The Safe-Harbour provision, in place since the early years of the tech boom in the late 1990s, allows US companies to satisfy EU rules by signing up to a self-reporting scheme, supervised by the US federal trade commission. It is based on the principle that US data privacy standards are equivalent to those in Europe.
Viviane Reding, the commissioner overseeing data protection, told that her office had begun an assessment of the “Safe Harbour” used by Google and Facebook, as well as thousands of smaller US tech companies.
The Safe Harbor agreement between the EU and US is under review as it may be a “loophole” for data transfers to take place at a lower standard of data protection than EU law permits, the European Commission has said.
The European Union has therefore launched a commission to review the U.S. Department of Commerce’s Safe Harbor agreement. The review comes in the wake of PRISM, the US National Security Agency’s data collection program. Safe Harbor is a voluntary program for U.S.-based companies with operations in the EU to transfer personal data across EU borders.
The EU, indeed, argues that the Safe Harbor program may be using “loopholes” to skirt EU data privacy rules. The International Trade Association (ITA), acknowledges the “criticisms,” but disagrees, saying that the program operates within its framework. Safe Harbor is based on the EU Data Protection Directive, and, as noted by the ITA, is limited when national security or defense matters are in question.
EU officials would like to review Safe Harbor for compatibility with new EU laws on data protection. While the U.S. is open to discussions on Safe Harbor, it is not likely that they will tighten any restrictions on it.
At issue is the reach of the draft EU legislation. It would require non-European companies to comply with EU laws in full when serving European customers – something that US officials argue is extraterritorial. It would also allow Brussels to fine companies that did not comply up to 2 per cent of their total annual turnover.