form of governance, i.e. legislation, to protect personal data privacy in the form of the Data Protection Directive. [8]

According to the Data Protection Directive, companies operating in the European Union are not permitted to send personal data to "third countries" outside the European Economic Area, unless they guarantee adequate levels of protection, "the data subject himself agrees to the transfer" or "if Binding Corporate Rules or Standard Contractual Clauses have been authorised." [8] [9] The latter means that privacy protection can be at an organizational level, where a multinational organization produces and documents its internal controls on personal data or they can be at the level of a country if its laws are considered to offer protection equal to the EU.

The Safe Harbor Privacy Principles were developed between 1998 and 2000. Key player was the Art. 29 Working Party, at that time chaired by the Italian Data Protection Authority www.garanteprivacy.it. President Prof. Stefano Rodotà, one of the fathers of the privacy framework in Europe, helped by the Italian Data Protection Authority Secretary General Mr. Giovanni Buttarelli, lately appointed as European Data Protection Supervisor (EDPS). Safe Harbor Principles were designed to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. US companies could opt into a program and be certified if they adhered to seven principles and 15 frequently asked questions and answers per the Directive. [10] In July 2000, the European Commission (EC) decided that US companies complying with the principles and registering their certification that they met the EU requirements, the so-called "safe harbor scheme", were allowed to transfer data from the EU to the US. This is referred to as the Safe Harbor decision. [11]

On 6 October 2015, the European Court of Justice invalidated the EC's Safe Harbor Decision, because "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life" [emphasis in original]. [1] :2–3

According to the European Commission, the EU–US Privacy Shield agreed on 2 February 2016 "reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbor framework invalid. The new arrangement will provide stronger obligations on companies in the US to protect the personal data of Europeans and stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission, including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the US that possibilities under US law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson". [12]

Principles

The seven principles from 2000 are: [11]

Scope, certification and enforcement

Only US organizations regulated by the Federal Trade Commission or the Department of Transportation may participate in this voluntary program. This excludes many financial institutions (such as banks, investment houses, credit unions, and savings & loans institutions), telecommunication common carriers (including internet service providers), labor associations, non-profit organizations, agricultural co-operatives, and meat processors, journalists and most insurances, [13] although it may include investment banks. [14]

After opting in, an organization must have appropriate employee training and an effective dispute mechanism in place, and self re-certify every twelve months in writing that it agrees to adhere to the EU–US Safe Harbor Framework's principles, including notice, choice, access, and enforcement. [15] It can either perform a self-assessment to verify that it complies with the principles, or hire a third-party to perform the assessment. Companies pay an annual $100 fee for registration except for first time registration ($200). [16]

The US government does not regulate Safe Harbor, which is self-regulated through its private sector members and the dispute resolution entities they pick. The Federal Trade Commission "manages" the system under the oversight of the US Department of Commerce. [17] To comply with the commitments, violators can be penalized under the Federal Trade Commission Act by administrative orders and civil penalties of up to $16,000 per day for violations. If an organization fails to comply with the framework it must promptly notify the Department of Commerce, or else it can be prosecuted under the False Statements Act. [15]

In a 2011 case, the Federal Trade Commission obtained a consent decree from a California-based online retailer that had sold exclusively to customers in the United Kingdom. Among its many alleged deceptive practices was representing itself as having self-certified under Safe Harbor when in fact it had not. It was barred from using such deceptive practices in the future. [18]

Criticism and evaluation

EU evaluations

The EU–US Safe Harbor Principles 'self certification scheme' has been criticised in regard to its compliance and enforcement in three external EU evaluations:

Galexia recommended the EU to renegotiate the Safe Harbor arrangement, provide warnings to EU consumers and consider to comprehensively review all list entries. They recommended to the US to investigate the hundreds of organisations making false claims, revising its statements about the number of participants, to abandon the use of the Safe Harbor Certification Mark, to investigate the unauthorised and misleading use of its Departmental logo and automatically suspend an organisation’s membership if they failed to renew their Safe Harbor certification. [21]

