Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Stormy Harbour: EU urges US to make personal data transfers safer

We, and other privacy advocates, have criticised the poor provisions of the so-called Safe Harbour agreement, which allows free transfers of personal information from European countries to companies in the United States that have signed up and promise to abide by its Principles. Now the European Commission, prompted by the recent mass surveillance scandals, has published an investigation into this agreement which provides overwhelming evidence that it is not fit for purpose. It urges the US authorities, with a number of concrete recommendations, to get their act together by next summer.

We welcome the recommendations but believe they just stick a plaster on an open wound. The only longterm solution is for US companies to respect EU privacy laws when handling EU citizen data or, better still, for the US to implement strong data protection laws for the benefit of all.

Major flaws

In its report, the Commission points out that all companies involved in the PRISM programme, and which grant US authorities access to data, are Safe Harbour certified - which means the scheme is a convenient way for intelligence authorities to collect personal data of EU citizens (page 16), with disregard for data protection, or what is necessary or proportionate. Moreover, companies do not, as a rule, indicate in their privacy policies that they grant intelligence or law access to their data, so people are not aware that their information may be accessed in this way. Worse still, there are no possibilities for reddress in case of wrong-doing because no safeguards are provided in US law for non-residents.

There are other evidenced key concerns regarding the effectiveness of the Safe Harbour deal: false claims of membership, lack of privacy policies, or obscure policies, poor enforcement by authorities and poor possibilities of reddress. Under the scheme companies are supposed to provide readily available and affordable alternative dispute resolution (ADR) possibilities, but in reality a large proportion of ADR providers charge hefty fees to those who file a complaint. Authorities claim there have been few complaints, but how would individual people know where to complain, even if they were made aware of breaches to their personal information?

As a result of these major flaws, the European Commission makes a set of recommendations to strengthen the Safe Harbor scheme by improving enforcement, transparency and reddress. It makes a conscious decision not to suspend the scheme because ”… its revocation would adversely affect the interests of member companies in the EU and in the US".

These strengthening measures, however good, come as too little too late. It is hard to see how a self-certifying scheme with so many loopholes can ever be made effective without major surgery. Even if it were perfect, the fact remains that its provisions are weaker than the current EU laws and even weaker than the laws currently in the pipeline. The only long-term solution in the interest of consumers and citizens is for the EU to revoke this agreement, and conclude the update of its data protection laws as speedily as possible. The US, as it has promised back in 2012, should implement its Obama Consumer Privacy Bill of Rights, by turning it into law.  In the absence of effective legislation on both sides, personal data stored or used by US companies will remain at risk.