EU Justice Commissioner Viviane Reding used Data Protection Day on Tuesday (28 January) to expose once again the flaws of the EU-US deal on data transfer.
In her usual outspoken style, she said: “We kicked the tyres and saw that repairs are needed. For Safe Harbour to be fully roadworthy the US will have to service it.”
Washington is asked to provide “repairs” by next summer, otherwise the agreement “will be suspended,” she said in a speech at the CEPS think tank in Brussels.
The Safe Harbour agreement allows US companies to access EU citizens' data, in spite of the fact that US legislation on data protection is much less stringent than the EU’s.
To bridge this gap, US companies can voluntarily participate in the Safe Harbour scheme, which obliges them to provide “adequate” privacy protection, as requested by Brussels.
Compliance with Safe Harbour’s principles is assessed through self-certification.
Thanks to Safe Harbour, US companies can transfer the personal data of EU citizens to the US. These transfers are at the core of the activities and the business models of many ICT giants.
Google, Facebook, Microsoft, Amazon, and many other US companies are part of the Safe Harbour compliance programme.
Revelations made last year by the former spy contractor Edward Snowden about the scope and breadth of the illegal monitoring activities of the National Security Agency (NSA) have increased EU leaders’ concerns over the US handling of EU citizens’ data.
Last November, Reding issued a list of 13 recommendations to the US on how to strengthen the Safe Harbour programme.
Reding asked for companies adhering to the scheme to “publish privacy conditions of any contracts they conclude with subcontractors”, including cloud computing services.
She also said that “the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour” should be known.
Reding also wants evidence that the scheme’s principles are actually enforced, and therefore asked for “a certain percentage of these companies to be subject to ex officio investigations of effective compliance of their privacy policies.”
Moreover, “whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year,” she concluded.