Patriot Act's reach

In June 2011, Microsoft UK's managing director Gordon Frazer said that "cloud data, regardless of where it is in the world, is not protected against the Patriot Act." [22]

The Netherlands promptly ruled out US cloud suppliers from Dutch government contracts, and even considered a ban on Microsoft- and Google-provided cloud contracts. A Dutch subsidiary of the US based Computer Sciences Corporation (CSC) runs the electronic health records of the Dutch national health service system and warned, that unless CSC could assure it was not subject to the Patriot Act, it would end the contract. [23]

One year later in 2012, a legal research paper supported the notion that the Patriot Act allowed US law enforcement to bypass European privacy laws. [23]

Citizen complaint about Facebook data safety

In October 2015, the ECJ responded to a referral from the High Court of Ireland in relation to a complaint from Austrian citizen Maximillian Schrems regarding Facebook's processing of his personal data from its Irish subsidiary to servers in the US. Schrems complained that "in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular, the National Security Agency), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities". The ECJ held the Safe Harbor Principles to be invalid, as they did not require all organizations entitled to work with EU privacy-related data to comply with it, thus providing insufficient guarantees. US federal government agencies could use personal data under US law, but were not required to opt in. The court held that companies opting in were "bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with national security, public interest and law enforcement requirements". [1]

In accordance with the EU rules for referral to the ECJ for a preliminary ruling, the Irish Data Protection Commissioner since then has had to "examine Mr. Schrems's case 'with all due diligence' and ... decide whether ... the transfer of Facebook's European subscribers' personal data to the United States should be suspended". [1] EU regulators said that if the ECJ and United States did not negotiate a new system within three months, businesses might face action from European privacy regulators. On October 29, 2015, a new "Safe Harbor 2.0" agreement appeared close to being finalized. [24] However, Commissioner Jourova expected the US to act next. [25] American NGOs were quick to expand on the significance of the decision. [26]

Response to EU–US Privacy Shield Agreement

German MEP Jan Philipp Albrecht and campaigner Max Schrems have criticized the new ruling, with the latter predicting that the Commission might be taking a "round-trip to Luxembourg" (where the European Court of Justice is located). [27] EU Commissioner for Consumers, Vera Jourova, expressed confidence that a deal would be reached by the end of February. [28] Many Europeans were demanding a mechanism for individual European citizens to lodge complaints over the use of their data, as well as a transparency scheme to assure that European citizens data did not fall into the hands of US intelligence agencies. [29] The Article 29 Working Party has taken up this demand, and stated it would hold back another month until March 2016 to decide on consequences of Commissioner Jourova's new proposal. [30] The European Commission's Director for Fundamental Rights Paul Nemitz stated at a conference in Brussels in January how the commission would decide on the "adequacy" of data protection. [31] The Economist newspaper predicts that "once the Commission has issued a beefed-up 'adequacy decision', it will be harder for the ECJ to strike it down." [32] Privacy activist Joe McNamee summed up the situation by noting the commission has announced agreements prematurely, thus forfeiting its negotiating right. [33] At the same time, the first court challenges in Germany have commenced: the Hamburg data protection authority was during February 2016 preparing to fine three companies for relying on Safe Harbor as the legal basis for their transatlantic data transfers and two other companies were under investigation. [34] From the other side a reaction looked imminent. [35]

On 25 March 2021 the European Commission and US Secretary of Commerce reported that "intensified negotiations" were taking place. [36] Discussions continued at the EU–US Summit in Brussels in June 2021. [37]

See also

Further reading

Related Research Articles

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

<span class="mw-page-title-main">Data Protection Directive</span> EU directive on the processing of personal data

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

A safe harbor or harbour is literally a "place of shelter and safety, esp. for ships". It is used in many contexts:

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

TrustArc Inc. is a privacy compliance technology company based in Walnut Creek, California. The company provides software and services to help corporations update their privacy management processes so they comply with government laws and best practices. Their privacy seal or certification of compliance can be used as a marketing tool.  

