5146/99/EN/final WP 27
Working Party on the Protection of Individuals
with regard to the Processing of Personal Data
Opinion 7/99
On the Level of Data Protection provided by the "Safe Harbor" Principles
as published together with the Frequently Asked Questions (FAQs) and other related documents on 15 and 16 November 1999
by the US Department of Commerce
Adopted on 3 December 1999
The Working Party on the Protection of Individuals with regard to the Processing of Personal Data
Set up by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995,
Having regard to Articles 29 and 30 (b) of the Directive,
Having regard to its Rules of Procedure and in particular to Articles 12 and 14 thereof
Has adopted the present Opinion 7/99:
Introduction
The Working Party reaffirms its general policy on the methodology for assessing the adequacy of data protection in any third country, summarised in its Working Document of 24 July 1998 (WP 12: "Transfers of personal data to third countries: applying Articles 25 and 26 of the EU Data Protection Directive").
The Working Party has followed closely the Commission's discussions with the US Department of Commerce, attaches importance to them and considers the "Safe Harbor" approach useful. It wishes to contribute to the successful outcome of these discussions and considers that a good result depends on a number of basic concerns being met.
In this context, the Working Party recalls that previous versions of the "Safe Harbor" principles and Frequently Asked Questions (FAQs) have been the subject of the following position papers:
1. Opinion 1/99 of 26 January 1999 (WP 15);
2. Opinion 2/99 of 19 April 1999 (WP 19);
3. Opinion 4/99 of 7 June 1999 (WP 21) and Working Document of 7 September 1999 concerning some of the FAQs (not public);
4. Working Document of 7 July 1999 (WP 23).
This Opinion refers to the latest version of the "Safe Harbor" principles, FAQs and related documents as published on 15 and 16 November 1999. The Working Party regrets that, on such an important issue, the time left for taking a position was so short. It also notes that none of the documents is considered "final" and therefore reserves its position as regards any further development on the texts.
The Working Party notes that some progress has been made but deplores that most of the comments made in its previous position papers do not seem to be addressed in the latest version of the US documents. The Working Party therefore confirms its general concerns.
With a view to a possible finding of adequacy, and considering the particular impact that such positive finding would have as a reference point for other third countries, the Working Party considers that the "Safe Harbor" should offer legal security not only to the US organisations but also to the EU interested parties (data controllers wishing to transfer data to the US, data subjects whose data would be transferred, data protection authorities). Since its Opinion 1/99, the Working Party has constantly held the view that, in terms of substantive content, "any acceptable set of "Safe Harbor" principles must, as a minimum requirement, include all the principles set out in the OECD Privacy Guidelines" (adopted amongst others by the United States and recently re-endorsed at the OECD Ottawa Conference in October 1998).
Scope and Structure
The Working Party takes the view that the "Safe Harbor" principles are designed to govern the processing of data transferred to the US by an EU data controller. As regards the collection of personal data from individuals in the EU, the Working Party recalls that national provisions implementing the Directive will normally apply. The Working Party recalls that any adequacy finding made under Article 25(6) of the Directive can only refer to the protection of individuals with regard to the processing of data in the third country concerned and cannot affect the regime of applicable law under Article 4 (c) of the Directive.
As regards the "Safe Harbor", the Working Party recommends that its scope be clearly and unambiguously defined with regard to both the beneficiaries and the categories of data transfers.
According to the fourth paragraph of the Principles, ""Safe Harbor" benefits are assured from the date on which each organisation wishing to qualify for the "Safe Harbor" self-certifies to the Department of Commerce or its nominee its adherence to the principles". According to FAQ 6, such self-certification letters should be provided not less than annually; the Department of Commerce (or its designee) will "maintain a list of all organisations that file such letters, thereby assuring the availability of "Safe Harbor" benefits, and update such list on the basis of annual letters" and notifications concerning the findings of non-compliance. According to FAQ 11, adverse findings against "Safe Harbor" participants will be recorded in the list. In this respect, the Working Party notes that:
1. No prior check is made by the Department of Commerce in order to determine whether an organisation in concrete meets the qualification criteria (adherence of the privacy policy to the principles, jurisdiction of an FTC-type of body for deceptive practices);
2. The requirement to self-certify annually is designed to improve the reliability of the list; however, because the renewal of such self-certification is not compulsory, an organisation could adhere to the principles for 1 year and subsequently withdraw from the "Safe Harbor"; in addition, undetected impostors may disappear from the list only after a significant period in the course of which personal data would normally continue to be transferred.
