EUROPEAN UNION COMMITTEE

HOME AFFAIRS, HEALTH AND EDUCATION SUB- COMMITTEE

Safe Harbour Oral Evidence and Written Submissions

Contents

Caspar Bowden, Phil Lee and Professor Charles Raab—Oral Evidence (QQ1-11) ...... 2
European Commission—Oral Evidence (QQ12-20) ...... 40
European Data Protection Supervisor and Information Commissioner’s Office—Oral Evidence (QQ21-32) ...... 58
Information Commissioner’s Office—Written Evidence ...... 82
Information Commissioner’s Office and European Data Protection Supervisor—Oral Evidence (QQ21-32) ...... 86
Information Commissioner’s Office—Supplementary Written Evidence ...... 87
Phil Lee, Caspar Bowden and Professor Charles Raab—Oral Evidence (QQ1-11) ...... 89
Professor Charles Raab, Caspar Bowden and Phil Lee—Oral Evidence (QQ1-11) ...... 90
UK Government—Oral Evidence (QQ33-46) ...... 91

Caspar Bowden, Phil Lee and Professor Charles Raab—Oral Evidence (QQ1-11)

Evidence Session No. 1. Heard in Public. Questions 1 - 11

WEDNESDAY 12 MARCH 2014

Members present

Lord Hannay of Chiswick (Chairman), Baroness Benjamin, Lord Judd, Lord Morris of Handsworth, Lord Sharkey, Earl of Stair, Lord Wasserman

Examination of Witnesses

Professor Charles Raab, University of Edinburgh, Chris Connolly, Galexia, Phil Lee, Privacy and Information Law Group, Field Fisher Waterhouse LLP, and Caspar Bowden, independent privacy expert and former Chief Privacy Adviser for Microsoft Europe

Q1 The Chairman: Welcome to the Committee, and thank you very much for coming along to give us evidence. If I may, I will explain a little about the background. This Committee, as you probably know, is the sub-committee of the European Union Select Committee of the House of Lords, which is responsible for home affairs, as well as health and higher education, which are not terribly relevant to this morning.

We have decided to conduct what is called enhanced scrutiny on the Commission communication about Safe Harbour. As you know, the Commission sent a communication and I am sure that you are all familiar with its terms. That means that we are not conducting a full inquiry with a fully fledged House of Lords report at the end of it, but we are taking evidence from you, from the Commission’s ombudsman on data protection and Commission officials, and from the Government in the form of the Minister of State at the Home Office, and someone from the Ministry of Justice too. Those three sessions will then flow into a much more detailed letter to Ministers here about the Commission communication, which we will probably issue some time at the end of April. Your evidence is a contribution to that process but it is not the process with which you may otherwise be familiar of a full inquiry lasting about six months, ending in a report of 60 or 70 pages.

That is by way of introduction. The session is in public and is being broadcast. A transcript is being taken and a copy of the transcript will be sent to you. You may wish to make minor corrections to it but it will be published online in the uncorrected form. That is the situation. If any of you would like to make an opening statement, please do so but there is no need to do that. We can move straight to questions—it is up to you. Perhaps we could start by each of you introducing yourselves and saying what your expertise and background in this matter are. Then we can take it on from there. The other thing I would say is: please do not feel that you each have to answer every one of the questions because time, yours and ours, is probably a bit limited to allow for that. Welcome again, and would you like to begin with a word or two about yourselves and your expertise? Shall we start from this side, please?

Professor Charles Raab: Thank you, Chairman. I am Professor Charles Raab and I am Professor of Government at the University of Edinburgh. If I have any expertise it is in the area of privacy and data protection. I have done quite a bit of research on some aspects of surveillance and have taught on them, so that is my area of expertise.


Chris Connolly: Thank you Chair. My name is Chris Connolly. I am a privacy and consumer advocate, based now in the UK but previously in Australia. I have been engaged in a five or six-year campaign to seek improvements to Safe Harbour on behalf of consumers through writing reports, appearing at committees, lobbying authorities and simply dealing with individual complaints. I hope to be able to bring some insight into those today, although I am a little restricted in what I can say about complaints that are still the subject of investigation.

Phil Lee: Good morning Chairman. My name is Philip Lee. I am a partner in the privacy and information law group at Field Fisher Waterhouse, so I am a legal adviser on privacy and data protection matters. In addition to that, I run our US office in Palo Alto, California, where I counsel US businesses on matters of European data protection law, so I guess that my perspective slightly differs from those of the other panellists here today in that I hope that I can bring a slightly practical element to some of the evidence I will give.

Caspar Bowden: I am Caspar Bowden, and I founded many years ago the Foundation for Information Policy Research, which did a great deal of analysis and scrutiny of RIPA. Then I worked for Microsoft for nine years as Chief Privacy Adviser for 40 countries, including the EU, where I had direct experience of dramatic internal controversies concerning Safe Harbour compliance. I left Microsoft three years ago to campaign about what I discovered about ominous aspects of US surveillance law, which after Edward Snowden have become very obvious, and I wrote the official NSA briefing note for the European Parliament inquiry into the Snowden affair.

Q2 The Chairman: Thank you very much. Perhaps that reminds me that the acoustics in this room are perfectly appalling, so if you could speak up and speak reasonably slowly when you are replying to questions and giving evidence, it would be a huge help. If nobody wants to make an opening statement, can we move into questions? We will start, then, with a very general question on which I imagine all of you will wish to make a contribution. What are the main strengths and weaknesses of the present Safe Harbour agreement, in your view? Who would like to start on that?

Chris Connolly: Thank you, Chair, I would be happy to go first. It is a question that I have spent a lot of time working on, and writing articles, doing research and publishing papers on, with my organisation Galexia and with other privacy and consumer advocates. To briefly summarise what I see as the main current weaknesses, the first and most relevant for this Committee is that Safe Harbour is used as a shield when European consumers complain about privacy, and specifically when they complain about national security disclosures since the Snowden revelations. These are cases such as Europe v Apple or Europe v Facebook, which were heard in Ireland, and the Microsoft and Skype cases, which were heard in Luxembourg before the local data protection commission authorities. In both those cases, in the first instance the consumer complaints were knocked back on the basis that those companies belong to Safe Harbour and therefore could not be investigated, even though after Snowden revelations had been made about those companies in relation to their participation in Prism, for example, or other disclosures. So the first and most serious issue is: should the Safe Harbour be a shield to stop even the beginning—the basics—of an investigation on a privacy and security matter? Those cases are very important. I should point out, however, that in Ireland a case has been appealed to a higher court and that the investigation has been started.

The other key weaknesses are the false claims. That is where a consumer visits a website that says that it is a member of Safe Harbour. “Trust us”, it says, “Give us your information”. It might have a Department of Commerce logo on it and very often it will have another logo on it from someone such as TRUSTe, a trust mark provider, but in fact that organisation is not a member of Safe Harbour and may not have been one for many years. The FTC took some action on those recently and the average length of the false claims in the cases brought this year was three and a half years. That is three and a half years of repeatedly telling consumers, “I am in Safe Harbour. Give me your information”, when in fact they were not.

This is not a trivial administrative matter: if you are claiming to be in Safe Harbour, you are supposed to do annual in-house verifications of your privacy protection, signed off by the CEO. You are supposed to pay an annual fee, which all your competitors may be paying when you are not. You are supposed to join a free dispute resolution service and, again, pay an annual fee to that, which you are not doing. So these are quite serious matters.

