Microsoft exec says Safe Harbor framework is 'alive and well'

Privacy critic: 'It's dead. We just forgot to bury it'

CPDP Privacy advocates have expressed concern about Brussels' Commissioner Viviane Reding's decision to leave in place the Safe Harbour framework used by some companies to transfer data from Europe to the US.

The EC's vice president tabled her draft bill for the overhaul of the EU's 1995 data protection law on Wednesday.

However, critics have questioned how the Safe Harbour scheme can remain workable within the wider context of the commissioner's DP legislation proposals.

EU data protection laws currently state that organisations must tell people when they are asked to disclose their personal information. Some companies that meet the requirements of Europe's DP directive are allowed to transfer EU data to the US.

Microsoft is one of them.

Reding's proposals state:

Article 41 sets out the criteria, conditions and procedures for the adoption of an adequacy decision by the Commission, based on Article 25 of Directive 95/46/EC. The criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection include expressly the rule of law, judicial redress and independent supervision. The article now confirms explicitly the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country.

Article 42 requires for transfers to third countries, where no adequacy decision has been adopted by the Commission, to adduce appropriate safeguards, in particular standard data protection clauses, binding corporate rules and contractual clauses. The possibility of making use of Commission standard data protection clauses is based on Article 26(4) of Directive 95/46/EC. As a new component, such standard data protection clauses may now also be adopted by a supervisory authority and be declared generally valid by the Commission. Binding corporate rules are now specifically mentioned in the legal text. The option of contractual clauses gives certain flexibility to the controller or processor, but is subject to prior authorisation by supervisory authorities.

Article 43 describes in further detail the conditions for transfers by way of binding corporate rules, based on the current practices and requirements of supervisory authorities.

Article 44 spells out and clarifies the derogations for a data transfer, based on the existing provisions of Article 26 of Directive 95/46/EC. This applies in particular to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, or between services competent for social security matters or for fisheries management. In addition, a data transfer may, under limited circumstances, be justified on a legitimate interest of the controller or processor, but only after having assessed and documented the circumstances of that transfer operation.

Article 45 explicitly provides for international co-operation mechanisms for the protection of personal data between the Commission and the supervisory authorities of third countries, in particular those considered offering an adequate level of protection, taking into account the Recommendation by the Organisation for Economic Co-operation and Development (OECD) on cross-border co-operation in the enforcement of laws protecting privacy of 12 June 2007.

Ron Zink, who is Microsoft's EU affairs COO, told a panel at the Computer, Privacy & Data Protection conference in Brussels today that he hoped that the "Safe Harbor framework is alive and well and would continue." He added, "I hope it continues to be an adequate mechanism for the transfer of data between the US and EU."

But Walter Van Holst of the European Digital Rights group, who was also present on the panel, retorted that the scheme was "a compromise that just doesn't work".

He added that "Safe Harbor is dead. We just forgot to bury it."

Zink insisted that "Safe Harbor was alive and well," however.

A representative for the European Commission told the audience that it would report on the Safe Harbor framework in the coming months.

Van Holst said that the "export of personal data" remained "poorly enforced" and added that it was "detrimental to European companies".

"Talks about data being offshored in places outside the current scope of the Directive hurts European companies," he claimed.

'Aspirational rules'

More generally, Zink reaffirmed comments he made earlier this week about the need for "harmonisation" of data-handling on both sides of the Atlantic.

He has expressed some concerns about the proposed reform of DP law in the EU, specifically about how the so-called "Right to be forgotten" online can be adequately addressed and the need not to be overly prescriptive with the reform.

"It's easy to criticise a monumental task like this. It's complex: everyone's looking." He added: "With cloud computing we're moving data around the world".

"The fact that this is a regulation that harmonises is very good."

Zink also said that "improvements" had been made to how data is transferred around the world and added that contractual clauses detailed in Article 42 of the draft bill "could be helpful". He added that consent from an individual about usage of their data needed to be "explicit".

The MS exec said that Reding's proposed rules on data protection were "aspirational". ®
