1. Safe harbour privacy principles

A5-0177/2000

European Parliament resolution on the Draft Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce (C5-0280/2000 - 2000/2144(COS))

The European Parliament,

-- having regard to European Parliament and Council Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "the Directive"), in particular Article 25 thereof,

-- having regard to the draft Commission Decision (C5-0280/2000),

-- having regard to the opinion (WP 32) on this subject adopted unanimously on 16 May 2000 by the working party provided for in Article 29 of the Directive and to the opinions delivered previously on the same question (WP12 and WP27),

-- having regard to the opinion of 31 May 2000 delivered by the Committee provided for in Article 31 of the Directive,

-- having regard to Council Decision 1999/468/EC laying down the procedures for the exercise of the implementing powers conferred on the Commission, and in particular Article 8 thereof concerning implementing measures,

-- having regard to Rule 88 of its Rules of Procedure,

-- having regard to the report by the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (A5-0177/2000),

The meaning of data protection in the framework of the competences of the Union

A. whereas

(a) the development of the information society and electronic commerce have led at global level to an exponential increase in the movement of data and the risks involved in the misuse of such data;

(b) such abuses not only act as a brake on the development of e-commerce in that they undermine the confidence of consumers, but also often constitute an infringement of the rights and freedoms of persons and, in particular, an invasion of privacy;

(c) protecting data means protecting the people to whom the information being processed relates, and such protection is one of the fundamental rights recognised by the Union (Article 8 of the European Convention for the Protection of Human Rights, referred to in Article 6 of the Treaty on European Union and Article 286 of the Treaty establishing the European Community);

(d) the Directive, which is modelled on Council of Europe Convention No. 108 (1981) and the OECD (1980) and UN (1990) guidelines, is based on identifying rights for the data subject and corresponding obligations on those who process data or who exercise control over such processing;

(e) such protection would be useless if it were confined to the territory of the Union and did not also provide adequate protection, as provided for by the Directive, in the third countries to which the data is transferred;

(f) an adequate level of protection for personal data in all the countries to which data can be transferred is also required, in order to avoid a situation where different levels of protection allow distortions in the use of data and relocation of its processing in violation of the GATS agreements;

(g) the Commission must ensure, on behalf of the citizens of the Union and its Member States, that 'adequate' protection exists in the third countries;

The role of the Commission and the measures and criteria that it must adopt in order to evaluate the 'adequacy' of the protection provided by third countries

B. whereas:

(a) in evaluating the 'adequacy' of the protection provided by third countries, the Commission must take account of the varying levels of legal, economic and technological development of the third countries in relation to European standards;

(b) 'adequate' protection does not mean per se that the third country should have the same rules as the Union but that, regardless of the type of legislative protection in force in the third country, the data subject must be effectively protected;

(c) in a third country protection should be considered effective when its effectiveness can be measured with reference to objective data, such as the possibility of identifying the person on whom the obligations are incumbent, the type of data processed, the uses that may be made of it and the mechanisms created to guarantee protection;

(d) in this context, the protection provided by a third country must comply with the following minimum requirements set out by the data control authorities of the EU Member States (opinion WP12 of June 1998):

"(1) the purpose limitation principle - data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer. The only exemptions to this rule would be those necessary in a democratic society on one of the grounds listed in Article 13 of the Directive.

(2) the data quality and proportionality principle - data should be accurate and, where necessary, kept up to date. The data should be adequate, relevant and not excessive in relation to the purposes for which they are transferred or further processed.

(3) the transparency principle - individuals should be provided with information as to the purpose of the processing and the identity of the data controller in the third country, and other information insofar as this is necessary to ensure fairness. The only exemptions permitted should be in line with Articles 11(2) [3] and 13 of the Directive.

(4) the security principle - technical and organisational security measures should be taken by the data controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.

(5) the rights of access, rectification and opposition - the data subject should have a right to obtain a copy of all data relating to him/her that are processed, and a right to rectification of those data where they are shown to be inaccurate. In certain situations he/she should also be able to object to the processing of the data relating to him/her. The only exemptions to these rights should be in line with Article 13 of the Directive.