I reported last year that there were 427 false claims, which is a staggering amount. It means that one out of every seven public claims of Safe Harbour membership is actually false. That received some criticism and one US business group did its own study, because it believed that it was an exaggeration, but it found 465 false claims with better resources than I had. It is a very serious, non-trivial issue that is undermining the integrity of Safe Harbour and has very high risk for consumers. I will probably stop there and give some time to other people.

Q3 The Chairman: Your list of the strengths of Safe Harbour seems to be a little on the short side, which is not surprising since you have written very critically about it. Could you just try to lift yourself out of pure criticism and say whether you think that there are any benefits or strengths to the system?

Chris Connolly: Obviously the Safe Harbour Agreement itself is a compromise between Europe and the US, and I accept that compromises lead to all sorts of quirks in how they are applied. Probably the best strength of Safe Harbour at the moment is that it is really the only practical mechanism for a lot of organisations that have complicated business structures. I will give Mastercard as an example. It is very difficult for it to have individual contractual clauses with all its consumers. It has relationships that are all cross-border, so Safe Harbour is a neat way of getting that organisation into a system which the Europeans believe is adequate for data to be disclosed, so that is its main strength. But, again, I would have to mention a weakness, which is that if you read the Mastercard Safe Harbour privacy policy carefully and compare it to the seven Safe Harbour principles, you might have some concerns about whether that model is being complied with.

The Chairman: Thank you. That is very helpful.

Phil Lee: This would probably be a good point for me to come in. I am not familiar with how aware the Committee is with European rules on data transfers generally, so I would like to take one step back and explain why Safe Harbour exists. I hope that that will convey some of its strengths. We operate under a regime in Europe where we have a data protection framework that applies across the whole of Europe and is now close to 20 years old, so we have a set of laws that basically date back to a time before the internet was in very wide public use: that is, before we had things such as online banking, social media or online shopping. It was before we had all those things. Against that backdrop, the framework we have in place essentially envisaged a world where you had a business operating somewhere in Europe that may have had a few servers. It created a regime that basically said that if you were collecting personal information from citizens in Europe, you had to keep that personal information inside Europe and that the only basis on which you could transfer it outside Europe was if you put one of a number of legal solutions in place. Subject to a few legal derogations, essentially three solutions exist. One of them is Safe Harbour. Another is the opportunity to put in place data export contracts between the entity in Europe sending the data and the entity outside Europe receiving them. The third is a scheme called binding corporate rules, which is where large organisations adopt a binding policy framework that enables them to move data within their group organisation but not outside that group.

Against that backdrop, you have to understand that these are very limited bases on which to transfer data outside Europe but that we live in a world today of complete data globalisation where data go everywhere. Some of the panellists here will have specific views about that, which I do not wish to criticise as a lot of their concerns are much merited. But, equally, in order for businesses to operate they need to be able to transfer that data. It is unrealistic to expect that data can be kept inside Europe. Against that, one of the real strengths of Safe Harbour is that it enables business to happen. If you are doing transatlantic business—if you are a US conglomerate that has branches or subsidiaries in Europe and you need to transfer data about your staff or customers back to the US, where your main processing operations take place—Safe Harbour enables that. That is one of its key strengths.

Another key strength is that it has a relative lack of red tape by comparison to some of the solutions available. I talked about one of the other options for exporting data being binding corporate rules. As a firm, we do a lot of work on that, but a typical process to implement binding corporate rules takes around 18 months to go through full regulatory authorisation.

That is a very long time but, by comparison, if you are doing Safe Harbour and you hold yourself to the standards which Safe Harbour requires, self-certification takes a matter of weeks: that is, to get registered on the Department for Commerce website. That is another advantage.

Its final advantage is that it is an attractive solution to small and medium-sized enterprises and large corporations alike. Again, being based in Palo Alto, which is the heart of Silicon Valley, a lot of the companies that I end up working with are high-growth start-up companies looking to expand their operations into Europe. They simply do not have the resources to do something such as binding corporate rules, but Safe Harbour is something that they can readily adopt and implement. They can verify themselves against that and it enables them to expand their operations into Europe. A lot of these companies have legitimate needs to service European consumers, and there are European consumers who want the services that they provide. It might not be a perfect solution, but out of the solutions that we have available it is one that is very practical and that enables business to take place.


Safe Harbour’s key weaknesses have been identified in the European Commission’s report.

One is a distinct lack of transparency. Outside perhaps very specialist audiences such as us, very few people understand that Safe Harbour exists, what it is and what rights it affords them. That is a major impediment to individuals being able to enforce the rights that they have. The other is generally enforcement itself. There has been a notable lack of enforcement when it comes to Safe Harbour breaches, and there are very limited recourses for individuals to enforce the rights that they have, but against that backdrop I would say that that complaint is not unique to Safe Harbour; it is generally applicable to a lot of data protection regimes across Europe as a whole.

One of the other solutions that we look at for exporting data is these data export agreements, but off the top of my head I struggle to think of a single case where there has ever been any enforcement under a model contract under one of those agreements.

So, yes, there are limitations, but I am not sure that they are unique or that they put Safe Harbour on a worse footing than any of the other solutions that are available.

Caspar Bowden: Perhaps I should start by saying that I think there are severe omissions from the European Commission analysis. I hope we can get on to subsequent questions where I can go into detail in my evidence on some of the areas that have not been covered by the Commission. One of the reasons for that is that at the time of Safe Harbour’s conclusion in 2000, we should remember that there was a major controversy over the Echelon system—the system that was the generation before Prism. In fact, two studies for the European Parliament had been written by 1999, and the Parliament was in the midst of a full inquiry into the Echelon system. It seems very peculiar, therefore, that Safe Harbour was concluded in 2000 against this backdrop, which granted very broad national security exemptions to that third country. One should go back to some of the fundamentals and ask how the Commission had competence to conclude such an agreement, which granted these national security exemptions in the interests of a third country, not a member state, when we understand that national security is a prerogative of member states. It seems as though the Commission almost bartered away genuine guarantees for fundamental rights to get this commercial agreement in place.

I have just a few initial observations. One of the things I became aware of working in industry is that one reason why the alternate mechanisms that Mr Lee has described are difficult for companies to apply is because companies often want the best of all possible worlds, in the sense that they would like to be taxed in one jurisdiction, regulated for data protection in another jurisdiction—typically a jurisdiction with a weak regulator—and then to repatriate profits, typically to the US. To get all those things at once means that the mechanisms are rather complicated. Some would say, “Too bad”, given that those are the drivers.

It is quite right, though, that we should consider the other mechanisms for data export alongside Safe Harbour and not think of Safe Harbour as unique or in isolation. Indeed, in a forthcoming regulation there will be a new mechanism: a so-called European privacy seal, which I think has great promise compared to the other mechanisms. Overall, I think one could say that Safe Harbour is very attractive from the American point of view, because essentially it avoids any culpable commitments that could result in a US court having to adjudicate against a US company or a US official. That has been a key plank of the US negotiating position since for ever.

Professor Charles Raab: May I add one or two points to this? It seems to me that the strengths are on the business case side and the weaknesses are on the citizen, human rights and privacy protection case side. As was said, Safe Harbour was cobbled together as a compromise, largely because the USA does not have comprehensive data protection legislation, so something was needed to overcome that difficulty. It could be remedied if the US were to develop adequate, comprehensive data protection legislation with a competent data protection authority to monitor, to supervise and to enforce.

