Any organisation wishing to transfer personal data outside of the European Union must comply with the provisions of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Article 25 provides that personal data may only be transferred to countries outside the European Economic Area if the country to which they are transferred can guarantee an adequate level of protection. The United States is not considered by the European Commission to offer an adequate level of protection for the purposes of the Directive. This commentary, written by Ann Critchell-Ward, Senior Associate with Freeth Cartwright LLP, Nottingham, UK, analyzes the current status of the data exchange between the EU and the US and discusses the steps which must be taken on the part of organisations wishing to transfer personal data to the US for ensuring that an adequate level of protection is in place.
On 14 May 2004, the European Commission decided that trans-Atlantic flows of personal data can take place if the recipient organisation has adopted the “safe harbour” principles or if the transfer of data comprises the transfer of Air Passenger Name Records to the United States’ Homeland Bureau of Customs and Border Protection (Commission Decision 2004/535/EC, OJ 2004 L 235/11). The latter has proved to be controversial.
The “safe harbour” framework was developed by the United States Department of Commerce in consultation with the European Commission and was approved by the EU in 2000. Safe harbour was intended to help bridge the differences between the EU and US approaches to privacy and data protection and to provide a streamlined means for US organisations to comply with the Directive. Organisations that wish to use the safe harbour must comply with its requirements and publicly declare that they do so. They must also self-certify annually, in writing, to the Department of Commerce that they agree to adhere to its principles.
There are seven safe harbour principles, and these reflect the data protection principles set out in the Directive. The safe harbour principles are notice, choice (the option for individuals to “opt out”), restrictions on onward transfer, individual access to data, security of data, data integrity, and enforcement of compliance with the principles.