Draft Commission Decision on the adequacy of the protection provided by the Safe Harbor Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce


THE EUROPEAN COMMISSION,

Having regard to Article 25, paragraph 6 of Directive 95/46/EC (hereinafter: "the Directive"),

Having regard to the Opinion of the Committee established by Article 31 of the Directive, adopted on 31 May 2000;

Taking into account that :

(1) Article 25, paragraph 1 of the Directive requires Member States to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer;

(2) Article 25, paragraph 6 of the Directive allows the Commission, assisted by the Committee established by Article 31, to find that a third country ensures an adequate level of protection. This finding allows personal data to be transferred from the Member States without additional guarantees being necessary. It is desirable, when that is justified, to make such positive findings in order to provide legal certainty and to simplify procedures for controllers intending to transfer data to third countries. For the same reason, these findings should if possible cover all the activities falling within the scope of the Directive. This includes telecommunications, for which the Directive is particularised and complemented by Directive 97/66/EC(1);

(3) Article 25, paragraph 2 of the Directive requires that the level of data protection be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and that particular consideration be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country; the Working Party established under Article 29 of the Directive has issued guidance on the making of such assessments(2);

(4) Given the different approaches to data protection in third countries, the adequacy assessment has to be carried out and any decision based on Article 25 paragraph 6 has to be enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail nor constitute a disguised barrier to trade taking into account the Community's present international commitments;

(5) On .. .. …. the Government of the United States of America (U.S. Department of Commerce) issued "The Safe Harbor Privacy Principles" for the protection of personal data transferred from a Member State to the United States (hereinafter: "the Principles": Annex 1) and a set of Frequently Asked Questions (hereinafter the FAQs : Annex 2) providing guidance for the implementation of the Principles as well as an enforcement overview (Annex 3) and a memorandum on damages for breaches of privacy and explicit authorisations in US law (Annex 4); letters from the Federal Trade Commission (Annex 5) and the US Department of Transportation (Annex 6) were also received.

(6) Adherence to these Principles and FAQs is entirely voluntary but in order to obtain and retain recognition that they provide an adequate level of protection for the transfer of data from the EU to the United States as provided for by this decision, organisations must comply with the Principles and the FAQs, publicly disclose their privacy policies and be subject to the jurisdiction of the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act which prohibits unfair or deceptive acts or practices in or affecting commerce, or that of another statutory body that will effectively ensure compliance with the Principles implemented in accordance with the FAQs;

(7) The Federal Trade Commission Act empowers the Federal Trade Commission to obtain injunctive relief against unfair or deceptive practices in or affecting commerce, as well as redress for citizens of the United States and of other countries and in carrying out its statutory enforcement responsibilities within the area of its jurisdiction the Federal Trade Commission has indicated its readiness to investigate complaints, irrespective of the nationality or country of residence of the complainant;

(8) The jurisdiction of the Federal Trade Commission under Section 5 for unfair or deceptive acts or practices is excluded with respect to: banks, saving and loans and credit unions; telecommunications and interstate transportation common carriers, air carriers and packers and stockyard operators. Although the insurance industry is not specifically included in the list of exceptions in Section 5, the McCarran-Ferguson Act(3) generally leaves the regulation of the business of insurance to the individual states. However, the provisions of the FTC Act apply to the insurance industry to the extent that such business is not regulated by State law. Similarly the FTC retains residual authority over unfair or deceptive practices by insurance companies when they are not engaged in the business of insurance.

(9) In respect of air carriers the Principles and the FAQs will be enforced by the U.S. Department of Transportation on the basis of its authority to act against unfair or deceptive practices and unfair methods of competition under Title 49 of the United States Code Section 41712. The U.S. Department of Transportation institutes cases based on its own investigations as well as formal and informal complaints received from individuals, travel agents, airlines, U.S. and foreign government agencies. It has stated that failure by an air carrier to comply with the undertaking to honour the Principles and the FAQs would be likely to cause consumer harm and be a violation of Section 41712 and has indicated its readiness to give high priority to the investigation and the prosecution of cases giving evidence of such activity.

(10) Sectors and/or data processing not subject to the jurisdiction of any of the government bodies in the United States listed in Annex 7 fall outside the scope of this decision;

(11) To ensure the proper application of this decision, it is necessary that organisations adhering to the Principles and the FAQs can be recognised by interested parties, such as data subjects, data exporters and data protection authorities and to this end the U.S. Department of Commerce or its designee has undertaken to maintain and make available to the public a list of organisations self-certifying their adherence to the Principles implemented in accordance with the FAQs and falling within the jurisdiction of at least one of the government bodies listed in Annex 7;

(12) The present decision concerns only the adequacy of protection provided in the United States under the Principles implemented in accordance with the FAQs with a view to meeting the requirements of Article 25, paragraph 1 of the Directive and does not affect the application of other provisions of the Directive that pertain to the processing of personal data within the Member States, including Article 4 thereof.

(13) In the interests of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify in the decision the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.

(14) The "safe harbor" created by the Principles and the FAQs, underpinned by well-established government and private sector mechanisms in the United States, represents an innovative approach which may need to be reviewed in the light of experience, of developments concerning the protection of privacy in circumstances in which technology is constantly making easier the transfer and processing of personal data and of reports on implementation by enforcement authorities involved;

(15) The Working Party established under Article 29 of the Directive has delivered Opinions on the level of protection provided by the "safe harbor" arrangements in the United States which have been taken into account in the preparation of the current decision(4).