It seems to me that Safe Harbour is based on a commerce model rather than a human rights model, and that creates tensions when it comes to European data protection. For example, the principles which the Safe Harbour Agreement enshrines are worded rather differently from the way in which principles are enshrined in data protection legislation in Europe and in Council of Europe Convention 108 and other instruments of that kind. It is not well aligned.

Also, in terms of self-certification, relatively few companies have self-certified, given the hundreds of thousands of companies that could. In addition, some categories of companies are not allowed to self-certify. Telecoms companies, for example, are not permitted to self-certify. In this day and age when you have a blurring of the distinction between telecoms and other kinds of operations, that may be somewhat anomalous.

The last thing I would say is that there have been very few enforcement actions by the Federal Trade Commission, which is empowered to bring enforcement actions. Of course, there has been a spate of these things in the past four or five years, and they seem to be coming on stream now, largely—my colleagues here might say differently—when there is external pressure on them, an external goading, to get on with enforcement. The current Federal Trade Commissioner, Julie Brill, is probably cracking the whip a bit more now than the FTC did in previous years.

There has also been a tightening up of controls over certification and the validation of certification, and whether companies are really living up to the principles. Many reports from the European Commission have recognised that as being pretty slack in previous years. We have to wait and see whether this is going to get tighter and more effective so that the European citizen can feel for the most part that their personal data, leaving surveillance and the NSA’s activities aside, are being well protected when those data enter the USA in commerce or trade.

Q4 Earl of Stair: That is very interesting, and you are definitely very much on the weaknesses side rather than on the strengths that we heard about so far. Could you say a bit more about how you think these weaknesses ought to be addressed, or do you tend to agree with the European Parliament in relation to civil liberties that Safe Harbour should be suspended until these errors and loopholes have been sorted out?

Professor Charles Raab: I am not so sure that suspension would make that much of a difference in the short run. I think that the threat of suspension should be maintained—maybe not immediate suspension, although I respect the European Parliament’s decision on that. In the long run the European Union probably could not realistically revoke the Safe Harbour Agreement without some envisaged replacement for it, because it plays a big part in EU-US commerce. It may be unrealistic to say, “We will revoke it entirely”, but the threat of suspension, at least until one can see how far it has been improved in practice, is certainly on the cards.

There is also the question of whether there could be a renewed agreement—a new modification of it—that was negotiated between the two sides of the Atlantic. That might require better incentives for compliance and better sanctions against non-compliance, and transparency for companies that do not comply: that is to say, to name and shame, in some sense, so that the public can really get a hold of that. There may be other suggestions short of revoking the agreement.

Caspar Bowden: I would say that in both my notes to the European Parliament before and after Snowden I recommended shutting down Safe Harbour but in a strategic way. I think it would create severe difficulties to somehow terminate the agreement overnight with no particular strategic plan, but we have to remember that Safe Harbour is not a treaty. It has been accurately described as a simultaneous unilateral declaration, and in a sense it is not quite clear what the US is declaring here, but the Commission’s position under the rules of Safe Harbour is that it can revoke it in any way, at any time and to any degree, according to all the circumstances. So roughly the strategy that I recommended to the European Parliament was as part of a negotiating package. On the one hand, it is necessary to build up European capacity in software and cloud computing to provide both an indigenous capacity to do those things safely within Europe and an incentive for the US essentially to take European concerns seriously.

On the other hand, take President Obama’s presidential policy directive 28 as an example. This was published following his speech in January and has been portrayed somewhat inaccurately in the media—in fact by the BBC—as offering the same rights to Europeans. It says no such thing. If you scrutinise the presidential policy directive carefully, particularly footnote 9, you see that in fact it perpetuates the exceptional and discriminatory protections only for US nationals and residents. In other words, the entire system of US protection in the area of national security surveillance law depends on whether or not you are an American citizen. This is very disturbing and unique, at least from the rest of the world’s point of view. Very few other countries have such a nationality-discriminating approach. Of course, we do not do that in the UK.1

When one closely scrutinises President Obama’s new directive, one sees that it in fact offers very little comfort whatever that the surveillance practices are going to be modified to any significant degree. The collection will continue more or less unchanged, and of course good intentions are expressed about limiting the use of those data, but one of the points I made in the initial report is that the terms of the 1978 Foreign Intelligence Surveillance Act, which followed the Watergate scandal and the great concern on the part of the American people about the activities of the CIA and NSA domestically, show when the foundation was laid for these discriminatory provisions by nationality, all that way back. Section 1801(e)2(B) stated that within the remit of foreign intelligence gathering is the ability to collect information on non-US Persons that merely “relates” to US foreign policy or to a foreign territory. That is far, far broader than anything that we could conceive of or recognise as being national security.

1 Witness Note: So far as publicly known.

I had the opportunity to travel to Washington last year at the invitation of three of the members of Obama’s NSA review panel, and I took them through the conclusions of my report. There is no problem in my telling you this—we agreed the rules before the meeting—that the view of that group in particular, but I would say of Americans in general, is that Safe Harbour is what they call simply a “commercial privacy” agreement. They regard the Annex 1 national security exception as simply providing a total permission for them to engage in foreign intelligence.

It is also noticeable that when the European Data Protection Supervisor, Peter Hustinx, gave evidence to the European Parliament inquiry a few months ago, he said something that I think is very significant: that it is entirely possible that the Americans have been using this national security exception to justify in their own minds the full range of NSA activities that we now understand from Edward Snowden have been occurring, and the Europeans do not agree. This all hangs, really, on the meaning of a few words in one sentence. It really is extraordinary, and we should revisit, how such an enormous loophole was allowed to be created when even at that time, because of the context of the Echelon inquiry, European officials should have known better. Indeed, the Office of the European Data Protection Supervisor made no comment on foreign intelligence whatever, or on these types of risks, for the duration of his office until Snowden. Again, that would be a very interesting question for the Committee to put when you get the opportunity to speak to the European Data Protection Supervisor.

The Chairman: What you were saying, if I understood it rightly, was that you did not think it would make much sense—in fact, that it would be quite dangerous—to suspend the thing just like that, with a sort of guillotine. Are you saying that for Europe, which is currently negotiating a new set of data protection regulations, that is the framework within which future relationships with the United States should be situated, or are you asking for something more immediate than that?

Caspar Bowden: The unreality of the Commission’s 13 points on reforming Safe Harbour is most serious on its final point, which deals with national security. The Commission essentially gives an aspirational statement. It says that it hopes that future application of the national security exemption will be proportionate and in line with European views, but I see absolutely no basis for believing that that is going to be the case, so there is this question of verifiability. In my view, the only kind of verifiability that we could rely on would be binding statute law passed by the US Congress—a domestic law in the United States that, without any qualification, makes criminal the abuse of data that would exceed the terms that would be negotiated between Europe and the US. I fear that we will otherwise soon be back to “business as usual” where, without the knowledge of any European regulators or officials, the US intelligence community will sadly be using these flows of data for the purposes that we have now learnt about.

The Chairman: Any other comments on this question?