3. Mergers and take-overs are more and more frequent in the course of business in general and in the on-line business in particular. An organisation adhering to the principles may well be taken over by, or merge with, an organisation that can not or does not wish to qualify for the "Safe Harbor".
As it stands, the "Safe Harbor" is a voluntary approach offered to US organisations on the basis of self-certification (FAQ 6) and self-assessment (FAQ 7), underpinned by statutory provisions in case of misrepresentation/deceptive practices. This means that, unless and until a complaint is made and investigated, any US organisation claiming the benefits of the "Safe Harbor" would be entitled to receive personal data from the EU. Considering the above examples, the Working Party urges the Commission to consider the means of ensuring the continued protection of personal data which may be transferred to:
1. Organisations that should have never been on the list because they did not meet the qualification criteria;
2. organisations that, although being listed, do not comply with the principles;
3. organisations that, after being listed for 1 year, would no longer appear in the list of the following year, either because they do not renew their self-certification or because they no longer qualify for the "Safe Harbor";
4. organisations that, after being listed, are taken over by a company which does not qualify for the "Safe Harbor" (either because it can not, or because it does not wish to adhere to the principles).
Among the possible means of ensuring continued protection, the Working Party invites the Commission to consider deletion or erasure of the data transferred to an organisation falling into one or other of the above categories. The Working Party would further welcome clarification of the possible continued applicability of the deceptive practices provisions of the Federal Trade Commission Act.
For reasons of legal certainty, the Working Party reiterates its concern that the list of beneficiaries be completely reliable, up to date and easily accessible to the public.
In its working document of 7 July 1999, the Working Party had already called for clarification on two specific points:
a) sectors that would be excluded from the scope of the "Safe Harbor" because they do not fall within the jurisdiction of an FTC-type public body (e.g.: employees data, non-profit sector);
b) activities which may be excluded by the organisation qualifying for the "Safe Harbor" as a matter of business choice.
As regards point a) the Working Party attaches the utmost importance to the FTC Chairman's letters of 23 September 1998 and 1 November 1999; according to these letters, it is clear that the FTC's jurisdiction covers unfair and deceptive acts only if they are "in or affecting commerce". This seems to exclude most of the data processed in connection with an employment relationship (FAQ 9) as well as the data processed without any commercial purpose (e.g.: non-profit, research). The Working Party therefore recommends that these categories of data transfers be expressly excluded from the "Safe Harbor".
As regards point b), the Working Party notes that FAQ 6 invites organisations to indicate the "activities of the organisation covered by its "Safe Harbor" commitments". This implies that the same organisation could enter the "Safe Harbor" with one foot and keep the other foot out of the "Safe Harbor". The Working Party takes the view that this creates legal uncertainty (in particular with regard to data sharing within an organisation) and urges clarification on the notion of "activities".
Exceptions and exemptions
The Working Party reiterates its concern that adherence to the principles may be limited by any "statute, government regulation or case law" (paragraph 5 letter b) of the Principles) without any further qualification. This seems to apply to State as well as to Federal law, be it present or future. To ensure legal certainty and non-discrimination in respect of other adequacy findings, the Working Party recommends that more precise criteria for, and concrete examples of, such exceptions and limitations be provided and that their impact be given proper consideration. As regards the need for more precise criteria, the Working Party recommends that a clear distinction be drawn between options and obligations: adherence to the principles should only be limited to the extent necessary to comply with statutory or regulatory obligations (which would in any case override the principles) but not as a result of options which may result from US law, as this would result in a serious weakening of the principles.
For reasons of transparency and legal certainty, the Working Party considers it essential that the Commission be informed of any Statute or Government regulations that would affect adherence to the principles.
As regards paragraph 5 letter c), the Working Party recommends that the paragraph be confined to the exceptions allowed by the Directive, which covers any allowable exceptions in Member State law. In any case, the Working Party takes the view that no exception can be invoked out of its specific context, and that any exception can only be used to serve its specific purpose.
The Working Party is concerned that, in addition to the above mentioned exceptions, the FAQs provide for a long list of further exceptions, which result in some cases in the exemption of entire categories of data: this applies in particular to the broad category of "publicly available data", that may be "publicly available" as a matter of fact and irrespective of any consideration of legitimacy of processing or accuracy of the data. The Working Party notes that no such exemption is allowed by the OECD guidelines and believes that the acceptance of such an exemption would create a very large loophole in data protection coverage.
Notice
The Working Party maintains its view, reiterated in all its previous Opinions, that the "Safe Harbor" arrangement (and indeed any adequacy finding) can only concern the processing of data transferred by a data controller established in the EU to a third country: data controllers established in the EU are subject to the national provisions implementing the Directive, and the same would normally apply where personal data are collected directly from individuals in the EU by a US organisation that makes use of equipment situated on the territory of a Member State (Article 4 of the Directive).
This is now recognised by the US side under Q1 of FAQ 14 in relation to pharmaceutical and medical products, and in FAQ 9 concerning Human Resources Data. However, the Notice principle states that:
"this notice must be provided (…) when individuals are first asked to provide personal information to the organisation or as soon as practicable".
The above quoted sentence implies or could be misunderstood to mean that the collection of data from individuals in the EU by US organisations would be governed by the "Safe Harbor" principles, and not by the national provisions implementing the Directive. Its consequences would therefore go far beyond the notice principle.
The Working Party takes the view that this is not in line with the Directive (Article 4). The Working Party recommends that the above quoted sentence be deleted and replaced by a clear indication that:
1. Where a US organisation intends to collect personal data directly from individuals in the EU, it must comply with the applicable national provisions implementing the Directive (e.g.: Articles 6, 7, 10, 14 and, where relevant, Article 8);
2. Where personal data are transferred to the US organisation by a data controller established in the EU, the former should request the latter to indicate the purposes for which the data had been originally collected (this is essential to determine whether a change of purpose occurs after the transfer, thus triggering the notice and choice principles, and would contribute to allocating risk and liability).
The Working Party suggests that the above points be the subject of a new FAQ aimed at clarifying the Notice principle.
The Working Party also recommends the Notice principle to be amended so as to ensure that notice is given when data is used by a different organisation.
With regard to FAQ 4, the Working Party notes that there are no justifications for headhunters to process data without the individual's consent. Also there is reference to "other circumstances in which the application of the "Safe Harbor" principles may prejudice the legitimate interests of the organisation" which the Working Party considers as being too wide a let-out.
The Working Party notes that FAQ 14 on Pharmaceutical and Medical products has only recently arrived and that the present text raises several questions, notably the use of data for purposes incompatible with those related to scientific research.
Choice
The Working Party reiterates the view expressed in its working document of 7 July 1999: since the principles do not include any "legitimacy of processing" criteria, the Choice principle needs to be strengthened. In its current version, the combination of Notice and Choice results in the possibility of using data for a purpose other than those notified without having to offer choice (unless the purpose is incompatible or the data are sensitive) and this falls short of the OECD Guidelines ("Use Limitation Principle"). The Working Party supports the idea that Choice should be offered when data is used for a compatible but different purpose.
The Working Party shares the views of the Commission as expressed in the footnote to the Choice principle. It recommends that the definition of sensitive data be aligned with the Directive (Article 8) and considers that choice can only be a basis for legitimate processing if it is based on adequate information.
Onward transfer
The Working Party notes with some concern the addition to this Principle of the last sentence which totally relieves organisations of liability when information is transferred to certain third parties. The individual might have no ready legal remedy except against the transferor who might indeed have acted recklessly in transferring the information. The Working Party recommends that consideration be given to reducing the relief from liability to preserve the transferor's liability in cases of negligence and recklessness and to require the transferor to assist the individual to secure a remedy.