(6) restrictions on onward transfers - further transfers of the personal data by the recipient of the original data transfer should be permitted only where the second recipient (i.e. the recipient of the onward transfer) is also subject to rules affording an adequate level of protection. The only exceptions permitted should be in line with Article 26(1) of the Directive.

[3] Article 11(2) stipulates that when data are collected from someone other than the data subject, information need not be provided to the data subject if this proves impossible, involves a disproportionate effort, or if the recording or disclosure of the data is expressly required by law.";

C. whereas, with reference to the guarantees concerning effective implementation, it is also necessary to secure the following objectives, particularly if the rules relating to the processing of data subject to assessment are based on a system of self-regulation:

"- The instrument must have mechanisms which effectively ensure a good level of general compliance. A system of dissuasive and punitive sanctions is one way of achieving this. Mandatory external audits are another.

- The instrument must provide support and help to individual data subjects who are faced with a problem involving the processing of their personal data. An easily accessible, impartial and independent body to hear complaints from data subjects and adjudicate on breaches of the code must therefore be in place.

- The instrument must guarantee appropriate redress in cases of non-compliance. A data subject must be able to obtain a remedy for his/her problem and compensation as appropriate";

The data protection system used in the United States

D. whereas in the United States:

(a) there is not at present any generally applicable legal data protection in the private sector and virtually all data are currently processed without specific guarantees of judicial protection;

(b) there are, however, numerous legislative proposals pending before Congress and the President of the United States himself recently referred to the need for further legislative measures, while the Federal Trade Commission expressed the same opinion in its third report to Congress on the functioning of the system of self-regulation in the electronic marketplace;

(c) the guidelines approved by the OECD (signed by the USA in 1980 and ratified at the Ottawa OECD Conference in September 1998) must in any case be applied in the area of personal data protection;

The nature and scope of the enforceability of the safe harbour

E. whereas, rather than encouraging a legislative approach, the US Department of Commerce intends to propose to companies 'safe harbour privacy principles' (and the Frequently Asked Questions (FAQs) arising from such principles), which:

(a) will apply only to personal data of EU origin, with the status of the voluntary 'standard' suggested to the businesses intending to receive data from the EU, but are binding on those businesses that opt to adhere to them and are enforceable by private dispute resolution bodies and government bodies with powers to obtain relief against unfair or deceptive practices;

(b) relate only to firms which fall within the competence of the Federal Trade Commission and the Department of Transportation (so that, for example, firms in the banking and telecommunications sectors are excluded);

(c) are subject to exceptions (FAQ 15) as regards public record and publicly available data (e.g. land register, telephones, tax declarations, electoral rolls), which are protected by Community legislation;

(d) use ambiguous terms such as 'organisation' (which may refer both to businesses and business conglomerates) and 'explicit authorisations' (which allow exemptions to the principles);

(e) do not provide a right of effective, personal appeal to a public body (FAQ 11);

(f) do not allow it to be concluded with certainty that it will be possible to obtain compensation for individual damage suffered as a result of possible violations of the safe harbour principles;

1. As a preliminary matter, and irrespective of the question of the draft decision submitted to Parliament:

(a) Notes with concern that, almost two years after the Directive's entry into force, data relating to EU citizens are circulating in third countries without any effective control by the Commission or the Member States;

(b) Wonders to what extent data relating to EU citizens may have been misused already;

(c) Requests the Member States and the Commission to inform EU citizens of the risks attached to the circulation of data in countries where data protection is not ensured or the Commission has not yet completed the process of assessing the adequacy of any such protection;

(d) Considers that the Commission was responsible for a serious omission in failing to draw up, before the Directive's entry into force, standard contractual clauses that EU citizens could invoke in the courts of third countries;

(e) Establishes 30 September 2000 as the date by which the proposed standard clauses should be submitted to the Committee set up under Article 31 of the Directive;

