Under European data privacy principles, companies operating in the EU are not allowed to send personal data to countries with less stringent privacy regulations. The US is considered to be one such country. To overcome this commercial difficulty the two sides developed a 'safe harbor' agreement. Provided that the US company concerned agrees to abide by certain privacy guarantees, it is able to receive personal data from EU sources.
The Edward Snowden revelations on the NSA Prism surveillance program have made many European politicians question whether this safe harbor arrangement is compatible with US Foreign Intelligence Surveillance Act (FISA) interpretations and applications of the PATRIOT Act. Under these interpretations, US law enforcement and intelligence agencies can and do require US companies to hand over personal data – including that of EU citizens – that would generally be protected by the European data protection laws.
Earlier this month, the European Parliament's rapporteur/draftsman for the proposed General Data Protection Regulation, Jan Philipp Albrecht, commented, "The upcoming informal meeting of the Council's justice and home affairs ministers should respond rapidly to these latest developments. Failure to provide an adequate response to these developments means jeopardizing the EU's principles of democracy, justice and integrity.”
Vice president Vivian Reding duly responded. At the informal meeting in Vilnius, she announced, "The Safe Harbor agreement may not be so safe after all. It could be a loophole for data transfers because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones." She went further stating that the Commission is assessing the existing agreement and will present a report before the end of the year.
With perfect timing, the precise issues concerned were highlighted by a 'ruling' – actually just a letter – from the Irish data protection commissioner last week. The activist organization Europe v Facebook had filed data protection complaints against several major companies for handing over EU data to the NSA's Prism program. The Irish commissioner responded to complaints against Apple and Facebook, both of whom have European headquarters in Ireland.
It replied by letter to Europe v Facebook, "We consider that an Irish·based data controller has met their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is 'Safe Harbor' registered. We further consider that the agreed 'Safe Harbor' Progamme envisages and addresses the access to personal data for law enforcement purposes held by a U.S. based data processor."
In short, all a US company has to do is register with the Safe Harbor scheme for it to be lawful under European law to hand over EU data to the NSA. “This means," said Max Schrems, founder of Europe v Facebook, "that you can forward Europeans’ data to the NSA as much as you wish, if you only put your parent company on a list.” This is the loophole that Viviane Reding intends to investigate.