29 March 2000
Draft Commission Decision on the adequacy of the US Safe Harbor Principles
The present text is a DRAFT prepared by the Commission services.
The Decision has not been adopted and therefore has no operative
effect. It is being published for the purpose of obtaining public comment,
in the same way as other "safe harbor" documents published in recent days.
THE EUROPEAN COMMISSION,
Having regard to Article 25, paragraph 6 of Directive 95/46/EC (hereinafter: "the Directive"),
Having regard to the Opinion of the Committee established by Article 31 of the Directive, adopted on .. .. ….;
Taking into account that:
(1) Article 25, paragraph 1 of the Directive requires Member States to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer;
(2) Article 25, paragraph 6 of the Directive allows the Commission, assisted by the Committee established by Article 31, to find that a third country ensures an adequate level of protection. This finding allows personal data to be transferred from the Member States without additional guarantees being necessary. It is desirable, when that is justified, to make such positive findings in order to provide legal certainty and to simplify procedures for controllers intending to transfer data to third countries. For the same reason, these findings should if possible cover all the activities falling within the scope of the Directive. This includes telecommunications, for which the Directive is particularised and complemented by Directive 97/66/EC(1).
(3) Article 25(2) of the Directive requires that the level of data protection be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and that particular consideration be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country; the working party established under Article 29 of the Directive has issued guidance on how such assessments should be made(2);
(4) Given the different approaches to data protection in third countries, the adequacy assessment has to be carried out and any decision based on Article 25 paragraph 6 has to be enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail nor constitute a disguised barrier to trade, taking into account the Community's present international commitments;
(5) On .. .. …. the Government of the United States of America (Department of Commerce) issued "The International Safe Harbor Privacy Principles" for the protection of personal data transferred from a Member State to the USA (hereinafter: "the Principles": annex 1) and a set of Frequently Asked Questions (hereinafter the FAQs: annex 2) providing guidance for the implementation of the Principles;
(6) Adherence to these Principles is entirely voluntary but in order to obtain and retain recognition that they provide an adequate level of protection for the transfer of data from the EU to the US as provided for by this decision, organisations must comply with the Principles, publicly disclose their privacy policies and be subject to the jurisdiction of the Federal Trade Commission under Section 5 of the Federal Trade Commission Act which prohibits unfair or deceptive acts or practices in or affecting commerce, or that of another statutory body that will effectively ensure compliance with the Principles;
(7) The Federal Trade Commission Act empowers the Federal Trade Commission to obtain injunctive relief against unfair and deceptive practices, as well as redress for citizens of the United States and of other countries and in carrying out its statutory enforcement responsibilities within the area of its jurisdiction the Federal Trade Commission has indicated its readiness to investigate complaints, irrespective of the nationality or country of residence of the complainant;
(8) The jurisdiction of the Federal Trade Commission is subject to a number of statutory exclusions, but in respect of some of the excluded sectors, the Principles will be enforced by …… in the areas of their respective competence on the basis of … (3);
(9) Sectors and/or data processing not subject to the jurisdiction of the government bodies within the US referred to in recitals 7 and 8 fall outside the scope of this decision;
(10) To ensure the proper application of this decision, it is necessary that organisations adhering to the Principles can be recognised by interested parties, such as data subjects, data exporters and data protection authorities and to this end the US Department of Commerce or its designee has undertaken to maintain and make available to the public a list of organisations self-certifying their adherence to the Principles and falling within the jurisdiction of at least one of the government bodies referred to in recitals 7 and 8;
(11) The present decision concerns only the adequacy of protection provided in the United States under the Principles with a view to meeting the requirements of Article 25 paragraph 1 of the Directive and does not affect other legal conditions or restrictions pertaining to the processing of personal data within the Member States that may apply to transfers of such data.