(f) Reserves the right, in the event of failure to comply, to launch the procedures provided for in the Treaty in respect of failure to act;

The draft decision submitted to the European Parliament

2. Points out that the draft decision does not describe a situation currently in existence in the United States, but is based on a draft of the safe harbour principles (with the relevant explanations) which the US Department of Commerce will issue for the guidance of companies wishing to meet the adequate protection requirement of the Directive;

3. Draws the Commission's attention to the risk that the exchange of letters between the Commission and the US Department of Commerce on the implementation of the 'safe harbour' principles could be interpreted by the European and/or United States judicial authorities as having the substance of an international agreement adopted in breach of Article 300 of the Treaty establishing the European Community and the requirement to seek Parliament's assent (Judgment of the Court of Justice of 9 August 1994: French Republic v. the Commission -- Agreement between the Commission and the United States regarding the application of their competition laws (Case C-327/91));

4. Regrets that, in the course of the last two years, there has been no consultation of European undertakings with regard to the risk of discrimination in relation to US undertakings which would be subject to less onerous data protection requirements than those with which European undertakings must comply;

5. Regrets that, in contrast with the US authorities' consultation of NGOs active in the field of consumer protection, the Commission has not embarked on any such consultation of European NGOs;

6. Insists on the importance of providing the best possible level of consumer protection and, in this regard, urges the Commission to ensure and assist continuous monitoring of the safe harbour principles;

7. Calls into question the existence in the US of two different protection systems depending on whether or not the owners of the data are European, and wonders whether such a dual system complies with the clause prohibiting discrimination on the grounds of nationality contained in the relevant international (OECD) agreements;

8. Considers that the situation in the US as regards privacy protection is likely to evolve rapidly over the coming few years, that new legislation is likely to be enacted there which could introduce standards of protection that are higher than those required by the safe harbour principles and that the safe harbour arrangement will therefore need to be adapted in order not to be overtaken by these developments;

9. Takes the view that, if issued and implemented by individual firms, such principles and the relevant explanations could be considered adequate protection under the terms of Article 25 of the Directive provided that the following changes are made to them:

- recognition of an individual right of appeal to an independent public body instructed to consider any appeal relating to an alleged violation of the principles;

- an obligation on participating firms to compensate for the damage, whether moral or to property, suffered by those involved, in the event of violations of the principles, and an undertaking by the firms to cancel personal data obtained or processed in an unlawful manner;

- ease of identification of the steps to be taken to ensure data are cancelled and to obtain compensation for any damage suffered;

- provision of a preliminary check by the Commission on the proper functioning of the system within six months of its entry into force and presentation of a report on the outcome of the check and any problems encountered to the working party provided for in Article 29 and the Committee provided for in Article 31 of the Directive, as well as to the relevant committee of the European Parliament;

10. Calls on the Commission to ensure that the operation of the safe harbour system is closely monitored, especially but not only as regards the points raised in Paragraphs 8 and 9 above and to make periodic reports to the working party provided for in Article 29 and the Committee provided for in Article 31 of the Directive, as well as to the relevant committee of the European Parliament;

11. Takes the view that the free movement of data cannot be authorised until all the components of the safe harbour system are operational and the United States authorities have informed the Commission that these conditions have been fulfilled;

12. Calls on the Commission and the Member States:

- to provide appropriate information (in the Official Journal and via the Internet) for European citizens on the 'safe harbour', making clear that differences may continue to exist between the 'safe harbour' and European law as regards the processing of personal data;

- to set up help-lines (freephone numbers, advice centres) to the relevant national authorities and the Commission to deal with any practical difficulties encountered (e.g. translations of appeals, forms, etc.);

- to review the decision in good time in the light of experience and of any legislative developments;

13. Insists that the European Commission append this resolution to its transmission letter to the United States authorities, thereby clearly emphasising Parliament's concern about the absence of an individual right of judicial appeal and the failure of an agreement to oblige companies to pay compensation for unlawfully processed data;

14. Instructs its President to forward this resolution to the Commission and the Parliaments and Governments of the Member States.