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing.

Binding Corporate Rules (BCRs) were developed by the European Union Article 29 Working Party to allow multinational corporations, international organizations, and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law. BCRs are a framework for having different elements that allow compliance with EU data protection regulations and privacy protection. The BCRs were developed as an alternative to the "standard contractual clauses" (SCCs) and the now defunct U.S. Department of Commerce EU Safe Harbor.

The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act, that together with the data protection acts of the German federated states and other area-specific regulations, governs the exposure of personal data, which are manually processed or stored in IT systems.

A safe harbor is a provision of a statute or a regulation that specifies that certain conduct will be deemed not to violate a given rule. It is usually found in connection with a more-vague, overall standard. By contrast, "unsafe harbors" describe conduct that will be deemed to violate the rule.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

The right to be forgotten (RTBF) is the right to have private information about a person be removed from Internet searches and other directories in some circumstances. The issue has arisen from desires of individuals to "determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past". The right entitles a person to have data about them deleted so that it can no longer be discovered by third parties, particularly through search engines.

<span class="mw-page-title-main">Max Schrems</span> Austrian author and privacy activist

Maximilian Schrems is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program. Schrems is the founder of NOYB – European Center for Digital Rights.

The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU–US Privacy Shield went into effect on 12 July 2016 following its approval by the European Commission. It was put in place to replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015. The ECJ declared the EU–US Privacy Shield invalid on 16 July 2020, in the case known as Schrems II. In 2022, leaders of the US and EU announced that a new data transfer framework called the Trans-Atlantic Data Privacy Framework had been agreed to in principle, replacing Privacy Shield. However, it is uncertain what changes will be necessary or adequate for this to succeed without facing additional legal challenges.

<span class="mw-page-title-main">NOYB</span> European data protection advocacy group

NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members. Currently, NOYB is financed by more than 4,400 supporting members.

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in data protection laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often implemented as a Subject Access Request (SAR) or Data Subject Access Request (DSAR).

The EU–US Data Privacy Framework is a European Union–United States data transfer framework that was agreed to in 2022 and declared adequate by the European Commission in 2023. Previous such regimes—the EU–US Privacy Shield (2016–2020) and the International Safe Harbor Privacy Principles (2000–2015)—were declared invalid by the European Court of Justice in part due to concerns that personal data leaving EU borders is subject to sweeping US government surveillance. The EU-US Data Privacy Framework is intended to address these concerns.