Security
The Working Party recommends that FAQ N° 10 be amended to remove the statement that security measures are not needed in the contract, since the law of several Member States requires such provisions even in contracts for processing within the same Member State.
Data Integrity
The Working Party recalls that under paragraph 8 of the OECD Guidelines "data must be relevant for the purposes for which they are to be used and to the extent necessary for those purposes should be accurate, complete and up to date". The "Safe Harbor" principle should reflect this.
Access
The Working Party recalls that Access is a fundamental principle of any meaningful data protection regime, because Access is the gateway which triggers all the rights of the data subject; it stresses that the exceptions to this fundamental principle are allowed only in exceptional circumstances; it reiterates the concern expressed in all its previous position papers with regard to the extent and the open-endedness of the exceptions and conditions attached by the US side to the exercise of this fundamental right.
The Working Party reiterates its view that cost considerations are relevant to determine the conditions in which the right can be exercised but cannot be a condition to the right itself.
Unlike the OECD Guidelines, the "Safe Harbor" principles do not recognise the individual right to receive information "in a form that is readily intelligible". In addition, the access principle confines the right to delete to cases where data are inaccurate (which is obvious); in its Opinion 2/99 the Working Party has already taken the view that to be meaningful, the right to delete should apply to all cases of unlawful processing and that it should be included in the principles and not in an FAQ.
FAQ 8 lists a long number of exceptions to the access principle; the Working Party welcomes the fact that some of these exceptions, if compared to the previous version of the FAQ, have been narrowed or clarified. However, the overall picture still gives the impression that this FAQ weakens the principle rather than giving guidance on its application. In particular, the Working Party reiterates its objections to Q2 (unclear notion), and Q7. As regards Q5, the Working Party reiterates its view that the circumstances for denying access are too broad and open ended and that the text implies that such considerations automatically override the right to access. It is concerned that this would result in a serious weakening of the overall level of data protection.
As regards Q6, the Working Party considers the wording of the second paragraph inappropriate and recommends either its deletion or its narrower definition so that it is confined to ruling out the abuse of the right of access.
The Working Party reiterates as well its opposition to Q8, for the reasons already given in the Working Document of 7 September 1999; in addition, the fact that information is publicly available does not deprive the data subject of his right of access.
Enforcement
The Working Party welcomes the detailed information provided by the US side in the last weeks of talks (in particular: FTC letter, comparison of US Private Sector Privacy Dispute Resolution Mechanisms, FAQ 11, Memorandum on the Fair Credit Reporting Act). Such information is valuable and has allowed the Working Party to have a better picture of the enforcement facilities which could be made available to data subjects. Having considered the above information, the Working Party is concerned that:
1. The existing Private Sector Mechanisms deal exclusively with on-line activities: BBB Online; Web Trust; TRUSTe: (emphasis added);
2. A similar emphasis can be found in the FTC Chairman's letter of 1 November 1999 (paragraph 2: "online privacy", "Internet environment"; paragraph 3: online marketplace, survey of web sites; paragraph 4: "online privacy policies" and so on; emphasis added).
3. According to paragraph 4 of the principles, "Safe Harbor" benefits would also be assured to organisations subject to any "statutory, regulatory, administrative or other body of law (or body of rules issued by national security exchanges, registered securities associations, registered clearing agencies, or a Municipal Securities Rule-making Board) that effectively protects personal privacy". However, no information has been provided as regards the public bodies that would ensure enforcement of such a wide range of legal sources.
In these circumstances, the Working Party considers that the scope of any adequacy findings should be expressly restricted to those sectors for which sufficient and unambiguous information has been gathered and assessed as to the existence of enforcement mechanisms. In fact, extending the scope of an adequacy finding beyond this limit would open the decision to legal challenge and this is not desirable to any of the interested parties.
