Other available languages: none
Vice-President of the European Commission, EU Justice Commissioner
Future of the Safe Harbour Agreement in the light of the NSA affair
15 January 2014
We have had the opportunity to debate the implication of the NSA revelations this summer on several occasions, both in this Chamber and in the LIBE Committee.
These exchanges have been very useful, and I am looking forward to seeing the important conclusions of the LIBE inquiry Committee.
It is essential to speak with one voice to our US partners and to ensure that the protection of data protection rights of EU citizens is properly addressed in the US debate.
The exchanges and meetings of the Commission with the US authorities, the visits of delegations of this Parliament to the US and the work done with Member States in the EU-US Ad hoc expert group have all been opportunities to highlight our common concerns. We all agree on the need to rebuild trust in our transatlantic relationship and in transatlantic data transfers.
Safe Harbour is an important arrangement in this context. It deals with the transfer of personal data from the EU to companies in the U.S. The aim of this scheme put in place in 2000 was to make sure that our rights are protected at all times according to EU standards, while securing the business advantages which flow from the ability to transfer personal data to the US for processing there.
The Commission is addressing the deficiencies in the Safe Harbour. As requested by the European Parliament, we have analysed the Safe Harbour regime and on 27 November, we issued our analysis and were clear that we must make Safe Harbour safer.
As a result of a lack of transparency and enforcement on the US side, some companies do not, in practice, comply with the scheme. This has a negative impact on individuals' rights. And it may create an unfair competitive advantage for those companies in relation to European companies operating on the same market.
We are also taking seriously the risk that Safe Harbour, as a conduit for transfers of personal data, facilitates access to such data by US national security authorities under large scale surveillance programmes.
While the Safe Harbour decision allows limitations of protection when justified by national security, they must comply with the principles of proportionality and necessity.
Massive collection of data by the authorities on anybody, without suspicion goes beyond what is proportionate and necessary. I made it very clear to the US partners that this issue needs to be addressed in a satisfactory manner if we want to ensure the continuity of the scheme.
EU data subjects must have clarity and thus must be able to trust that if their data is transferred to the US, it is not routinely screened by the NSA. After all, the purpose of the Safe Harbour was to provide EU data subjects with a higher level of protection than available under the law in the US, in order to meet EU standards of data protection. Safe Harbour is meant to be an island of EU-style data protection within the US.
The Commission Communication to the Parliament and the Council on the functioning of Safe Harbour identifies 13 crucial points necessary to ensure the continuity of data protection according to EU standards. The Commission made concrete recommendations on four major areas of improvement: transparency, possibility of effective redress, effective enforcement and limitations of access by public authorities.
With these 13 points, the US authorities have a real to-do list. I expect them to deliver and to seriously improve the scheme. We should have a first meeting with US authorities in Brussels very soon.
The US Department of Commerce and the US Federal Trade Commission should improve the functioning and enforcement of the Safe Harbour arrangement. The national security exemption in Safe Harbour must work in a clear and narrow way to ensure that it is only used in cases where it is necessary and proportionate according to our standards.
Our Communication on Rebuilding Trust in EU-US Data Flows makes clear that remedies must be identified by summer this year and should be implemented as soon as possible. We will then review the functioning of the Safe Harbour scheme based on the implementation of these recommendations. This broader review process should involve open consultation and a debate in the European Parliament.
Making Safe Harbour truly safer should not, however, distract us from our focus on data protection reform. A strong legislative framework with clear rules that are enforceable, also when data is transferred and processed abroad is, more than ever, a must. It will provide legal certainty and protection for data subjects and companies.
Therefore let me congratulate those who have worked on the data protection reform so hard. You adopted a strong text which makes clear the Union's determination. Together, we have to apply pressure on the Council to accelerate its work so that negotiations can start and an agreement will be concluded in line with the European Council conclusions.
Since the Snowden revelations, the Commission has been proactive. It has made its voice heard. It has asked difficult questions, it has defended the rights of EU citizens. It has set out the ways in which trust in data flows between the EU and the US can be rebuilt. The past months have shown that when the EU speaks with a single voice, it is heard.
Let's continue to work together on this fundamental issue of our time.