Phil Lee: Perhaps I might respond to that question as well. I am firmly against suspending Safe Harbour. I guess that I have a couple of reasons for that. First off, if you suspend Safe Harbour, that has the potential to have a hugely detrimental effect on international flows of data. I fully accept Professor Raab’s comment that a lot of the discussion to date has been on the need to facilitate trade. That is absolutely right, but there is no alternative mechanism in place that would readily enable that kind of business to take place. I will give an example. At the moment, with a lot of the clients who I work with in the US, the mere threat of the suspension of Safe Harbour is already having a protracted effect on their ability to conclude deals with European customers. I work for a number of cloud providers in the US that want to conclude deals with customers in Europe, who are already refusing to acknowledge their ability to transfer data on the basis of Safe Harbour. That is the case, notwithstanding that Safe Harbour remains a legal and valid solution for exporting data, but the threat that it may be suspended is already having a business impact on them.

Caspar Bowden: I must disagree with you when you say that there is no alternative in sight to Safe Harbour. There is an alternative, which covers exactly the cases that Safe Harbour would cover, and that is consent. If you obtain consent from individuals, it has to be informed consent, and being informed you have to be informed of all relevant risks.

Phil Lee: I firmly disagree with that.

Caspar Bowden: Although it might be unpalatable for US companies, I suggested in my report to the Parliament that if a company wishes to proceed on the basis of consent, there should be a kind of pop-up box warning that says, “If you click here, all the data that you submit may be subject to foreign intelligence surveillance for the political interests of a foreign country. Do you agree?”. Some might regard that proposal as facetious, but it seems to me entirely realistic in light of what we now know. The proposal was, of course, designed to create a political effect and a deeper understanding among European citizens of what risks they face when they use American services.

Lord Sharkey: Would not a pop-up appear on every single web page that you looked at, given the extent of the surveillance that we know about?


Phil Lee: I would like to go further than that. It is not just a case of every single web page.

We are moving into a world now where we are not just accessing the internet or remote services through a desktop-based computer. We are accessing them through our mobile phones and we are going to be accessing them through our watches. We are moving into a society where pieces of clothing and household appliances are all going to be internet-connected. They are all going to be sharing data on a regular basis about you and the kinds of things that you do. There may be a discussion to be had about whether those kinds of data collection are necessary, proportionate or wanted, but the assumption that individuals can meaningfully consent to that, or that they want to consent on every single touch point where they may be interacting with a device, is wholly and utterly unrealistic.

Caspar Bowden: But the point is that this would create space for the emergence of European services where citizens did not run these risks. At the moment, they are being told that their data are protected to a high level by these regulatory arrangements, and that is manifestly untrue.

Phil Lee: But I would have to pose the question: why is there an assumption that data would be that much better protected in Europe? We already have law enforcement access here and things such as the data retention directive, which also enable—

Caspar Bowden: There is a straightforward answer to that question. Any processing, even in the context of foreign intelligence within the European Union, still has to conform legally to the European Convention on Human Rights, whereas if your data go to the United States you have literally zero protection under the American constitution and policy interpretations—none whatever.

Q5 Earl of Stair: It is quite interesting to hear this from both sides, but how would you bring in an interim safeguard until it is sorted out, to make sure that people are aware that information they are putting onto that website is either protected or not?


Caspar Bowden: This is why my recommendation is for a planned, strategic and phased shutdown of data flows, not some sort of sweeping or blindly indiscriminate gesture.

Essentially, the Americans think that this is going to blow over: that if and when Snowden’s revelations stop, concern will gradually subside and they will be back literally to business as usual. Therefore they are not budging; they are sitting tight. In my view it is only when we get such a planned trade strategy coming into operation and crystallising significant losses for US companies that those US companies may stop, perhaps through UK law firms, lobbying to dilute European data protection standards. They may then come around to saying, “Perhaps we do have to take these foreign laws seriously”, which unfortunately until now they have not, in my experience.

Phil Lee: I think you ask a very valid question. My concerns when I hear the comments of Mr Bowden are that so much of the debate is very much focused on the ability of very large companies to adapt if you were to shut down data transfers from Europe to the US. Could very large companies set up data centres in Europe? I am sure that they could; they have the resources and the means to do that. Could the smaller companies, which also rely on the ability to transfer data—

Caspar Bowden: Mr Lee, you ought to know that that is not the point. The point is not the location of the data centre. The point is the jurisdiction to which the data are subject, so in fact it would do no good from this point of view for American companies to establish their own data centres in Europe because they would still be subject to the extraterritorial provisions of FISA.

The Chairman: Hold on a second. I honestly think that we will need to move on a little. I think that we have both your points of view.


Phil Lee: If I may make one final point, I think the answer to your question lies in how we revisit the current Safe Harbour provisions and enhance them to provide better protection around the areas where they lack it currently.

Q6 Lord Judd: Chairman, if I am permitted, I must just say that I am a pessimist, because all that we are talking about is dependent upon a prevailing culture because the techniques and capabilities are so great, while the issues of the protection of the individual are operating in a completely different mindset. I always feel fearful that whatever regulation we have, we will have a minimalist culture behind it because the key people will not really have their hearts in it. I think there is a huge debate to be had about what the prevailing culture should be. Forgive me, Chairman.

Coming to the Commission communication on transparency, for the record you will recall that it proposed: that self-certified companies should publicly disclose their privacy policies; that privacy policies of self-certified company websites should always include a link to the Department of Commerce Safe Harbour website, which lists all current members of the scheme; that self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, such as cloud computing services; and that there should be arrangements to clearly flag on the website of the Department of Commerce all companies that are not current members of the scheme. I would be interested to know whether members of the panel feel that these are sufficient or lacking, and what additions or changes they would recommend.

Chris Connolly: Thank you. That is an interesting group of recommendations, and I think I can see what they are trying to achieve. In fact, even since those recommendations were written there has been a bit of a scramble in the US among companies to add Safe Harbour notices to their privacy policies and links to the Department of Commerce website, which now has clearer warnings about organisations that are not current. The not-current organisations are listed in red, which is a new thing. Having that sort of red flag has never happened before and it is great. I am very impressed to see that work happening and the recommendations in place, because this has been a 13-year campaign to have those basic elements introduced to the Safe Harbour. We really need to be quite grateful to Snowden for allowing some focus on Safe Harbour, because all those recommendations have been made in the past, and in multiple reviews of Safe Harbour, and they have been completely ignored for all that time.

So yes, I can see massive improvements. One of the world’s largest companies updated its privacy policy just last week to comply with Safe Harbour for the first time, but there was no acknowledgement that it had been doing anything wrong. There was no media release and no attention to it at all. It was just quietly implementing its own response to these recommendations, so congratulations to the European Commission for getting to that point and making an impact.

I think your final question was whether it will do enough or go far enough. On transparency, I think that is a yes. On dispute resolution redress, possibly more needs to be done, but that is a question for later in the panel.

The Chairman: So you have added one to the list of strengths of Safe Harbour, anyway.

Chris Connolly: It is a strength, but they have been goaded into it.

Caspar Bowden: Those arrangements for transparency were reasonable assumptions 13 years ago, but there is very great doubt about whether they are reasonable now. One syndrome we currently face is that commercial privacy policies are either too long or too short. For example, the privacy policies for Windows or Facebook can be of 7,000 or 8,000 words, and when you read those policies, even if you are a privacy expert it will not be clear what in fact your privacy risks are, particularly in respect of non-enforceability of rights and, of course, the national security questions. On the other hand, Google has recently simplified its privacy policy to the extent where you could almost say that it was on one page—and it tells you nothing at all. It simply says that they are going to fuse the data for various commercial purposes. In fact, both the Netherlands and the French data protection authorities are now pursuing very well reasoned and forensically correct reasons why such brief privacy policies are not informing consumers about these fused uses of their data.

