The European Commission raised the stakes in the confrontation with the US over data protection, and menaced suspending the bilateral deal on access to data, known as Safe Harbour, if Washington did not strengthen its security provisions by the summer.
EU Justice Commissioner Viviane Reding did not miss the chance offered on Tuesday (28 January) by the celebration of the Data Protection Day to expose once again the flaws of the EU-US deal on data transfer.
In her usual outspoken style, she said: “We kicked the tyres and saw that repairs are needed. For Safe Harbour to be fully roadworthy the US will have to service it.
”Washington is asked to provide “repairs” by next summer, otherwise the agreement “will be suspended,” she said in a speech at the CEPS think tank in Brussels.
The Safe Harbour agreement allows US companies to access EU citizens' data, in spite of the fact that US legislation on data protection is much less stringent than the EU’s.
To bridge this gap, US companies have the possibility to voluntary participate in the Safe Harbour scheme, which obliges them to provide “adequate” privacy protection, as requested by Brussels.
The evaluation of the respect of Safe Harbour’s principles is based on self-certification.
Thanks to Safe Harbour, US companies can transfer the personal data of EU citizens to the US. These transfers are at the core of the activities and the business models of many ICT giants.
Google, Facebook, Microsoft, Amazon, and many other US companies are part of the Safe Harbour compliance programme.
Revelations made last year by the former spy contractor Edward Snowden over the scope and width of the illegal monitoring activities of the National Security Agency (NSA), have increased EU leaders’ concerns over the US handling of EU citizens’ data.
Last November, Reding issued a list of 13 recommendations to the US on how to strengthen the Safe Harbour programme.
Reding asked for companies adhering to the scheme to “publish privacy conditions of any contracts they conclude with subcontractors”, including cloud computing services.
She also said that “the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour,” should be known.
Reding wants also evidences of the real enforcement of the principles of the scheme and therefore asked for “a certain percentage of these companies to be subject to ex officio investigations of effective compliance of their privacy policies.”
Moreover, “whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year,” she concluded.
"There is considerable room for improvement under the Safe Harbour Agreement. If action to remedy the situation is not taken quickly, the EU will have to suspend the Agreement", said Manfred Weber who is Vice President of the European People’s Party (EPP) in the European Parliament.
“We must continue to work towards protecting the rule of law and the fundamental right to privacy of EU citizens and work with our US partners to ensure that these rights are respected and upheld,” said British MEP Claude Moraes (Socialists & Democrats), Rapporteur for the European Parliament committee on civil liberties for the inquiry into the mass electronic surveillance of EU citizens.
“The revelations by Edward Snowden over the past 7 months have highlighted the crucial need for the US to restore trust with the EU and strengthen our transatlantic partnerships. One key aspect of this is for the European Commission to conclude negotiations on the ongoing EU-US agreement on data transfer for law enforcement purposes that will finally provide judicial redress for EU citizens,” he added.
Luigi Gambardella, chairman of the executive board of the European Telecommunications Network Operators' association ETNO, said in a statement: “The future EU legal framework should allow responsible companies to unlock the value of personal data through new digital services that consumers are demanding. In turn these services will generate growth and jobs throughout the EU. Excessive administrative burdens on industry which do not provide real benefits for the users should be removed."
Whistleblower Edward Snowden revealed earlier in 2013 that the US authorities had tapped the servers of internet companies for personal data.
Europeans have reacted angrily to allegations that a US intelligence agency had tapped the servers of internet companies for personal data, saying such activity confirmed their fears about the reach of the government and American web giants and showed that tighter regulations were needed just as the EU and US have launched landmark trade talks.
Data Protection Directive – 24 October 1995
Data protection day press release – 28 January 2014
13 recommendations to the US on Safe Harbour – 27 November 2013