HAS ADOPTED THE FOLLOWING DECISION
 


Article 1

1. For the purposes of Article 25, paragraph 2 of Directive 95/46/EC, for all the activities falling within the scope of the Directive, the "Safe Harbor Privacy Principles", hereinafter "the Principles" implemented in accordance with the guidance provided by the Frequently Asked Questions (FAQs) issued by the U.S. Department of Commerce on …… and annexed to this decision are considered to ensure an adequate level of protection for personal data transferred from the European Union to organisations established in the United States, if and insofar as the following conditions are met, in relation to the data to be transferred :

(a) the organisation receiving the data has unambiguously and publicly disclosed its commitment to comply with the Principles implemented in accordance with the FAQs, and

(b) the organisation is subject to the statutory powers of a government body in the United States listed in Annex 7 which is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality, in case of non-compliance with the Principles implemented in accordance with the FAQs.
 
 
 

2. The conditions mentioned in paragraph 1 are considered to be met for each organisation that self-certifies its adherence to the Principles implemented in accordance with the FAQs from the date on which the organisation notifies to the U.S. Department of Commerce (or its designee) the public disclosure of the commitment referred to under paragraph 1 letter a) and the identity of the government body referred to under paragraph 1 letter b).
 


Article 2


1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of the Directive, the competent authorities in Member States may exercise their existing powers to suspend data flows to an organisation that has self-certified its adherence to the Principles implemented in accordance with the FAQs in order to protect individuals with regard to the processing of their personal data in cases where:

a) the government body in the United States referred to under Article 1, paragraph 1 letter b) or an independent recourse mechanism within the meaning of letter a) of the Enforcement Principle has determined that the organisation is violating the Principles implemented in accordance with the FAQs, or

b) there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.

The suspension shall cease as soon as compliance with the Principles implemented in accordance with the FAQs is assured and the competent authorities concerned in the EU are notified thereof.

2. Member States shall inform the Commission without delay when measures are adopted on the basis of paragraph 1.

3. The Member States and the Commission shall also inform each other of cases where the action of bodies responsible for ensuring compliance with the Principles implemented in accordance with the FAQs in the United States fails to secure such compliance.

4. If the information collected under the previous paragraphs of the present Article provides evidence that any body responsible for ensuring compliance with the Principles implemented in accordance with the FAQs in the United States is not effectively fulfilling its role, the Commission shall inform the U.S. Department of Commerce and, if necessary, present draft measures in accordance with the procedure established by Article 31 of the Directive with a view to reversing or suspending the present decision or limiting its scope.
 
 





Article 3


1. The present decision may be adapted at any time in the light of experience with its implementation and/or if the level of protection provided by the Principles and the FAQs is overtaken by the requirements of U.S. legislation. The Commission shall in any case evaluate the implementation of the present decision on the basis of available information three years after its notification to the Member States and report any pertinent findings to the Committee established under Article 31 of the Directive, including any evidence that could affect the evaluation that the arrangements set out in Article 1 of this decision provide adequate protection within the meaning of Article 25 of the Directive and any evidence that the decision is being implemented in a discriminatory way.

2. The Commission shall, if necessary, present draft measures in accordance with the procedure established by Article 31 of the Directive.
 


Article 4


Member States shall take all the measures necessary to comply with this decision at the latest at the end of a period of ninety days from the date of its notification to the Member States.
 


Article 5


This decision is addressed to the Member States.
 
 
 

Annex 7
 

With reference to Article 1 (b), the government bodies in the United States empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality, in case of non-compliance with the Principles implemented in accordance with the FAQs are:
 

1. The Federal Trade Commission on the basis of its authority under Section 5 of the Federal Trade Commission Act
 

2. The U.S. Department of Transportation on the basis of its authority under Title 49 United States Code Section 41712
 
 

1 OJ L24 of 30 January 1998, p.1

2 WP12: Transfers of personal data to third countries : Applying Articles 25 and 26 of the EU data protection directive, adopted by the Working Party on 24 July 1998

3 15 U.S.C. § 1011 et seq.

4 WP 15: Opinion 1/99 concerning the level of data protection in the United States and the ongoing discussions between the European Commission and the United States.

WP 19: Opinion 2/99 on the Adequacy of the "International Safe Harbor Principles" issued by the US Department of Commerce on 19th April 1999

WP 21: Opinion 4/99 on the Frequently Asked Questions to be issued by the US Department of Commerce in relation to the proposed "Safe Harbor Principles" on the Adequacy of the "International Safe Harbor Principles"

WP 23: Working document on the current state of play of the ongoing discussions between the European Commission and the United States Government concerning the "International Safe Harbor Principles"

WP 27: Opinion 7/99 on the Level of Data Protection provided by the "Safe Harbor" Principles as published together with the Frequently Asked Questions (FAQs) and other related documents on 15 and 16 November 1999 by the US Department of Commerce

WP 31: Opinion 3/2000 on the EU/US dialogue concerning the "Safe Harbor" arrangement

WP 32: Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles"