CA07/434/00/EN
WP 32 Article 29 Data Protection Working Party
Opinion 4/2000 on the level of protection provided by the "Safe Harbor Principles"
Adopted on 16th May 2000
Introduction
This Opinion is issued with reference to the Safe Harbor
Principles and Frequently Asked Questions (FAQs) transmitted by the Commission
Services on 28 April and 2 May and some additional material received between 9
and 11 May.
The Working Party considers that important and significant
progress has been made towards improved protection for personal data in two
years of talks with the US Department of Commerce and that some last moves
could be made on a limited number of fundamental issues. In particular, it notes
that the latest amendments to the principles and the related documents
incorporate several suggestions made by the Working Party in its previous
Opinions.
In establishing this Opinion, the Working Party has also taken
into account the ”Response of the US Department of Commerce” to its
Opinion 7/99[1], that was received by fax on 26
April.
The Working Party recalls that the protection of individuals
with regard to the processing of their personal data is part of "the fundamental
rights and freedoms": this dimension, which is already enshrined in the European
Convention on Human Rights and recalled by Article 1 of Directive 95/46, is
confirmed by the orientation that has emerged in the work of the Convention on the EU
Charter of Fundamental Rights. The Working Party reaffirms its view that, to
qualify as adequate, a data protection system should meet the criteria
summarised in its Working Document (WP 12) of 24 July 1998.
The Working Party also recalls that the US have signed the
OECD Privacy Guidelines (1980), and confirmed their support for these Guidelines
at the 1998 Ministerial Conference in Ottawa.
The Working Party wishes to highlight the impact of Directive
95/46 in the international context. The Working Party is aware of the economic
and commercial importance of the Safe Harbor arrangement. However, the Working
Party’s conviction is that such considerations cannot override the
fundamental rights of individuals with regard to the processing of their
personal data. It is moreover important to bear in mind the consequences of any
adequacy finding for future negotiations in international forums, such as the WTO.
The Working Party supports the statement made in the draft letter of the
Commission services to the Department of Commerce, according to which the US
legal system presents some very specific features and cannot be regarded as a
precedent: the Working Party agrees with the Commission services’
preference for binding rules, for which the Directive and the OECD Guidelines
remain the principal benchmarks.
The Working Party has already made comments on all the
tentative versions that were issued at the various stages of the dialogue. In
particular, the Working Party has delivered the following
Opinions[2]:
Having examined the new version of the documents received on
28 April and 2 May, the Working Party confirms its previous Opinions and
considers it essential that the following issues and recommendations be given
due consideration.
1. SCOPE
In its Opinion 7/99, the Working Party had stressed the
possible misunderstandings that could flow from the Notice principle and
expressed its concern that data controllers may misconstrue the Safe Harbor
principles as displacing Member States' law. The Working Party had therefore
suggested clarifying the issue in a specific FAQ. This suggestion has not been
followed, and paragraph 2 of the Principles (version of 28 April) has been
amended in a way that does not clarify the issue. However, in its
”Response” to Opinion 7/99, the US Department of Commerce states
that ”clearly, European law will govern all aspects of collection and use
of personal information by companies operating in Europe”. The Working
Party recalls that under the Directive (Article 4.1) Member States are under the
obligation to apply their national provisions not only to the processing
operations carried out by data controllers established on their territory, but
also where data controllers (although not being established on their territory),
make use of equipment situated on such territory in particular for the
collection of personal data. The Working Party invites the Commission to make
clear, in the draft decision or in its letter to the Department of Commerce,
that the Safe Harbor does not affect the application of Article 4 of the
Directive.
1.2 Data transfers not covered by FTC-type jurisdiction
According to the draft decision established by the Commission
Services (Article 1.1.b), being subject to FTC-type jurisdiction is one of the
conditions to be met by US organisations that wish to assure safe harbor
benefits. Since adherence to the Safe harbor is based on self-certification,
without any kind of ex-ante verification, the supervisory powers of a public
body are essential for the credibility of the arrangement.
In its Opinion 7/99, the Working Party had already noted
that, according to the FTC letters addressed to the Commission Services, the
FTC would have jurisdiction only on unfair or deceptive practices in or
affecting commerce and that sectors such as financial services
(banks and insurance), telecommunications, transportation, employment
relationships and non-profit activities would not fall within the scope
of its powers. The Working Party therefore agrees with the new wording of the
Commission draft Decision (Article 1.1 letter b), according to which a new Annex
3 will list the US Government bodies that meet the criteria of Article 1.1 b,
and agrees that the sectors or processing operations not subject to the
jurisdiction of the listed bodies cannot fall within the scope of the Decision
(as stated by recital 9).
On the other hand, the Working Party notes that, in the 28
April version of the Principles, organisations that are not subject to the
Federal Trade Commission Act can still qualify for the safe harbor benefits
without being clearly required to self-certify to the Department of Commerce,
and considers it necessary that this ambiguity be removed by reintroducing the
deleted words.
As regards FAQ 13 (airline passenger reservations) the Working
Party has considered the 9 May draft letter of the Department of Transportation
and notes that it mentions the possibility of individual recourse, as well as
the intention to notify the Department of Commerce of any action taken. As
things stand, the Working Party is therefore not opposed to the inclusion of the
Department of Transportation in the list referred to by Article 1.1.b, provided
that the conditions set out in Article 1 of the draft decision are met.
As regards employment data, the Working Party notes that,
according to the 28 April version of FAQ 6, ”where the organisation wishes
its safe harbor benefits to cover human resources information (...) the
organisation must indicate this in its letter and declare its commitment to
cooperate with the EU authority (...) in conformity with FAQ 9 and FAQ 5”.
However, the answer to Question 1 in FAQ 9 states that ”the SH principles
are relevant only” for the transfer of individually identified
records. The Working Party recalls that, in line with the Directive, the SH
principles define personal data as data about identified or identifiable
individuals, and considers it necessary that FAQ 9 be aligned with the correct
definition. The Working Party is also concerned that enforcement for employment
data relies only on the cooperation of the DPAs rather than ADR
bodies.
1.3 Mergers, take-overs and bankruptcy
As a general rule, legislative rules apply to any organisation
established on the territory of a given country or state. The ”safe
harbor” rules will apply only to those organisations that have voluntarily
adhered, and this raises some specific issues that were summarised by the
Working Party in its Opinion 7/99. The Working Party welcomes the improvements
made to FAQ 6 (new paragraph added on 28 April). In the "new economy", mergers,
take-overs and bankruptcies occur every day. In its Opinion 7/99 (page 3) the
Working Party had invited the Commission to consider deletion or erasure of the
data transferred to ”past harborites”, and is satisfied that this
suggestion has been taken into account.
2. EXCEPTIONS
2.1 The Working Party regrets that the Safe Harbor
standards are weakened on the one hand, by a number of exceptions introduced by
the "Frequently Asked Questions" and, on the other, by paragraph 5 of the
principles ("adherence to these principles may be limited ... by statute,
government regulation, or case law that create conflicting obligations or
explicit authorisations").
As regards the latter point, the Working Party reiterates its
view[3] that adherence to the principles should
only be limited to the extent necessary to comply with conflicting
obligations and that, for reasons of transparency and legal certainty, the
Commission should be notified by the Department of Commerce of any statute or
government regulations that would affect adherence to the principles.
Explicit authorisations as a reason for exceptions could be accepted only as far
as the overriding legitimate interests underlying such authorisations do not
substantially differ from exemptions or derogations applied in comparable
contexts by EU Member States in accordance with their laws implementing the
Directive.
As regards the exceptions set out in the FAQs, the Working
Party takes the following view:
The Working Party considers that the use of exceptions will
need to be carefully monitored, and that the cooperation of the US authorities
should be sought to ensure that the exceptions are not used in a way that
undermines the protection afforded by the principles. In particular, the Working
Party takes the view that in an adequate system of data protection the right of
access cannot be limited or denied in a way that would be incompatible with the
Directive.
3. PRINCIPLES
3.1. Access
The Safe harbor principle does not include the right to
receive data ”in a form that is readily intelligible”, although such
right is recognised by the OECD Guidelines (”Individual Participation
Principle”). The Working Party notes the assurance given by the Department
of Commerce (in its Response to Opinion 7/99) that this is implied in the
Principle.
The access principle provides for the right to have data
deleted only in the case of inaccurate data, and not where data is collected or
processed without the data subject’s consent or in a way that is
incompatible with the principles. The requirement to delete data in the latter
case, which was recommended by the Working Party in its Opinion 7/99, is now one
of the ”possible sanctions” under the section on ”remedies and
sanctions” of FAQ 11. The Working Party recommends that, instead of
being left to the discretion of the dispute resolution bodies (as stated by the
relevant footnote of FAQ 11), deletion be recognized as an individual right or
as an obligation of the Safe Harbor organization.
3.2. Choice
As regards changes of use, opt-out choice is currently
provided to data subjects where their personal information is used for a purpose
that is incompatible with the purpose for which it was originally collected.
This principle should be extended to cover all different uses of personal data.
Moreover the opt-out possibility offered by the choice
principle should be extended to cases of data transfers to other controllers,
even where there is no change in the use or purpose. The Working Party welcomes
the current standard of opt-in for sensitive data, but considers it necessary
that the category of data that qualifies as sensitive be clearly and
unconditionally defined in the principles. The last sentence of the choice
principle needs to be clarified: the words ”in any case” should be
replaced by ”in addition”. The Working Party also
recommends that the purpose principle and the notion of choice be the subject of
additional clarifications.
3.3. Onward transfers
The current version of the Safe harbor Principles allows
transfers to third parties not subscribing to the Safe Harbor if that third party
signs an agreement to protect the data. This approach is inconsistent with the
general rules set out for guaranteeing the enforcement and the liability of
organisations under the Safe Harbor system. The Working Party takes the view
that, in these conditions, onward transfers should only be permissible with data
subjects’ consent.
4. ENFORCEMENT
As recalled by the Directive (Article 1) and by the European
Convention of Human Rights, the right to privacy is a fundamental
right and any person has the right to be heard before an independent body.
The ”safe harbor” would allow the transfer of personal data that are
currently processed in the EU, to a country in which the above guarantees may
not apply. A key question is therefore to know how the fundamental right to
privacy would be protected in relation to the data transferred to the US if the
"safe harbor" principles were not complied with.
According to the latest version of the US documents,
enforcement of the principles would rely on two layers:
The "bridge" between the two layers is very uncertain:
according to FAQ 11, the ADR bodies should notify the FTC of
cases of failure to comply with the principles, but there is no obligation for
them to do so. Although the individuals concerned can complain directly to the
FTC, there is no guarantee that the FTC will examine their case (its powers are
discretionary). In concrete terms, individuals would not have the right to be
heard before the FTC: neither to enforce the ADR bodies’ decisions, nor to
challenge such decisions (or the lack of decisions). As a result, the
individuals concerned by an alleged violation of the principles would not be
assured of the right to stand before an independent
instance[6].
The draft Memorandum of the Department of Commerce refers to
the possibility of individual access to US Courts and of recovering moral
damages under certain circumstances; experience shows that this is
the typical damage where the right to privacy is violated.
These two aspects will have to be reviewed in the light of
experience in order to ascertain the effectiveness of the remedies indicated in
the above mentioned Memorandum.
Overall, the Working Party takes the view that this
enforcement regime is weak as regards two of the three conditions indicated in
its Working Document of 24 July 1998 (page 7): the need ”to provide
support and help to individual data subjects” (letter b) and ”to
provide appropriate redress to the injured party where rules are not complied
with” (letter c).
Conclusions
The Working Party notes that the proposed adequacy
”finding” refers to a system that is not yet operational. In this
respect, the Working Party welcomes the revision clause in the
Commission’s draft Decision so that any adequacy finding on the Safe
Harbor can be reviewed in the light of experience; moreover, the Working Party
deems it necessary to reaffirm its Opinion 7/99 as regards the so-called
”grace period”, and confirms its reservations on this part of the
draft exchange of letters. (The Working Party notes that the draft letter of the
Commission services makes reference to ”enclosed extracts from the minutes
of the article 31 Committee”, that have not been made available until now,
and would be interested to receive this document).
Having considered all the above issues, and bearing in mind
the US commitment to the protection of privacy referred to in the Department of
Commerce ”Response” to Opinion 7/99, the Working Party remains
concerned about a number of issues on which it believes a better standard in terms
of data protection is achievable. The Working Party is particularly concerned to
see improvements to meet the following objectives:
Should a decision be taken to proceed, the Working Party would
place particular emphasis on the value of the mechanisms for review of the
decision and of the other safeguards.
Finally, and irrespective of the decision to be taken on the
”safe harbor”, the Working Party urges the Commission Services to
finalise their work and present a decision on model contractual clauses
(Article 26.4 of the Directive) in order to create a predictable, secure and
non-discriminatory framework for international data transfers that is not
confined to one single third country. In addition, the Working Party invites the
Commission to consider as a matter of urgency the creation of an EU seal system
for Internet sites, based on common criteria of data protection assessment that
could be determined at the Community level.
Done at Brussels, 16th May 2000
For the Working Party
The Chairman
Stefano RODOTA
[1] All documents quoted in
this Opinion can be obtained on request from the Secretariat of the Working
Party (see cover page).
[2] All documents adopted by
the Working Party are available at
http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/index.htm
[3] Opinion 7/99, page 4
[4] Principles applicable to
public data have been developed by the Article 29 Working Party in its Opinion
3/99 on public sector information and the protection of personal data, adopted
on 3 May 1999.
[5] TACD submission, page 4:
”The exceptions for providing access are too broad and unfairly limit
individual access in favor of business interests. While rights to access should
be weighed in balance with other considerations, the current access principles
allow the entities least likely to consider the rights of the data subject
– the data collector – to make that determination” (... ).
[6] According to the already
mentioned submission made by the Trans Atlantic Consumer Dialogue,
”despite past cases where individual privacy has been compromised, no
self-regulatory group has ever referred a member company for
investigation”: In its conclusions, the TACD recommends that ”the
Safe Harbor negotiators should consider the provision of an individual right of
remedy a priority”.