Another very interesting observation came six years ago in a paper by Aleecia McDonald, an American researcher, called The Cost of Reading Privacy Policies. What she essentially did was to value people’s time with quite plausible demographics and structurally good methodology and then work out how much time would be necessary if everyone in America read all the privacy policies that they would have to read for all the services that they used. She came up with this hypothetical cost of something like $30 billion to $50 billion a year. These are figures from five or six years ago. That is the time-value of what American consumers would have to spend scrutinising privacy policies to be aware of what their situation is.

There is a real question now about whether imagining that somehow a privacy statement or privacy policy which users are expected to scrutinise and comprehend is realistic any longer.

Of course it is somewhat antithetical to the original concept of European data protection, which is that you provide individuals with a very simple set of principles and rights which they can comprehend, and then they should not really have to bother reading privacy policies because they have an understanding of where they stand and the rights that they should be able to assert, rather than being put into the position essentially of having to be privacy lawyers.

Phil Lee: My perspective is that privacy policies still have a value, not least because when you commit an organisation to putting down on a publicly facing document its practice towards data, that encourages greater honesty and greater scrutiny of what it does with data in the first place, both by itself and by the public.


I completely accept that very few people read privacy policies, and my criticism of the European Commission’s transparency recommendations, if I have one, would be that if you publicly disclose a privacy policy, that is a good thing and that should be par for the course anyway. Linking back from a privacy policy to the Department of Commerce’s Safe Harbour website, again, is great, but to the vast majority of individuals it is absolutely meaningless.

Again, outside a very specialist circle, very few people really understand what Safe Harbour is.

If we are going to meaningfully enhance transparency, there need to be greater efforts towards public awareness and education, maybe even looking at other ways of communicating to individuals the protections to which their data will be forwarded if those data are transferred. The efforts made in the advertising industry are an example. I do not mean to hold it out as a model of compliance, but it has made efforts to communicate to individuals in alternative ways, such as through the use of icons around adverts. You can imagine a similar situation where a short graphical icon on a website, on a device or whatever it is would inform an individual that their data were being exported overseas. That, to me, is a more meaningful way of raising awareness.

Professor Charles Raab: I have a few comments. I think the piece of research that Mr Bowden referred to is justly famous, on the billions of dollars. The question of the inadequacy of privacy policies goes back a very long way. There was research by Mary Culnan in the late 1990s in America, for the FTC, on privacy policies and their inadequacy, and it seems that too many companies simply still do not get the message about this. The only way in which people who care to read privacy policies could understand what is in there and what is not in there is if they simultaneously had the list of principles and the privacy policy so that they could say, “Hey, something is missing. There’s nothing here on redress. There’s nothing here on notice or choice. There’s nothing here on onward transfers. The question of what the purpose is is fudged or unclear”. Nobody is really going to do this kind of thing, and it may require a whole series of filters, maybe civil society organisations, to put the spotlight on these things rather better, and data protection authorities in the member states of the European Union to be more proactive in scrutinising this. That, of course, takes a lot of resources, but at least it would help to take the burden off the individual to read all these policies and to make some sense of them, which is really not going to happen.

Lord Judd: It also helps with accountability.

Professor Charles Raab: Of course, yes.

Q7 Lord Wasserman: That leads to the problem of recourse, as you put it, or redress. You know what the Commission recommended recently. What do you think about this? Does this go far enough? I care about what rights I have and what I can do about it. I also care about what the policy is. I do not read it, but when an issue arises I want to be able to do something about it. I want to have some power.

Caspar Bowden: I will take you through what is involved in trying to make a complaint under Safe Harbour at the moment. I have made several in a personal capacity over the past 10 years to try to see what happens. If you make a complaint against a US company that has what is called an alternative dispute resolution procedure, you first of all contact the company and it will probably, not at first but after three e-mails, bounce your complaint to an organisation such as TRUSTe or one of a number of others. That organisation may charge a fee, in some cases quite a large fee under present arrangements, even to pursue your complaint—something that is very unfamiliar to a European complaint consumer culture. It also means, of course, that if some kind of harm is occurring in a small way but to a very large number of people, it is really not feasible to expect any satisfaction through an alternative dispute resolution procedure that charges a substantial amount or even a minor amount.

If you get no joy from the alternative dispute resolution procedure, you can try escalating your complaint to the EU Safe Harbour Panel, which is a sub-group of European data protection authorities that will adjudicate and hear that complaint. The first time I tried to make a complaint to the panel in 2004, they told me, for reasons I could not understand, that they would not hear the complaint: that they did not have competence. The second time I tried, that case has now been running for 18 months, I think, and I have not heard from them in four months. I am due to send them a reminder letter. In total, that EU panel has managed to attract seven complaints, including two from me, for the entire period that it has been up and running.

Overall one has to say that the complaints process is designedly byzantine. It is designed really to suppress complaints and fob them off. I would have to say that among consumer and privacy advocates there is really no confidence in any redress mechanisms.

Lord Wasserman: Okay. I want to know what we should do about it.

Chris Connolly: Perhaps I could talk about that. One of the main issues that I have been raising in my report and my individual complaints is the inability for ordinary consumers to access the dispute resolution providers, mainly because, first, they charge very high fees; we are talking thousands of dollars for some of the schemes. Secondly, the companies that are in Safe Harbour are not complying with principle 7, and they are not telling consumers which dispute resolution provider they belong to. The Department of Commerce has just written to 600 organisations, telling them that they must add that information to their websites, but that should have happened years ago. Again, this is happening because of Snowden.

The European recommendations are aimed at those two issues. They are aimed at reducing the fees and making sure that the name of the dispute resolution provider is disclosed to individual consumers. But there are a few other issues as well. There are quite a number of very large multinationals in Safe Harbour that have added a clause to their Safe Harbour privacy policy, which says that if you have a dispute it has to go to this mediation provider. It is very expensive. However, we, generously, will assume the costs if we lose. These are very large companies using costs really as a threat. Of course, they have not received a single Safe Harbour complaint as a result, because no one would risk the cost of thousands of dollars in mediation unless their case was absolutely guaranteed, and how could that ever be? Of course many clauses in the Safe Harbour policy also say that the jurisdiction will be Salt Lake City, Utah, or something along those lines. Whether it is meaningful in practice, it frightens consumers away. There are a lot of barriers before a consumer would be brave enough to make a complaint.

The other form of redress is going to the Federal Trade Commission. That is also an incredibly difficult process for individual consumers. Hopefully it is getting better. It is very lengthy and very secretive; you are told almost no information at all about what is happening to your complaint and how long it might take. The FTC’s record to date is that it has agreed some consent orders with businesses that are in breach of Safe Harbour, but in the vast majority of cases, apart from one, there have been no fines, compensation, apology or anything like that. It is just a consent order that says, “I have breached Safe Harbour. I now consent to abide by Safe Harbour”, which they should have been doing anyway.

Q8 Lord Wasserman: I know that it is not good, it is terrible. Everybody knows that. What proposals do you have? There are three proposals on the table. Which ones do you want to have?

