EU will not suspend safe harbor data privacy agreement with the US

EU wants US to address privacy concerns and EU citizens' right to judicial redress

The European Commission said Wednesday it will not suspend the safe harbor data privacy agreement with the U.S. despite calls from the European Parliament.

However, following revelations of large-scale U.S. intelligence collection programs, the Commission has put forward a range of proposals to strengthen the agreement.

The bilateral safe harbor deal was reached in 2000, despite controversy at the time. Under the safe harbor agreement, which is purely voluntary, companies in the U.S. sign up to a set of rules to protect the data privacy of E.U. customers. They are then authorized to display a logo showing that they are part of the agreement, and the rules can be legally enforced by the U.S. Department of Commerce and the U.S. Federal Trade Commission.

At last count, in late September, 3,246 companies had signed up. However, hundreds of U.S.-based companies illegally use the logo without ever intending to follow the safe harbor code.

Under safe harbor, limitations to data protection rules are permitted where necessary on grounds of national security, but the Commission says that the large-scale collection and processing of personal information under U.S. surveillance programs has called this into question. Speaking at an event in Brussels on Tuesday night, E.U. Home Affairs Commissioner Cecilia Malmström said: "The NSA (U.S. National Security Agency) has grown into an uncontrollable monster."

The Commission has the right to suspend the safe harbor agreement in the case of a systemic failure on the U.S. side to ensure compliance. However, Malmström said on Wednesday that improving the system was preferable to suspending it and that she wanted concrete solutions from the U.S. by summer 2014.

The Commission wants self-certified companies to publicly disclose their privacy policies as well as those of any contracts with subcontractors, for example cloud computing services. Privacy policies should also include information on the extent to which U.S. law allows authorities to collect and process customers' data and under what circumstances the company will hand this data over -- for example, to meet national security, public interest or law enforcement requirements.

The Commission also wants the U.S. Department of Commerce to clearly flag on its website all companies that are not current members of the agreement and to inform the competent E.U. data protection authority in the case of doubts about a company's compliance or pending complaints.

"Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after one year," said the Commission statement. "As the revelations about U.S. intelligence collection programmes have shown, this is critical because these programmes affect data stored in the cloud," said Malmström.

The proposed new E.U. Data Protection Regulation, which is expected to be made final next year, will also strengthen consumer trust in non-E.U. companies according to the Commission, as it "establishes clear conditions under which data can be transferred outside the E.U. Transfers can only be allowed where conditions, which safeguard individuals' rights to a high level of protection, are met. It will also ensure that non-European companies, when offering goods and services to European consumers, respect E.U. data protection law."

Meanwhile the E.U. and the U.S. are currently negotiating a framework agreement on data protection in the field of police and judicial cooperation. These talks  were started in March 2011; both parties have now committed to completing the negotiations before summer 2014.

Revelations this year by former U.S. government contractor Edward Snowden about massive data collection efforts at the U.S. National Security Agency have sparked controversy on both sides of the Atlantic. The NSA has been collecting large numbers of U.S. phone records and overseas Internet communications for years, according to leaks from Snowden.

"European citizens' trust has been shaken by the Snowden case, and serious concerns still remain following the allegations of widespread access by U.S. intelligence agencies to personal data," Malmström said.

She therefore wants enforceable rights, notably the right to judicial redress, for E.U. citizens who are not resident in the U.S. Any framework agreement on data protection should also include details about how and for what purposes data can be transferred and processed and the conditions for and duration of the retention of the data, she said.

The Commissioner also said that data protection will not be part of the ongoing negotiations for the E.U.-U.S. Transatlantic Trade and Investment Partnership, a bi-lateral trade deal currently being negotiated in secret.

Follow Jennifer on Twitter at @BrusselsGeek or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags regulationeuropean commissionsecuritygovernmentprivacy

More about European CommissionEuropean ParliamentFederal Trade CommissionNational Security AgencyNSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jennifer Baker

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place