Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance) (2000/520/EC)

• Published date: 25 August 2000
• Official Gazette Publication: Official Journal of the European Communities, L 215, 25 August 2000

2000D0520 — EN — 25.08.2000 — 000.001

---

This document is meant purely as a documentation tool and the institutions do not assume any liability for its contents

►B COMMISSION DECISION of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance) (2000/520/EC) (OJ L 215, 25.8.2000, p.7)

Corrected by:

►C1 Corrigendum, OJ L 115, 25.4.2001, p. 14 (520/00)

---

▼B

COMMISSION DECISION

of 26 July 2000

pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce

(notified under document number C(2000) 2441)

(Text with EEA relevance)

(2000/520/EC)

THE COMMISSION OF THE EUROPEAN COMMUNITIES,

Having regard to the Treaty establishing the European Community,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ( 1 ), and in particular Article 25(6) thereof,

Whereas:

(1) Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer.

(2) The Commission may find that a third country ensures an adequate level of protection. In that case personal data may be transferred from the Member States without additional guarantees being necessary.

(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and in respect of given conditions. The Working Party on Protection of Individuals with regard to the Processing of Personal Data established under that Directive ( 2 ) has issued guidance on the making of such assessments ( 3 ).

(4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out and any decision based on Article 25(6) of Directive 95/46/EC should be enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail nor constitute a disguised barrier to trade taking into account the Community's present international commitments.

(5) The adequate level of protection for the transfer of data from the Community to the United States recognised by this Decision, should be attained if organisations comply with the safe harbour privacy principles for the protection of personal data transferred from a Member State to the United States (hereinafter ‘the Principles’) and the frequently asked questions (hereinafter ‘the FAQs’) providing guidance for the implementation of the Principles issued by the Government of the United States on 21 July 2000. Furthermore the organisations should publicly disclose their privacy policies and be subject to the jurisdiction of the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act which prohibits unfair or deceptive acts or practices in or affecting commerce, or that of another statutory body that will effectively ensure compliance with the Principles implemented in accordance with the FAQs.

(6) Sectors and/or data processing not subject to the jurisdiction of any of the government bodies in the United States listed in Annex VII to this Decision should fall outside the scope of this Decision.

(7) To ensure the proper application of this Decision, it is necessary that organisations adhering to the Principles and the FAQs can be recognised by interested parties, such as data subjects, data exporters and data protection authorities. To this end the US Department of Commerce or its designee should undertake to maintain and make available to the public a list of organisations self-certifying their adherence to the Principles implemented in accordance with the FAQs and falling within the jurisdiction of at least one of the government bodies listed in Annex VII to this Decision.

(8) In the interests of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify in this Decision the exceptional circumstances in which the suspension of specific data flows should be justified, notwithstanding the finding of adequate protection.

(9) The ‘safe harbor’ created by the Principles and the FAQs, may need to be reviewed in the light of experience, of developments concerning the protection of privacy in circumstances in which technology is constantly making easier the transfer and processing of personal data and in the light of reports on implementation by enforcement authorities involved.

(10) The Working Party on Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered opinions on the level of protection provided by the ‘safe harbor’ Principles in the United States which have been taken into account in the preparation of the present Decision ( 4 ).

(11) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31 of Directive 95/46/EC.

(12) Pursuant to Council Decision 1999/468/EC and in particular Article 8 thereof, on 5 July 2000 the European Parliament adopted Resolution A5-0177/2000 on the draft Commission decision on the adequacy of the protection afforded by the ‘Safe Harbor Privacy Principles’ and related frequently asked questions issued by the United States Department of Commerce ( 5 ). The Commission re-examined the draft decision in the light of that resolution and concluded that although the European Parliament expressed the view that certain improvements needed to be made to the ‘Safe Harbor Principles’ and related FAQs before it could be considered to provide ‘adequate protection’, it did not establish that the Commission would exceed its powers in adopting the decision,

▼B

HAS ADOPTED THIS DECISION:

Article 1

1. For the purposes of Article 25(2) of Directive 95/46/EC, for all the activities falling within the scope of that Directive, the ‘Safe Harbor Privacy Principles’ (hereinafter ‘the Principles’), as set out in Annex I to this Decision, implemented in accordance with the guidance provided by the frequently asked questions (hereinafter ‘the FAQs’) issued by the US Department of Commerce on 21 July 2000 as set out in Annex II to this Decision are considered to ensure an adequate level of protection for personal data transferred from the Community to organisations established in the United States, having regard to the following documents issued by the US Department of Commerce:

(a) the safe harbour enforcement overview set out in Annex III;

(b) a memorandum on damages for breaches of privacy and explicit authorisations in US law set out in Annex IV;

(c) a letter from the Federal Trade Commission set out in Annex V;

(d) a letter from the US Department of Transportation set out in Annex VI.

2. In relation to each transfer of data the following conditions shall be met:

(a) the organisation receiving the data has unambiguously and publicly disclosed its commitment to comply with the Principles implemented in accordance with the FAQs; and

(b) the organisation is subject to the statutory powers of a government body in the United States listed in Annex VII to this Decision which is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality, in case of non-compliance with the Principles implemented in accordance with the FAQs.

3. The conditions set out in paragraph 2 are considered to be met for each organisation that self-certifies its adherence to the Principles implemented in accordance with the FAQs from the date on which the organisation notifies to the US Department of Commerce (or its designee) the public disclosure of the commitment referred to in paragraph 2(a) and the identity of the government body referred to in paragraph 2(b).

Article 2

This Decision concerns only the adequacy of protection provided in the United States under the Principles implemented in accordance with the FAQs with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect the application of other provisions of that Directive that pertain to the processing of personal data within the Member States, in particular Article 4 thereof.

Article 3

1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to an organisation that has self-certified its adherence to the Principles implemented in accordance with the FAQs in order to protect individuals with regard to the processing of their personal data in cases where:

(a) the government body in the United States referred to in Annex VII to this Decision or an independent recourse...