As regards the enforcement principle, the Working Party considers that to be meaningful, the principle must include compensation for any damage suffered by individuals as a result of violation of the principles: this is a general view of the Working Party and applies to any third country (Working Document on Transfers of personal data to third countries: WP 12 of 24 July 1998, page 14: "appropriate redress"). Where damages are not provided by existing US legislation, the private organisation should be prepared to offer this possibility as a condition to qualify for the "Safe Harbor".
On FAQ 11 (dispute resolution and enforcement), the Working Party notes that this text addresses a series of aspects on enforcement that are so essential that they should be included in the Enforcement principle itself. To make the link between the different enforcement levels, it is particularly important to make it the rule that dispute resolution bodies refer unresolved cases to the FTC. The requirements that dispute resolution mechanisms be transparent and expeditious might also be added to the principle.
According to FAQ 11, dispute resolution bodies may introduce eligibility requirements for the acceptance of complaints. The Working Party considers that such requirements should be explicit, objective and reasonable. Also refusals to pursue complaints should be duly motivated.
Overall the Working Party notes that the enforcement arrangements in the US make up a very confusing picture in which it is not possible to identify easily what rights a citizen has in case of violation of the Principles. FAQ 11 offers simply a series of recommendations which can lead to a fragmented and uneven implementation.
FAQ 5 - Role of Data protection authorities
The Working Party has discussed the proposed US text of FAQ 5 and concludes that the role for data protection authorities described in this text is not legally or practically realisable. In particular, the Working Party notes that national law does not give national authorities the competence to deal with complaints concerning violations of data protection rules outside their jurisdiction.
The Working Party notes on the other hand the readiness of national authorities to offer their co-operation in the form of information and advice, if this can be useful in the context of the "Safe Harbor". It understands that such co-operation has been sought by the US for a limited period following the launching of the "Safe Harbor".
In this context, the Working Party invites the Commission to investigate whether this offer to provide information and advice, combined with a unilateral undertaking by the US organisation concerned to comply with the advice of national authorities - an undertaking which, if not complied with, would trigger FTC action for deception - could play a part in meeting the requirements of part (a) of the enforcement principle of the "Safe Harbor". If so, it notes that national authorities might be prepared to co-operate in this way for an initial period of 3 years. The Working Party further notes that national authorities would wish to review this arrangement before the end of that period if the numbers of US organisations choosing this option was such that it was clearly being treated as the substitute for proper enforcement arrangements in the US, rather than as a temporary arrangement to fill a limited gap.
The Working Party further invites the Commission to investigate what role could be played by a mechanism at the European level, which might inter alia provide a forum to help ensure a co-ordinated and harmonised approach.
The draft Commission decision (dated 24 November 1999)
The Working Party would like to draw the attention of the Commission to the following:
1. There is no reference to the work carried out by the Working Party to establish the criteria for assessing adequacy in third countries (WP 12). It is the Working Party's view that it is against these criteria that the assessment of adequacy should be carried out in order to guarantee a balanced, even-handed approach to all third countries - regardless of the fact that they follow a legislative or regulatory approach to data protection. In addition specific reference should be made to the opinions issued by the Working Party on the US "Safe Harbor" as well as to where they have been published.
2. On the substance of the decision, the Working Party notes that the criteria for joining the "Safe Harbor" are not the same in the US texts and in the draft decision. According to introductory paragraphs 3 and 4 of the US Principles, organisations may join the "Safe Harbor" either by:
"a) joining a self-regulatory privacy program that adheres to the principles,
b) developing their own self-regulatory privacy policy provided that they confirm to the principles,
c) being subject to a statutory, regulatory, administrative or other body of law that effectively protects privacy."
According to Article 1 of the draft Commission decision, are considered to be in the "Safe Harbor", organisations that:
"publicly declare that they abide by the Principles and are subject to the powers of a statutory body empowered to investigate complaints and obtain relief against unfair or deceptive practises."
The Principles need to be aligned on the decision.
3. The Working Party also notes that recital 8 states that jurisdiction of the Federal Trade Commission is subject to a number of statutory exclusions. However there is no specific indication of the excluded sectors nor is it indicated that all excluded sectors are covered by another public body. Similarly there should be a reference to the relevant provisions conferring the powers to act against deceptive practice or misrepresentation on the few public bodies mentioned.
