COMMISSION OF THE EUROPEAN COMMUNITIES
COMMISSION DECISION
of
pursuant to Directive 95/46/EC of the European Parliament and of the Council
on the adequacy of the protection provided by the Safe Harbor Privacy Principles and related Frequently Asked Questions issued by
the US Department of Commerce
(Text with EEA relevance)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), and in particular Article 25(6) thereof,
Whereas:
(1) Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer.
(2) The Commission may find that a third country ensures an adequate level of protection. In that case personal data may be transferred from the Member States without additional guarantees being necessary.
(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and in respect of given conditions. The Working Party on Protection of Individuals with regard to the processing of Personal Data established under that Directive(2) has issued guidance on the making of such assessments(3).
(4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out and any decision based on Article 25(6) of Directive 95/46/EC should be enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail nor constitute a disguised barrier to trade taking into account the Community's present international commitments.
(5) The adequate level of protection for the transfer of data from the Community to the United States recognised by this Decision, should be attained if organisations comply with the Safe Harbor Privacy Principles for the protection of personal data transferred from a Member State to the United States (hereinafter "the Principles") and the Frequently Asked Questions (hereinafter "the FAQs") providing guidance for the implementation of the Principles issued by the Government of the United States on 21.07.2000. Furthermore the organisations should publicly disclose their privacy policies and be subject to the jurisdiction of the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act which prohibits unfair or deceptive acts or practices in or affecting commerce, or that of another statutory body that will effectively ensure compliance with the Principles implemented in accordance with the FAQs.
(6) Sectors and/or data processing not subject to the jurisdiction of any of the government bodies in the United States listed in Annex VII to this Decision should fall outside the scope of this Decision.
(7) To ensure the proper application of this Decision, it is necessary that organisations adhering to the Principles and the FAQs can be recognised by interested parties, such as data subjects, data exporters and data protection authorities. To this end the US Department of Commerce or its designee should undertake to maintain and make available to the public a list of organisations self-certifying their adherence to the Principles implemented in accordance with the FAQs and falling within the jurisdiction of at least one of the government bodies listed in Annex VII to this Decision.
(8) In the interests of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify in this Decision the exceptional circumstances in which the suspension of specific data flows should be justified, notwithstanding the finding of adequate protection.
(9) The "safe harbor" created by the Principles and the FAQs, may need to be reviewed in the light of experience, of developments concerning the protection of privacy in circumstances in which technology is constantly making easier the transfer and processing of personal data and in the light of reports on implementation by enforcement authorities involved.
(10) The Working Party on Protection of Individuals with regard to the processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered Opinions on the level of protection provided by the "safe harbor" Principles in the United States which have been taken into account in the preparation of the present Decision(4).
(11) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31 of Directive 95/46/EC,
HAS ADOPTED THIS DECISION:
Article 1
1. For the purposes of Article 25(2) of Directive 95/46/EC, for all the activities falling within the scope of that Directive, the "Safe Harbor Privacy Principles" (hereinafter "the Principles"), as set out in Annex I to this Decision, implemented in accordance with the guidance provided by the Frequently Asked Questions (hereinafter "the FAQs") issued by the US Department of Commerce on 21.07.2000 as set out in Annex II to this Decision are considered to ensure an adequate level of protection for personal data transferred from the Community to organisations established in the United States, having regard to the following documents issued by the US Department of Commerce:
(a) the safe harbor enforcement overview set out in Annex III,
(b) a memorandum on damages for breaches of privacy and explicit authorisations in US law set out in Annex IV,
(c) a letter from the Federal Trade Commission set out in Annex V,
(d) a letter from the US Department of Transportation set out in Annex VI.
2. In relation to each transfer of data the following conditions shall be met:
(a) the organisation receiving the data has unambiguously and publicly disclosed its commitment to comply with the Principles implemented in accordance with the FAQs, and
(b) the organisation is subject to the statutory powers of a government body in the United States listed in Annex VII to this Decision which is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality, in case of non-compliance with the Principles implemented in accordance with the FAQs.
3. The conditions set out in paragraph 2 are considered to be met for each organisation that self-certifies its adherence to the Principles implemented in accordance with the FAQs from the date on which the organisation notifies to the US Department of Commerce (or its designee) the public disclosure of the commitment referred to in paragraph 2(a) and the identity of the government body referred to in paragraph 2(b).
Article 2
This Decision concerns only the adequacy of protection provided in the United States under the Principles implemented in accordance with the FAQs with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect the application of other provisions of that Directive that pertain to the processing of personal data within the Member States, in particular Article 4 thereof.