Caspar Bowden: None of them. From my experience of the US industry, the two things that US industry really fears are class action—

Lord Wasserman: Exactly.


Caspar Bowden: —and domestic jurisdiction, so if possible there should be a reasonable cause of action or preferably a class action, for Europeans to sue a US company. The main object of US corporate lobbying over many, many years has been to avoid that situation coming about, and it is a matter of regret for me that the European Commission is not holding out for that.

Phil Lee: I will give a quick bit of background to explain how this came about and then I can tell you what my recommendations are. Under Safe Harbour there is a requirement that you have an independent recourse mechanism, and as part of that you have to choose either to have an alternative dispute resolution—the provider manages those—or to agree to submit in effect to the jurisdiction of the European data protection authorities. I think the concerns have been very well voiced already and I agree with them completely. Thinking about it very practically, when you are an individual who feels that your data have in some way been misused or your personal information has been incorrectly shared, your immediate thought is not to look at the privacy policy, find the Safe Harbour requirement and then go off to an ADR provider, who will charge you for it. It is equally not your thought as a European consumer to go to the FTC, because again outside the very specialist knowledge of a few circles, very few people really understand what the FTC’s role is. If you are going to complain, your complaint first off would always be to the European data protection authority; it would be to the national authority that you know. So if there is going to be a way to improve things, my suggestion would be that companies self-certifying under Safe Harbour agree to submit themselves to the jurisdiction of national data protection authorities to co-operate with them in the course of investigations and to abide by any final rulings that are reached.

Caspar Bowden: Can I just come back on one thing? We are in a very serious position in this country regarding the attitude and performance of the Information Commissioner’s Office. I hope in the next questions we can come on to the significance of cloud computing structurally for where Safe Harbour is now. The Information Commissioner’s Office published its official guidance in October 2012, in which it essentially said that if you comply with a foreign law enforcement or national security request you get off scot free. The ICO pre-announced, in effect, that it would take no action, and this was before Snowden, which I find extraordinary. So, today, if you complain about Safe Harbour to your national data protection authority, it will say, “It is not our problem. This is something the European Commission agreed to. We have no standing to get involved”. Indeed, that is precisely what the ICO told me when I tried to assert a complaint under Safe Harbour several years ago.

Professor Charles Raab: I would like to underscore Mr Bowden’s point about class action. That could be quite an important step. I should also say on the costs of the alternative dispute resolution that the FTC commissioner, Mrs Brill, recently made a statement calling for the reduction or abolition of fees. There are several ADR providers, and all but two of them do not charge fees.

It also seems to me that we are in a position to think about whether you improve the machinery that is there already, which includes the European Data Protection Panel, the role of the FTC and the role of data protection authorities in the member states, as well as thinking how the scheme itself could be improved, short of tearing it up completely. It seems to me that the panel that Mr Bowden referred to is extremely obscure. If you try to go on to websites for data protection authorities, it is difficult to find any references to that kind of thing. It seems to me that the data protection authorities could be much more proactive in making Safe Harbour redress mechanisms, such as they are, better known than they are at the moment. That would not necessarily be a way of exhausting all avenues to improvement, but it might be a step in the right direction, because at the moment the whole thing is entirely obscure. It is cumbersome and, as has been said, the rights of European citizens in this are much less than those that might be afforded to US citizens.

There is another suggestion, which comes from the American organisation EPIC—the Electronic Privacy Information Center—which is that companies should comply with the Consumer Privacy Bill of Rights. If that could be promoted and encouraged, it might also be a step in the right direction towards improving the rights of people for redress and for compliance.

Q9 Lord Sharkey: We have heard about the lack of remedies available, the lack of reporting and the lack of proper verification. I notice that in the Galexia report in 2008, there were only 1,100 companies on the register, of which at most 30% may have been compliant. Given all that, is self-regulation really the most appropriate model for this kind of enterprise?

Caspar Bowden: Perhaps I could start. What makes the prospect of Safe Harbour continuing, essentially as a self-regulatory model, particularly disturbing is the imminence of cloud computing. When written about in the popular media, cloud computing is often portrayed as somewhere just to store your photos or your e-mails, but the true business and strategic significance of cloud computing is making massively parallel processing of data a commodity. When you have a data centre full of thousands of blade computer servers, it means that you can sell computing power that can scale almost instantaneously. That is a very attractive way to write applications and to sell computer software services around the world. But the regulatory implication of that is that when Safe Harbour was devised, and certainly when most of the norms of transborder data flow were devised, the idea was that territory and jurisdiction were roughly congruent and that data flows outside the territory were at the margins. Cloud computing completely demolishes that assumption. We now have a situation where almost all the data inside a country might be processed outside its borders and subject to a foreign jurisdiction.

In the theology of Safe Harbour, there is a concept called Safe Harbour-as-a-data processor. The distinction between controller and processor exists in European law but not really in American law and not in the original form of the Safe Harbour Agreement. Very shortly after Safe Harbour was concluded, and even at the time, the US asserted that there ought to be a status for something called Safe Harbour-as-a-data processor. Now, what does this imply? When you are a data controller, you essentially have full responsibility for compliance with European data protection and giving effect to data subject rights. A data processor is somebody who undertakes processing on behalf of the controller, according to their precise and specific instructions. Back in the 1990s, when this model was formulated, the assumption was that the controller would be in the driving seat and that the processor would be some sort of bureau, which might generate mailing lists or something like that for you. Now, of course, we have a complete inversion of those power relationships in that many small and medium-sized enterprises are controllers, but they then have to contract with Google, Microsoft or one of these other behemoths—giants—who are claiming the status of Safe-Harbour-as-a-data-processor for their cloud computing activities.

If we look at what the Safe Harbour principles are and consider whether a cloud processor can give any effect to them, well, they cannot do Notice because they do not know who the individual subjects are whose data they are processing. They cannot do Choice for the same reason. They cannot guarantee anything about Onward Transfer because they essentially do not know what the data controller is doing with those cloud computing facilities. They cannot guarantee Security, because although they can do something about external hackers breaking into the data centre, they cannot do security at the granularity of the personal data within the data being processed because they do not know what those are and how they are structured. Similarly, they cannot guarantee data Integrity or give effect to subject Access because they cannot authenticate and do not know the individual data subjects and the structure of the data concerned—and, for all those reasons, they cannot do Enforcement.

This means that any company claiming Safe-Harbour-as-a-processor in the context of cloud computing is rather like supposing that you and I did a deal based on these eight principles. Then some time later we come back and there is a foreseeable situation in which you say to me, “Well, we cannot actually execute on any of those eight principles which we agreed but we still have a deal”. Well, I would not think so. That is now the very dangerous situation we have for those enormous companies claiming Safe-Harbour-as-a-processor status.

This also continues into the structures in the proposed new EU general data protection regulation, where essentially this rather bogus or oxymoronic concept of Safe-Harbour-as-a-processor has been transformed into something even more dangerous: Binding Corporate Rules, or BCRs.2 That is rather a mouthful. It turns out that, based on this Safe Harbour-as-a-processor model, the regulator's interpretation of BCRs-for-processors already contains loopholes. In the small print of what the Article 29 Working Party said should be in a BCRs-for-processor agreement, you will find that it exempts the application of laws precisely such as the US Foreign Intelligence Surveillance Act, where the surveillance would be done in secret and the data processor would be prohibited from telling the controller. This seems to be sheer naivety, or worse, on the part of the Article 29 Working Party. It is something that I have challenged it about over the past 18 months. I have a little more to say about it, but I should perhaps leave it at that.