References

  1. 1 2 3 4 "Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner: The Court of Justice declares that the Commission's US Safe Harbour Decision is invalid" (Press release). Court of Justice of the European Union. October 6, 2015. p. 3. Retrieved October 7, 2015.
  2. Welcome to the U.S.-Swiss Safe Harbor accessed 1 November 2015
  3. Commission decisions on the adequacy of the protection of personal data in third countries accessed 1 November 2015
  4. 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441), accessed 1 November 2015
  5. statement of the Data Protection Working Party on the EU US Privacy Shield, additional text.
  6. Vera Jourova, "Commissioner Jourová's remarks on Safe Harbour EU Court of Justice judgement before the Committee on Civil Liberties, Justice and Home Affairs (LIBE)", 26 October 2015
  7. The new transatlantic data “Privacy Shield”, accessed 25 February 2016
  8. 1 2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  9. European Commission (15 June 2001)Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC15 June 2001, Official Journal L 181 of 04.07.2001.
  10. "U.S.–EU Safe Harbor Framework Documents". US government. Archived from the original on April 5, 2015.
  11. 1 2 European Court of Justice 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) 25 August 2000, retrieved 30 October 2015
  12. EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield, issued 2 February 2016
  13. U.S. Department of Commerce Welcome to the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks 9 October 2015, retrieved 30 October 2015
  14. U.S. Department of Commerce FAQ – Investment banking and audits 29 January 2009, retrieved 30 October 2015
  15. 1 2 U.S. Department of Commerce U.S.–EU Safe Harbor Overview, 18 December 2013, retrieved 30 October 2015
  16. U.S. Department of Commerce Safe Harbor Fees 9 April 2015, retrieved 30 October 2015
  17. Zach Whittaker Safe Harbor: Why EU data needs 'protecting' from US law Failure Zdnet, 25 April 2011
  18. Staff writer (June 9, 2011). "FTC Settlement Bans Online U.S. Electronics Retailer from Deceiving Consumers with Foreign Website Names" (Press release). Washington. Federal Trade Commission. Retrieved March 5, 2015.
  19. European Commission (2002) The application of Commission Decision on the adequate protection of personal data provided by the Safe Harbour Privacy Principles 11 pages, retrieved 30 October 2015
  20. European Commission (2004) The implementation of Commission Decision on the adequate protection of personal data provided by the Safe Harbour Privacy Principles 11 pages, retrieved 30 October 2015
  21. Chris Connolly (Galexia) US Safe Harbor - Fact or Fiction? Privacy Laws and Business International, issue 96, December 2008, published on Galexia.com, retrieved 30 October 2015
  22. Zack Whittaker, Microsoft admits Patriot Act can access EU-based cloud data Zdnet.com, June 28, 2011, retrieved 30 October 2015
  23. 1 2 Zack Whittaker, Patriot Act can "obtain" data in Europe, researchers say CBS News December 4, 2012
  24. Georgina Prodhan (October 29, 2015). "U.S. sees new EU data-sharing pact within reach". Reuters. Retrieved October 30, 2015.
  25. Peter Sayer (November 6, 2015). "E.U. tells U.S. it must make next move on new Safe Harbor deal, Nov. 6, 2015". Computerworld. Retrieved November 9, 2015.
  26. NGOs (October 13, 2015). "Digital Privacy, in the U.S. and Europe". New York Times. Retrieved November 13, 2015.
  27. Schrems, Max (February 2, 2016). "EU US Privacy Shield (Safe Harbor 1.1)" (PDF). Retrieved February 3, 2016. European Commission may be issuing a round-trip to Luxembourg
  28. "Jourová: The new EU-US bridge [Interview]". New Europe. Retrieved February 3, 2016.
  29. Lomas, Natasha (February 3, 2016). "EU-US Data Transfers Won't Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29". TechCrunch. Retrieved February 3, 2016.
  30. "Statement on the consequences of the Schrems judgement" (PDF). February 2, 2016. Retrieved February 6, 2016.
  31. Bracy, Jedidiah (January 28, 2015). "New data transfer deal could come by Monday". The Privacy Advisor. Retrieved February 3, 2016.
  32. "Charlemagne: "Swords and shields". America and the European Union have reached a deal on data protection". The Economist. February 6, 2016. Retrieved February 8, 2016.
  33. "What's behind the shield? Unspinning the "privacy shield" spin". European Digital Rights initiative (EDRi). February 2, 2016. Retrieved February 10, 2016.
  34. Meyer, David. "Here Comes the Post-Safe Harbor EU Privacy Crackdown, Feb.25, 2016". Fortune magazine. Retrieved February 26, 2016.
  35. Martin, Alexander J. (June 13, 2016). "US plans intervention in EU vs Facebook case caused by NSA snooping". The Register. Retrieved June 16, 2016.
  36. European Commission, Intensifying Negotiations on transatlantic Data Privacy Flows: A Joint Press Statement by European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Gina Raimondo, published 25 March 2021, accessed 23 July 2021
  37. Department of Commerce, U.S. Secretary of Commerce Gina M. Raimondo Joins President Biden at U.S.-EU Summit and Advances Tech and Trade Issues with European Union and Private Sector Leaders, published 23 June 2021, accessed 28 July 2021