November 27, 2013, 10:05 AM — The European Commission said Wednesday it will not suspend the safe harbor data privacy agreement with the U.S. despite calls from the European Parliament.
However, following revelations of large-scale U.S. intelligence collection programs, the Commission has put forward a range of proposals to strengthen the agreement.
The bilateral safe harbor deal was reached in 2000, despite controversy at the time. Under the safe harbor agreement, which is purely voluntary, companies in the U.S. sign up to a set of rules to protect the data privacy of E.U. customers. They are then authorized to display a logo showing that they are part of the agreement, and the rules can be legally enforced by the U.S. Department of Commerce and the U.S. Federal Trade Commission.
At last count, in late September, 3,246 companies had signed up. However, hundreds of U.S.-based companies illegally use the logo without ever intending to follow the safe harbor code.
Under safe harbor, limitations to data protection rules are permitted where necessary on grounds of national security, but the Commission says that the large-scale collection and processing of personal information under U.S. surveillance programs has called this into question. Speaking at an event in Brussels on Tuesday night, E.U. Home Affairs Commissioner Cecilia Malmström said: "The NSA (U.S. National Security Agency) has grown into an uncontrollable monster."
The Commission has the right to suspend the safe harbor agreement in the case of a systemic failure on the U.S. side to ensure compliance. However, Malmström said on Wednesday that improving the system was preferable to suspending it and that she wanted concrete solutions from the U.S. by summer 2014.
The Commission wants self-certified companies to publicly disclose their privacy policies as well as those of any contracts with subcontractors, for example cloud computing services. Privacy policies should also include information on the extent to which U.S. law allows authorities to collect and process customers' data and under what circumstances the company will hand this data over -- for example, to meet national security, public interest or law enforcement requirements.
The Commission also wants the U.S. Department of Commerce to clearly flag on its website all companies that are not current members of the agreement and to inform the competent E.U. data protection authority in the case of doubts about a company's compliance or pending complaints.
"Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after one year," said the Commission statement. "As the revelations about U.S. intelligence collection programmes have shown, this is critical because these programmes affect data stored in the cloud," said Malmström.