The EU has a ‘Safe Harbour’ agreement with the US to provide “adequate protection” for EU businesses and citizens’ data:
“The European Commission’s Directive on Data Protection went into effect in October of 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.
In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a “Safe Harbor” framework and this website to provide the information an organization should need to evaluate – and then join – the U.S.-EU Safe Harbor program.”
Facebook’s Safe Harbour explanations states:
“Facebook, Inc. (hereinafter “Facebook” or “we”) recognizes that the European Community has established a data protection regime pursuant to Directive 95/46/EC (the “Directive”), which applies to the European Economic Area (“EEA”), and that Switzerland has established a data protection regime pursuant to the Federal Act on Data Protection (“FADP”). Facebook further recognizes that these regimes restrict companies and other organizations in the EEA and Switzerland (collectively, “EEA/CH”) from transferring personal data about individuals in the EEA/CH to the United States, unless there is “adequate protection” for such personal data when it is received in the United States.
To create such “adequate protection” and to overcome the restriction on international data transfers established by the Directive and the FADP, Facebook adheres to the Safe Harbor Privacy Principles published by the U.S. Department of Commerce (“Safe Harbor Principles”) with respect to certain information that it receives in the United States: namely, personal data about employees or other individual representatives in the EEA/CH of corporate customers, suppliers, distributors, advertising customers and other business partners of Facebook or a subsidiary or affiliate of the Facebook group (“EEA/CH Data”).”
Note the “pursuant to Directive 95/46/EC (the “Directive”)“.
So, “Safe Harbour” only relates to one EU acquis, yet the EU has many more acquis relating to EU data.
It looks to me that ‘Safe Harbour’ does not relate to these other EU acquis and therefore EU data transferred to the US does not meet the European Union (EU) “adequacy”/“adequate protection” standards for privacy protection of the EU’s businesses and citizens data by conforming to ALL EU acquis.
An additional concern is that US companies self-certify whether they are in compliance with ‘Safe Harbour’. Surely the EU should decide which companies are in compliance with ‘Safe Harbour’ and whether data that is transferred outside EU jurisdiction is “adequately” protected and has “adequate protection” at least up the the standards ALL EU acquis lays down.
Interestingly, there are some moves to create “DMCA Safe Harbors” via crowdsoucing new legislation, which sounds very interesting:
As an aside, I was reading this report on the mechanisms Facebook uses to censor content posted on Facebook: http://www.allfacebook.com/facebook-content-screeners-2012-02
It would seem Facebook transfers data to at least Turkey, the Philippines, Mexico, and India in order for their poorly paid censors, that are based in those countries, to examine data Facebook pays to be examined. How does this transfer of EU data outside the EU conform with ‘Safe Harbour” or indeed, all EU acquis?