Phil Lee: If I may, some of the comments that Mr Bowden raises are legitimate, but they probably go more to what the scope of the Safe Harbour regime is about rather than whether self-regulation is the appropriate model. I would answer your question by first noting that all the three mechanisms available to move data from Europe to outside it are effectively self-regulatory. They rely on Safe Harbour or on an agreement put in place between the exporting and receiving entities, or on these things called binding corporate rules, which Mr Bowden has touched on. That is on a level playing field with the other solutions that exist out there, so my immediate question would obviously be: if you decide that self-regulation is not the appropriate model for Safe Harbour, what is the appropriate model? Are we talking about direct regulation? I always have to come back to the practicality of this, because that is how I work with businesses on a daily basis. So my question is: how would you actually do that?

2 Note from witness after the evidence session: For data processors

If a business is agreeing to hold itself to a certain part of the principles, the only way as a regulator that you could meaningfully check that would be to do some kind of audit of the business. Under the current Safe Harbour regime there are 3,500 companies, and with its current uptake you have to assume that each of those companies has to be audited in some way by regulators who have none of the technical expertise or knowledge to understand how their systems or processes work. That is not to say that you might not do that in a perfect world, but I struggle to believe that regulators really have the resource or the capability to do that effectively. Perhaps it is as with that notion of democracy being the least worst form of government: self-regulation may not be an ideal solution, but I am not sure that a better one is available, save using self-regulation as a model with effective teeth in the event of breaches. So if you discovered that somebody has fallen short of the Safe Harbour standards or that there are complaints, they would be properly investigated with proper recourse mechanisms and proper enforcement would be taken when that happens. That would be my suggestion.

Q10 Baroness Benjamin: You know, I always say “Good system, bad people”, hence in this case the need to have ethical safeguards and protection in place. Can you tell us whether you think that there are any data protection safeguards in the TFTP and the PNR agreements, or similar agreements, which should be replicated for Safe Harbour?

Chris Connolly: That is a very interesting question because the Safe Harbour Agreement is incredibly general. Any type of information or organisation can be involved. In fact, organisations can join Safe Harbour just for their online data but not be in it for their offline data, or they can join just for their employee data and not their customers’ data, et cetera. It is very complicated but very general. The Terrorist Finance Tracking Programme and the passenger name agreement are both very specific. They are almost like microsections of information being transferred from Europe to the US, so it will always be difficult to take something that works in those fields out and apply it to Safe Harbour.

When I have looked at those agreements, the most attractive parts are the definitions. They have definitions of national security that are completely absent in the Safe Harbour Agreement, which just says, “This can be watered down for national security reasons”, but gives no definition of what a national security reason could be. Now, we should not have to make definitions, but I think that post-Snowden, when we have seen that national security has been used as an excuse for spying on the climate change conference or trade agreements, we probably should have a definition of national security in Safe Harbour. The words that the Europeans use are that any security disclosure should be necessary and proportionate. Those words are not in the Safe Harbour principles, but perhaps they should be transferred across because, as I said, we should not have to say them. Those definitions should be accepted, but obviously they are not.

One of the agreements has a great little phrase in it. It says, “Any disclosure for security purposes should be narrowly tailored to those purposes”, which would prevent the mass surveillance of people’s webcam images or the collection of all ISP or e-mail data, and so on.

I like the idea of security disclosures being narrowly tailored. Those are probably the most attractive parts of the terrorist financing and passenger name agreements and I could see the possibility of transferring them across to Safe Harbour and improving it as a result.

Phil Lee: I would fully endorse the view that we need an understanding of what you mean by national security disclosure. That is absolutely correct, but where I would perhaps have a different view from Mr Connolly is that we have to remember that Safe Harbour is effectively a set of business regulatory principles. If we are to introduce a requirement that disclosures in the interest of national security should be only when necessary to that national security interest, the challenge immediately facing any business is that it is not in a position to judge. Ultimately, if you are a business and you get a request from the FBI telling you to disclose data because there is a terrorist investigation under way, you are going to disclose those data. You are not going to want to be the business that in some way impaired the prevention of a terrorist attack. That is completely different from saying that there should not be those restrictions on law enforcement requests being made. I entirely endorse the idea that there needs to be an arrangement between the EU and the US, where the US law enforcement authorities are to make requests of businesses only in those narrowly defined circumstances, but I am not sure whether that is the same thing as flowing that down to a business regulatory principle.

The Chairman: So presumably when the European Parliament has at the moment blocked the new PNR regulation in the European Union, on the grounds that there are not proper data protection provisions, they have got the cart before the horse. They might have done better to have given a green light to the PNR regulation and used some of the provisions in it more widely.

Caspar Bowden: I do not think so. The fundamental structural problem with such sector-specific agreements is that they presume that the data are technically safe outside the legally agreed areas. What we have seen with all three of these examples is a sort of legal façade whereby the protections provided in law by these agreements are not very good and have fatal ambiguities in them. Now of course we know, with programmes such as Upstream and Prism, that the US has the capacity to siphon this data out from underneath without any respect even for the nugatory legal provisions in those sectoral agreements.

I would like to call attention to three elements of relevant agreements. One is the idea in the PNR agreement that data will be masked after some while, by which they mean that they will be reversibly encrypted in some form. Unfortunately and quite inexplicably, this has been equated to the concept of anonymisation, a concept that in European privacy is really fairly clear: that data must be rendered non-identifiable, and irreversibly, which is sometimes against growingly sophisticated statistical techniques. Yet somehow in this transatlantic sectoral agreement, it has been accepted that reversible identification can occur.

Secondly, we should remember that after the first PNR agreement the acting Under-Secretary of State of that time, Stewart Baker, wrote a letter to the EU that essentially said, “You know that we thought we had an agreement in writing to limit the propagation of these data through the rest of the US intelligence apparatus. Well, we have just reneged on that and we do in fact reserve the right to propagate this information throughout the US intelligence apparatus”. That was an extraordinary letter to have written and perhaps it did not quite receive the attention it deserved at the time.

The third point is about a future so-called “Umbrella Agreement”. In a sense, this is what should have happened prior to the sectoral agreements that we have talked about. The concept of the umbrella agreement is that there should be explicit definitions of national security and law enforcement purposes, which would cover all these sectoral agreements with a basis for trust. However, it appears that the US and the EU now agree that the scope of any such umbrella agreement is only going to be criminal law enforcement, so national security mass-surveillance activities will not be touched by this. Moreover, cloud computing—in the sense that it is a service provided by a private sector actor, who then perhaps transfers that data under FISA to the US Government—will not be covered by the umbrella agreement either because it will cover only state-to-state transfers. This is not a pretty picture. We have a situation where the sectoral agreements are misconceived but we do not have any overarching instrument in sight that is going to patch them up.

The Chairman: Right. Professor Raab, are you asking to speak or not?