Since falling within the jurisdiction of a public body capable of acting against unfair or deceptive practices is a conditio sine qua non for organisations wishing to join the "Safe Harbor", the Working Party considers that it is fundamental to seek clarification on this point and that the scope of the "Safe Harbor" should be limited to sectors covered by such a public body.
4. There is no mention in the draft Commission decision of the way in which organisations may lose "Safe Harbor" benefits - or to simplify, procedures for being struck off the list kept by the DoC.
The only undertaking in the US texts is to post "any notification it receives from any dispute resolution, self regulatory, and/or government bodies of any persistent failure of any "Safe Harbor" organization to comply with the "Safe Harbor" principles or any decision of such bodies, but only after first providing thirty (30) days' notice to such organization and an opportunity to respond" (FAQ 11).
According to the draft decision, adverse postings by the US DoC may only trigger a suspension of the data transfer in accordance with Article 2.2 (a). And presently, even if data is suspended to an organisation on the basis of Article 2.2 (a), this would not be reflected in the list because the US list will not show any adverse findings carried out in the EU. Yet there is a need to ensure that EU operators can rely on the list.
Moreover, in the Working Party's view, the conditions set out in Article 2.2 for suspending data transfers risk proving burdensome to comply with in practice, which would be unacceptable when individual rights are being violated. To meet this point, the words "irreparable damage" in Article 2.2 should be replaced by "serious and imminent damage".
5. The Working Party notes that in Article 1 paragraph 3 there is a proposed US text which reads "Compliance with the US Fair Credit Reporting Act or the US Financial Modernization Act is considered to ensure an adequate level of protection, as regards an organisation's activities falling within the scope of those Acts". In respect to these US laws, the Working Party draws the attention of the Commission to the fact that an analysis of the FCRA was entered on the agenda of the 17th meeting of 7th June but that there was no time to discuss either the law or its adequacy assessment. And, as far as the Financial Modernization Act is concerned, the Working Party has only very recently received a text.
In the light of the above, the Working Party can issue an opinion on the level of adequacy of these two laws only after a thorough discussion has taken place in the Working Party. Unless there is an adequacy finding with regard to these Acts, any reference to them should be deleted from the decision.
6. It is also the Working Party's view that Article 2.1 should be modified as follows:
"Article 1 is without prejudice to the powers of the competent authorities in Member States to take action to ensure compliance with the national provisions adopted pursuant to provisions other than Articles 25 and 26 of the Directive"
The exchange of letters
(not dated but posted on the website on 15 November)
The Working Party would like to draw the Commission's attention to the following:
1. The so-called grace period or date of entry into effect: Both the draft US letter and the draft Commission reply include wording to the effect that the Commission and the Member States will use the flexibility of Article 26 to avoid disrupting data flows to U.S. organizations for a given period following the Article 25.6 decision on the "Safe Harbor" framework. This will give U.S. organizations an opportunity to decide whether to enter the "Safe Harbor", and (if necessary) to align their information practices with the requirements of the "Safe Harbor".
Considering that on the basis of the directive, the Commission may act in relation to third countries transfers only when: a) a third country does not provide adequate protection and the Commission enters into negotiations to remedy the situation - Article 25, paragraphs 4, 5 and 6 or b) when the Commission decides that certain standard contractual clauses offer sufficient safeguards - Article 26.4, the Working Party wonders on what basis the Commission intends to use the flexibility of Article 26 of the directive to allow sufficient time for US organisations to decide whether or not to join the "Safe Harbor".
2. Use of contracts - Article 26 decision: In the Draft EU letter it is stated that "The Commission and the Member States are of the view that the (US "Safe Harbor") principles may be used in such agreements for the substantive provisions on data protections… The Commission has initiated discussion with the Member States in the Article 31 Committee… with the objective of adopting a decision under Article 26.4 authorising model agreement…"
Considering that the Working Party has consistently held the view that the analysis of adequacy of contractual solutions requires the consideration of a broader set of questions than those dealt with in framework solutions, such an engagement would be premature. It goes without saying that the "Safe Harbor" principles must first be improved and found adequate before they can be taken into consideration for part of the content of model contracts.
