Communication from the Commission to the European Parliament and the Council on the functioning of the safe harbour from the perspective of EU citizens and companies established in the EU

Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Data Protection Directive") sets the rules for transfers of personal data from EU Member States to other countries outside the EU to the extent such transfers fall within the scope of this instrument. Under the Directive, the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into in order to protect rights of individuals in which case the specific limitations on data transfers to such a country would not apply. These decisions are commonly referred to as "adequacy decisions".

On 26 July 2000, the Commission adopted Decision 520/2000/EC recognising the Safe Harbour Privacy Principles and Frequently Asked Questions (FAQs) issued by the Department of Commerce of the United States, as providing adequate protection for the purposes of personal data transfers from the EU. The Safe Harbour decision was taken following an opinion of the Article 29 Working Party and an opinion of the Article 31 Committee delivered by a qualified majority of Member States. In accordance with Council Decision 1999/468 the Safe Harbour Decision was subject to prior scrutiny by the European Parliament.

As a result, the current Safe Harbour decision allows free transfer of personal information from EU Member States to companies in the US which have signed up to the Principles in circumstances where the transfer would otherwise not meet the EU standards for adequate level of data protection given the substantial differences in privacy regimes between the two sides of Atlantic. The functioning of the current Safe Harbour arrangement relies on commitments and self-certification of adhering companies. Signing up to these arrangements is voluntary, but the rules are binding for those who sign up. The fundamental principles of such an arrangement are:
a) Transparency of adhering companies' privacy policies,
b) Incorporation of the Safe Harbour principles in companies' privacy policies, and
c) Enforcement, including by public authorities.

This fundamental basis of the Safe Harbour has to be reviewed in the new context of:
a) the exponential increase in data flows which used to be ancillary but are now central to the rapid growth of the digital economy and the very significant developments in data collection, processing and use,
b) the critical importance of data flows notably for the transatlantic economy,
c) the rapid growth of the number of companies in the US adhering to the Safe Harbour scheme which has increased by eight-fold since 2004 (from 400 in 2004 to 3,246 in 2013),
d) the information recently released on US surveillance programmes which raises new questions on the level of the protection the Safe Harbour arrangement is deemed to guarantee.

Against this background, this Communication takes stock of the functioning of the Safe Harbour scheme. It is based on evidence gathered by the Commission, the work of the EU-US Privacy Contact Group in 2009, a Study prepared by an independent contractor in 2008 and information received in the ad hoc EU-U.S Working Group established following the revelations on US surveillance programmes.

See also:
- Communication from the Commission to the European Parliament and the Council - Rebuilding trust in EU-US data flows