On 27 November 2013, the European Commission finally published its Communication on the “Safe Harbor” agreement as part of a broader package on EU/US data flows.
Perhaps the most disappointing aspect of the Communication was the statement that the PNR agreement and other data-sharing agreements work, made without substantiating any of those claims. Simply asking the United States if they breached the existing rules and blandly stating, in the absence of any credible evidence, that the agreements on passenger name records (PNR) and financial data tracking (TFTP) “meet the common security interests of the EU and US, whilst providing a high level of protection of personal data” provides no new information and offers no new insights. Indeed, the only thing that is new is the apparent belief of the European Commission that politely asking the US if they have been breaking any rules constitutes an investigation.
The claim about a high level of protection of personal data rings particularly hollow in the face of the revelations made public by Edward Snowden. These revelations show a level of data collection by US agencies that has absolutely no regard for the fundamental principles of necessity and proportionality under international law.
It does not get much better when we look at the Commission's thirteen recommendations for the implementation of Safe Harbor. They are nothing more than recommendations. Instead of giving a clear signal on what must change in order to make the Safe Harbor exception tenable and credible in the light of the Commission's legal duties to protect the fundamental rights of EU citizens, the Commission leaves uncertainty on what may happen next. This is not good for citizens and it is not good for business.
The Commission veers off into the surreal with its recommendations regarding access to personal data by US authorities. It recommends that privacy policies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor. In light of the fact that, so far, several US-based human rights organisations have had to resort to courts (with limited success) in order to get the US government to even disclose exactly this, one can but wonder about the basis for the Commission's faith in the ability of corporate entities to provide such disclosure.
Equally detached from reality are the Commission's recommendations on enforcement: none of them mentions the possibility of a loss of self-certification or wider implications for the Safe Harbor regime in case of structural failures to comply with its already too relaxed protections for EU citizens.
As it stands now, the US Safe Harbor regime is neither safe nor a harbour – more of a jagged rock sticking out of a stormy sea. The Commission's recommendations can logically only lead to a continuation of this charade. It has been said before: Safe Harbor is dead; so far we have not got around to burying it. Time for a burial at sea?
Restoring Trust in EU-US data flows - Frequently Asked Questions
European Commission calls on the U.S. to restore trust in EU-U.S. data