Conclusions
The Working Party concludes, in the light of the above observations and recommendations, that the proposed "Safe Harbor" arrangements as reflected in the current versions of the various documents remain unsatisfactory. The Working Party invites the Commission to urge the US side to make a number of key improvements, notably:
- to clarify the scope of the "Safe Harbor" and in particular to remove any possible misunderstanding that US organisations can choose to rely on the "Safe Harbor" principles in circumstances when the Directive itself applies;
- to provide more reliable arrangements allowing "Safe Harbor" participants to be identified with certainty and avoiding the risk that "Safe Harbor" benefits will continue to be accorded after "Safe Harbor" status has, for one reason or another, been lost;
- to make it absolutely clear that enforcement by an appropriately empowered public body is in place for all participants in the "Safe Harbor";
- to make it the rule that private sector dispute resolution bodies must refer unresolved complaints to such a public body;
- to make the allowed exceptions and exemptions less sweeping and less open-ended, so that exceptions are precisely that - that is, they apply only where and to the extent necessary, and are not general invitations to override the principles; this is particularly important as regards the right of access;
- to strengthen the Choice principle, which is the lynchpin of the US approach.
These points have been developed in greater detail in the preceding sections of this opinion and the Working Party would like to see the relevant considerations taken into account.
The Working Party further invites the Commission to revise Article 2 of the draft decision to make it clear that the enforcement powers of the competent national authorities as regards national law implementing provisions of the directive other than Articles 25 and 26 are unaffected by the decision; and to make it possible to intervene in accordance with Article 2 paragraph 2 when "serious and imminent" damage to the individual will otherwise result.
The Working Party finally emphasises the importance of continuing and indeed accelerating work on model contract clauses, with a view to a decision or decisions under Article 26 paragraph 4, which is an important part of simplifying and making more transparent the safeguards needed for transfers to areas where adequate protection is not otherwise guaranteed.
Done at Brussels, 3 December 1999
For the Working Party
The Chairman
Peter J. HUSTINX
1 OJ N° L 281 of 23 November 1995, p. 31, available at: http://europa.eu.int/comm/dg15/en/media/dataprot/index.htm
2 WP 12 (5025/98): Working Document on Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive. Adopted on 24 July 1998 (11 languages), available at the address indicated in footnote 1.
3 Draft International Safe Harbor Principles - November 15, 1999; Draft Frequently Asked Questions - November 15, 1999 (FAQs 1 to 15), Summary of Article 25.6 Decision; Letter from David Aaron to John Mogg transmitting safe harbor principles and FAQs etc. - November 16, 1999; Letter from John Mogg to David Aaron transmitting the Article 25.6 Decision etc. - November 16, 1999.
Available at: http://www.ita.doc.gov/td/ecom/menu.htm
4 "Personal Data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with paragraph 9 (Purpose Specification) except:
a) with the consent of the data subject; or
b) by the authority of law."
5 "Individual Participation Principle", point a) iv.
6 As mentioned before, on-line activities may fall under EU law where they concern the collection of personal data directly from the individual in the EU (see above Scope and Structure, Notice).
7 Same comment as in footnote 6.
8 Some delegations indicated that they reserved their positions on this paragraph.
9 Article 2.2: "The competent authorities in Member States may in addition exercise their existing powers to suspend data flows to an organisation adhering to the principles in order to protect individuals with regard to the processing of their personal data in cases where:
a) the US public body referred to under Article 1, paragraph 1 letter b) or a US independent recourse mechanism within the meaning of indent a) of the Enforcement Principle has made a finding that the principles are being violated, or
b) there is a reasonable basis for believing that the US enforcement mechanism is not taking or will not take adequate and timely steps to settle the case at issue, there is a substantial likelihood that the principles are being violated, and the competent authorities in the Member State have made reasonable efforts to provide the organisation with notice and an opportunity to respond,
and the continuing transfer would cause irreparable damage to data subjects.
The suspension shall cease as soon as compliance with the principles is assured."