(12) The decision that protection for personal data is adequate under the Principles should not prevent the competent authorities from taking the necessary measures in accordance with Article 2 of this decision to suspend specific transfers when the competent US bodies have found that the Principles are not being complied with, or if it becomes clear that US enforcement action is failing to secure compliance and that the continuation of the transfers in question would gravely harm data subjects;
(13) The "safe harbor" created by the Principles, underpinned by well-established government and private sector mechanisms in the United States, represents an innovative approach which may need to be reviewed in the light of experience and of developments concerning the protection of privacy in circumstances in which technology is constantly making easier the transfer and processing of personal data;
(14) The Working Party established by Article 29 of the Directive has delivered Opinions on the level of protection provided by the "safe harbor" arrangements in the United States which have been taken into account in the preparation of the current decision(4).
HAS ADOPTED THE FOLLOWING DECISION
Article 1
1. For the purposes of Article 25, paragraph 2 of Directive 95/46/EC, for all the activities falling within the scope of the Directive, the "International safe harbor privacy principles", hereinafter "the Principles" implemented in accordance with the guidance provided by the Frequently Asked Questions (FAQs) issued by the Department of Commerce on …… and annexed to this decision are considered to ensure an adequate level of protection for personal data transferred from the European Union to organisations established in the US, if and insofar as the following conditions are met, in relation to the data to be transferred:
(a) the organisation receiving the data has unambiguously and publicly disclosed its commitment to comply with the Principles implemented in accordance with the FAQs and
(b) the organisation is subject to the statutory powers of a government body which is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality, in case of non-compliance with the Principles(5).
2. The conditions mentioned in paragraph 1 are considered to be met for each organisation that self-certifies its adherence to the Principles from the date on which the organisation notifies to the US Department of Commerce (or its designee) the public disclosure of the commitment referred to under paragraph 1 letter a) and the identity of the government body referred to under paragraph 1 letter b).
Article 2
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of the Directive, the competent authorities in Member States may exercise their existing powers to suspend data flows to an organisation that has self-certified its adherence to the Principles in order to protect individuals with regard to the processing of their personal data in cases where:
a) the US public body referred to under Article 1, paragraph 1 letter b) or an independent recourse mechanism within the meaning of indent a) of the Enforcement Principle has determined that the organisation is violating the Principles, or
b) there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.
The suspension shall cease as soon as compliance with the Principles is assured and the competent authority concerned in the EU is notified thereof.
2. Member States shall inform the Commission without delay when measures are adopted on the basis of paragraph 1.
3. The Member States and the Commission shall also inform each other of cases where the action of bodies responsible for ensuring compliance with the Principles in the US fails to secure such compliance.
4. If the information collected under the previous paragraphs of the present Article provides evidence that any body responsible for ensuring compliance with the Principles in the US is not effectively fulfilling its role, the Commission shall inform the US Department of Commerce and, if necessary, present draft measures in accordance with the procedure established by Article 31 of the Directive with a view to reversing or suspending the present decision or limiting its scope.
Article 3
1. The present decision shall be reviewed at any time if experience with its implementation shows that this is necessary. The Commission shall in any case evaluate the implementation of the present decision on the basis of available information three years after its publication in the Official Journal and report any pertinent findings to the Committee established under Article 31 of the Directive, including any evidence that could affect the evaluation of the system set out in Article 1 of this decision as adequate within the meaning of Article 25 of the Directive and any evidence that the decision is being implemented in a discriminatory way.
2. The Commission shall, if necessary, present draft measures in accordance with the procedure established by Article 31 of the Directive.
Article 4
Member States shall take all the measures necessary to comply with this decision at the latest at the end of a period of ninety days from the date of its publication in the Official Journal of the European Communities.
Article 5
This decision is addressed to the Member States.
1 OJ L24 of 30 January 1998, p.1
2 [Add reference to the composite opinion of June 1998.]
3 This recital will list the government bodies concerned and refer to the relevant provisions conferring the powers that will ensure the effective enforcement of the Principles. So that the procedure for adding to this list, if this proves necessary, is as streamlined as possible, the US has proposed the following addition to this recital: "or by another government body nominated by the Department of Commerce which, in the judgement of the Commission, has provided the necessary assurances that it will effectively ensure compliance with the Principles."
4 Add reference(s).
5 See recital 8 and footnote to recital 8. It will be necessary to adapt this wording if, as seems likely, the powers of some of the government bodies to be listed in recital 8, which will effectively ensure compliance with the Principles, rest on a basis other than relief against unfair or deceptive practices.