Article 3
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to an organisation that has self-certified its adherence to the Principles implemented in accordance with the FAQs in order to protect individuals with regard to the processing of their personal data in cases where:
(a) the government body in the United States referred to in Annex VII to this Decision or an independent recourse mechanism within the meaning of letter a) of the Enforcement Principle set out in Annex I to this Decision has determined that the organisation is violating the Principles implemented in accordance with the FAQs; or
(b) there is a substantial likelihood that the Principles are being violated,
there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue,
the continuing transfer would create an imminent risk of grave harm to data subjects, and
the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.
The suspension shall cease as soon as compliance with the Principles implemented in accordance with the FAQs is assured and the competent authorities concerned in the Community are notified thereof.
2. Member States shall inform the Commission without delay when measures are adopted on the basis of paragraph 1.
3. The Member States and the Commission shall also inform each other of cases where the action of bodies responsible for ensuring compliance with the Principles implemented in accordance with the FAQs in the United States fails to secure such compliance.
4. If the information collected under paragraphs 1, 2 and 3 provides evidence that any body responsible for ensuring compliance with the Principles implemented in accordance with the FAQs in the United States is not effectively fulfilling its role, the Commission shall inform the US Department of Commerce and, if necessary, present draft measures in accordance with the procedure referred to in Article 31 of Directive 95/46/EC with a view to reversing or suspending the present Decision or limiting its scope.
Article 4
1. This Decision may be adapted at any time in the light of experience with its implementation and/or if the level of protection provided by the Principles and the FAQs is overtaken by the requirements of US legislation.
The Commission shall in any case evaluate the implementation of the present Decision on the basis of available information three years after its notification to the Member States and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the evaluation that the provisions set out in Article 1 of this Decision provide adequate protection within the meaning of Article 25 of Directive 95/46/EC and any evidence that the present Decision is being implemented in a discriminatory way.
2. The Commission shall, if necessary, present draft measures in accordance with the procedure referred to in Article 31 of Directive 95/46/EC.
Article 5
Member States shall take all the measures necessary to comply with this Decision at the latest at the end of a period of ninety days from the date of its notification to the Member States.
Article 6
This Decision is addressed to the Member States.
Done at Brussels,
For the Commission
Member of the Commission
ANNEX VII
With reference to Article 1(2)(b), the government bodies in the United States empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality, in case of non-compliance with the Principles implemented in accordance with the FAQs are:
1. The Federal Trade Commission, and
2. The US Department of Transportation.
The Federal Trade Commission acts on the basis of its authority under Section 5 of the Federal Trade Commission Act. The jurisdiction of the Federal Trade Commission under Section 5 is excluded with respect to: banks, saving and loans and credit unions; telecommunications and interstate transportation common carriers, air carriers and packers and stockyard operators. Although the insurance industry is not specifically included in the list of exceptions in Section 5, the McCarran-Ferguson Act(5) leaves the regulation of the business of insurance to the individual states. However, the provisions of the FTC Act apply to the insurance industry to the extent that such business is not regulated by State law. The FTC retains residual authority over unfair or deceptive practices by insurance companies when they are not engaged in the business of insurance.
The US Department of Transportation acts on the basis of its authority under Title 49 United States Code Section 41712. The US Department of Transportation institutes cases based on its own investigations as well as formal and informal complaints received from individuals, travel agents, airlines, US and foreign government agencies.
1 OJ L 281, 23.11.1995, p. 31.
2 The web address of the Working Party is: http://www.europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm
3 WP12: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, adopted by the Working Party on 24 July 1998.
4 WP 15: Opinion 1/99 concerning the level of data protection in the United States and the ongoing discussions between the European Commission and the United States.
WP 19: Opinion 2/99 on the Adequacy of the "International Safe Harbor Principles" issued by the US Department of Commerce on 19 April 1999.
WP 21: Opinion 4/99 on the Frequently Asked Questions to be issued by the US Department of Commerce in relation to the proposed "Safe Harbor Principles" on the Adequacy of the "International Safe Harbor Principles".
WP 23: Working document on the current state of play of the ongoing discussions between the European Commission and the United States Government concerning the "International Safe Harbor Principles".
WP 27: Opinion 7/99 on the Level of Data Protection provided by the "Safe Harbor" Principles as published together with the Frequently Asked Questions (FAQs) and other related documents on 15 and 16 November 1999 by the US Department of Commerce.
WP 31: Opinion 3/2000 on the EU/US dialogue concerning the "Safe Harbor" arrangement.
WP 32: Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles".
5 15 USC. § 1011 et seq.