Slide 1
The Commission’s View On Safe Harbor
and other Options for International Data Transfers
Workshop - Safe Harbor Framework
Bridging Differences in Approaches to Data Protection
Washington, DC, Dec. 7th, 2005
Rosa Barcelo
European Commission
DG Justice, Liberty and Security
1
Overview
Overview
§ Overview of the Legal Framework on International Data Transfers
§ Issues perceived in the 2003 Commission Report on the Implementation of the Directive
§ 2005: Assessing the Results of the 2003 Proposed Measures
§ The Safe Harbor Scheme
2
Overview of the Legal Framework on International Data Transfers
§ Prohibition of data transfers to non-EU countries (Art. 25)
§ Prohibition does not apply to non-EU countries deemed “adequate”: (e.g. US-Safe Harbor, Canada, Switzerland, Argentina, Guernsey, Isle of Man)
§ Exceptions to the prohibition (Art. 26.1)
§ Data controller may adduce adequate safeguards (Art. 26.2) (ad hoc/model contracts and BCRs)
3
Issues Perceived
in the 2003 Commission Report
§ Content with legal framework (Art. 25 and 26)
§ Concerns regarding the Control and Enforcement by DPAs of IDT:
Overly lax or too tight controls
§ Simplification of the conditions for international transfers desirable & recommended:
More extensive use of findings of adequate protection
Wider choice of standard contractual clauses
Definition and endorsement of binding corporate rules
More uniform interpretation of Article 26(1)
4
2005: Assessing the Results of the 2003 Proposed Measures
Concerns regarding the Control and Enforcement by DPAs of IDT
§ Concerns remain (see 2005 Commission report on the functioning of the standard contractual clauses)
§ A few positive developments:
Ø Enhanced controls in the form of DPA’s new engagements towards auditing specific sectors (United Kingdom, Ireland)
Ø Perceived relaxed controls when standard contractual clauses are used
2005: Assessing the Results of the 2003 Proposed Measures
5
2005: Assessing the Results of the 2003 Proposed Measures
Simplification of the Conditions for International Transfers Desirable: a More Extensive Use of Findings of Adequate Protection
§ A few positive developments:
Ø Argentina, Guernsey, Isle of Man
Ø Australia: under assessment
Ø Informal assessment of various legal frameworks on-going and to be started. But, no real draft adequacy findings in the pipeline
§ More could be done but inherent limits exist
2005: Assessing the Results of the 2003 Proposed Measures
6
2005: Assessing the Results of the 2003 Proposed Measures
Wider choice of standard contractual clauses
§ New set of clauses put forward by industry have been adopted:
Ø Commission Decision C(2004/5271 (from controller to controller)
Ø Existing two Decisions (controller to controller and controller to processor)
§ Other recent Developments:
Ø Commission’s report on the first two sets of Clauses
7
2005: Assessing the Results of the 2003 Proposed Measures
Ø Reveals need to clarify certain concepts such as «onward transfers »
Ø Reveals that in some MS Notification of data transfers are almost « de facto authorisations»
8
2005: Assessing the Results of the 2003 Proposed Measures
Role of Binding Corporate Rules in Providing Safeguards
2005: Assessing the Results of the 2003 Proposed Measures
Role of Binding Corporate Rules in Providing Safeguards
PAST
 | Member States’ legislation did not recognise BCRs as providing « adequate safeguards » (for a variety of legal reasons). |
| DPA: entitled to require changes to the content of the BCR in order to deem that it provides « adequate safeguards » and authorise the transfers. Defeating the purpose of having a single BCR governing the processing for the corporate group. |
PRESENT
üGenerally speaking, MS are moving towards recognising BCRs.
üWP 29 Developments towards a single procedure to adopt pan-EU BCRs: (i) Working Party 29 paper N. 74 (June 2003); (ii) Working Party 29 paper N. 108 (April 2005) and (iii) Working Party 29 paper N.107 (April 2005).
9
2005: Assessing the Results of the 2003 Proposed Measures
More uniform interpretation of Article 26(1)
§ Working Party 29 paper on exceptions:
Ø Provide DAPs and data controllers with harmonised views on the exceptions
Ø Maintains the proper balance between protection of data and protection of international trade
2005: Assessing the Results of the 2003 Proposed Measures
10
Safe Harbor Scheme
Safe Harbor Scheme
11
§ Current views on SH, embodied in Commission’s SH report of October 2004
Background
üReport about implementation, not about the adequacy itself
üWritten because:
–Article 4 of the SH Decision
–Political Commitment of Commissioner Bolkestein to report on Safe Harbour implementation
Safe Harbor Scheme (II)
Safe Harbor Scheme (II)
§ Current views on SH, embodied in Commission’s SH report of October 2004:
Implementation of the Safe Harbor Decision in essence ensures the protection of individuals’ privacy rights, but improvements are necessary. In particular:
Ø Regarding Harborites:
üNeed to improve the understanding of some SH Principles
üModels of privacy policies drafted by WP 29 and DoC
Ø Regarding DoC’s role:
üImprovements of its website & Commitment to comply with EU panel advice
üProper checks whether privacy policies are visible
12
Safe Harbor Scheme (III)
Safe Harbor Scheme (III)
§ Current views on SH, embodied in Commission’s SH report of October 2004:
Ø Regarding ADRs:
üDo not contemplate mandatory sanctions
üLack of transparency
üRecommendations?
Ø Regarding FTC:
üLack of ex officio investigations
üRequest to self-initiate investigations
13
Safe Harbor Scheme (III)
Safe Harbor Scheme (III)
§ Commission and Working Party 29 are currently working to address these concerns.
§ Progress has already been made. We are moving in the right direction.
14
Thank you for your attention. Questions?
Thank you for your attention. Questions?
Rosa BARCELO
Data Protection Unit
DG JLS
European Commission
Tel: 00/32/2-2986488
Fax: 00/32/2-2998094
E-mail: rosa.barcelo@cec.eu.int
http://europa.eu.int/comm/justice_home/fsj/privacy/
15