EU questions decade-old US data agreement

“We do have the impression that the Safe Harbor Agreement, might not be so safe, after all,” she said.

The agreement was hammered out in 2000 between the US department of commerce and the European Commission, based on a clause in the current 1995 EU Data Protection Directive.

The around 3,000 companies that have voluntarily signed up follow a binding set of data transfer rules between the US and EU based on seven principles - notice, choice, onward transfer, security, integrity, access, and enforcement.

The low data protection standards built into the agreement is possibly a loophole, noted Reding.

“I’m working on a solid assessment of the Safe Harbor Agreement and I will present this assessment before the end of the year,” she said.

The US Federal Trade Commission (FTC) enforces Safe Harbor.

Some European data protection authorities have also expressed their doubts the agreement.

German deputy privacy commissioner Marit Hansen of Schleswig-Holstein’s data protection authority says the rules are seldom enforced in substance.

“I assume that if I write to a company as a data protection authority ‘you are in Safe Harbor please give some information on these principles and how you implement them in your business’ they will answer. So far no one was able to answer my question because they are not prepared to do that,’ she told this website in April.

In 2010, the US consultancy company Galexia found a number of irregularities in the agreement.

They noted in a report that 200 companies claimed to have joined the agreement without ever having done so. They also found only 350 companies which complied with the minimum standards of the agreement and that only one court case had been issued in over a ten-year period.

The FTC has since been more proactive and has issued twenty year consent orders on Twitter, Google, Facebook and MySpace which require them to be regularly audited.

In November last year, the FTC required Google to pay out $22.5 million over claims the Internet giant planted cookies on Apple’s Safari Internet browser.

Reding’s announcement on Safe Harbor follows a morning session of informal discussions with EU ministers of interior, which also touched upon the EU data protection regulation and the post-Stockholm programme on future justice priorities.

The on-going media revelations about the US Prism surveillance programme has provided extra new incentives for legislators to finalise negotiations on the data protection regulation and its adjoining directive.

Both policies aim to harmonise data protection rules throughout the EU but have suffered numerous setbacks as euro-deputies struggle to reach compromises on the 4,000 or so amendments.

German and French ministers in a joint-letter said the legislative data reforms need to advance with an aim to finalise negotiations between the European parliament and member states before the end of the Lithuanian EU Presidency.

“The justice ministers of the two countries signed a joint declaration saying that we need a high level of data protection for European citizens, which strikes the right balance between freedom and security,” said Reding.

She urged other ministers to demonstrate a similar drive to turn the data reforms into a binding EU law.