Professor Charles Raab: I have just a few points. I think one might be grasping at straws to consider that the TFTP or the PNR provide some kind of role model that could be incorporated, especially because the TFTP, at least, has come under suspicion of being a kind of conduit for information to be used in a bulk way by the security services. There is a highly elaborate arrangement in TFTP that involves supposedly independent supervisors—a nice idea, but one wants to know more about whether they are independent and how well they work. It also involves a role for Europol in filtering the data that then go to the USA from SWIFT, which is the financial transactions company in Belgium that has lots of data on bank transactions. Whether or not one wants to pick up those sorts of ideas involving other kinds of organisations, one would have to recognise that the TFTP at least comes with some baggage. There is some baggage over the difference between bulk data and individually targeted or tailored data and about the retention periods, because a lot of the data being collected then go to the USA but only a small proportion gets specifically analysed. The rest should be dumped after five years, but the query is whether that five years is excessive, and so on. One would have to satisfy oneself as to whether those kinds of mechanisms are really operating as they should in terms of people’s rights—the rights of EU citizens—before thinking “Well, there’s a lesson to be learnt”, and that it can be incorporated into something rather more generic and less devoted to law enforcement and criminal justice purposes than the TFTP and PNR. However damaged the umbrella agreement might be when it comes out at the end of the wash, it would be a very good idea to have it settled, because it might raise the level of clarity and protection, the establishment of definitions and so on.

Q11 Lord Morris of Handsworth: Before I explore my question with you, I have listened extensively to what you have all said and I thank you for extending my knowledge about the subject matter of Safe Harbour. You have left me with the picture of the chicken and the egg here. Given the anomalies that we all know are associated with Safe Harbour, some of which you have identified, how might concerns about the exploitation of the national security exception be addressed, particularly in the light of reactions to mass surveillance programmes? That is where the chicken and the egg come in.

Phil Lee: I agree, and I think that this has been addressed in part by the eloquent answers from Mr Connolly and Professor Raab. My view on this as regards Safe Harbour is, as I have explained, that it is essentially a framework for business regulation for those businesses in the US that receive data from Europe. They will from time to time receive requests from law enforcement to disclose data, whether for national security or criminal reasons. I hope that we are in agreement that those are legitimate aims for any law enforcement authority or a Government to want to pursue. The question is the degree and extent to which those tools are used.

The fundamental problem for business is exactly the chicken and egg situation that you describe: that a business is not empowered with the knowledge to be able to execute those decisions about whether a request is necessary for national security or to pursue a criminal matter. It can do a certain level of inquiries and if it receives a vague request saying, “Give me this data about your customer”, it should of course push back and ask what the purpose of that request is. Ultimately, it does not have the ability to make that assessment. The only people who do are the authorities requesting the information in the first place. If concerns around national security and law enforcement are to be addressed it is through agreements such as the umbrella agreement where, as Professor Raab explained, you have agreement reached between authorities that constrain the power of those authorities in the requests that they are able to make, not that of the recipient of those requests and how it should assess them.

Caspar Bowden: I agree that it is very difficult for a business to know anything about the true purpose for which some direct request for data is made. I am slightly puzzled as to why, in the Commission recommendations, it thinks that is one important element in one of its 13 points when it does not seem that that will leave the consumer, shall we say, any the wiser. I repeat the point that the current scope of the umbrella agreement, and both the EU and the US seem clear on this, will not cover so-called national security. It will only be for criminal enforcement. Unless that changes tack in a way that it has not done for the past four years, it will not provide a solution. One thing that may be promising is that in the new regulation, the civil liberties Committee has restored an article, which is now numbered Article 43a, which was in fact in the penultimate draft before the regulation was officially published over two years ago. Article 43a says that if a company acquiesces to one of these direct data requests under a FISA warrant or the Patriot Act—but FISA is now recognised as a more serious problem—then it should do that only if it can get permission from a national data protection authority. If it does not do that, it is in breach of European law and could then be fined up to the full sanction defined in the new regulation, which may be 2% or 5% of turnover, according to which amendments are accepted. That is a considerable disincentive to US companies in then complying with direct data requests.

Phil Lee: I would just—

Caspar Bowden: If I may finish the point, the European proposal is essentially that these transfers should occur only through existing mutual legal assistance treaty procedures, which are designed for this case and cover the full spectrum of cases that might be necessary.

Phil Lee: If I may make one point about what Mr Bowden is saying, he has not had a response in four months on his complaint to the European data protection panel. In the situations that we are talking about with that type of national security request, I wonder whether a request made to an under resourced data protection authority, particularly some of those operating in the less sophisticated jurisdictions, would actually be handled in the timely manner needed to address the time-sensitive nature of these investigations. As a matter of principle, if these things could be dealt with very quickly and we knew that they would be handled efficiently, I would not have an issue with what Mr Bowden is saying, but I suspect that in practice the reality would be somewhat different.

Caspar Bowden: That is already foreseen in the text of the regulation. There are already procedures for exceptional transfers in exigent circumstances to occur on important grounds of public interest. We are talking about establishing the normative procedure.

Phil Lee: But what you put into law and what happens in practice are often two very different things, so you may well write that into the legislation, but if a data protection authority has one or two people handling these types of requests, and they are overworked or on holiday—perhaps it is a public sector holiday—or any of those things, the request could get delayed.

Caspar Bowden: That is not the real problem, with respect. The real problem is that in the Department of Justice there are attorneys who specialise in handling mutual legal assistance treaty requests from the rest of the world and that, because the US has all the data, there is an imbalance between the requests going to America and those going out. The US Department of Justice simply does not want to double, or probably triple, the number of attorneys working on those MLAT requests.

The Chairman: We have, alas, just about run out of time, but we have covered a great deal of ground this morning. Thank you very much for your assistance in doing so. If we ever had any illusions that this was not a fairly contentious area, we have lost those illusions in the course of the morning. We will make use of your testimony and comments in our further enhanced scrutiny of this measure. Since this is all going to lead on to a much bigger negotiation over the data protection provisions of the new regulation in the EU, I do not imagine that we are going to lose sight of it all. It will be of use to us in that too, so thank you very much indeed.

European Commission—Oral Evidence (QQ12-20)

Evidence Session No. 2 Heard in Public Questions 12 - 20

WEDNESDAY 2 APRIL 2014

Members present

Lord Hannay of Chiswick (Chairman) Baroness Benjamin Lord Blencathra Lord Faulkner of Worcester Lord Judd Lord Morris of Handsworth Baroness Prashar Lord Sharkey Earl of Stair Lord Tomlinson ______

Examination of Witness

Paul Nemitz, Director, Fundamental Rights and Citizenship, Directorate-General for Justice, European Commission

Q12 Good morning, Mr Nemitz. Are you receiving the video all right?

Paul Nemitz: Yes, I am receiving you. Are you receiving me?

Q13 The Chairman: Yes, indeed. Thank you very much for coming along this morning to help us. I will begin by explaining, as I did to your Director-General when I met her a couple of weeks ago in Athens, that we are not producing a full report on Safe Harbour but are conducting a process here in our national scrutiny that we call enhanced scrutiny—that is to say, we deal in greater depth with the issue concerned, but not to the extent of producing a full report in the form with which I am sure you are familiar. At the end of the process, which will be at the end of April, we will then address a letter to our Government, which of course will be made available to the Commission, too, about how we think they should approach the communication which the Commission made on Safe Harbour some months ago. So it is very useful for us to have your testimony on this issue.

Q14 It is, as you know, on the record. It will be recorded and published. You will be asked to comment on it, and if you have any amendments, please let us have them. Other than that, we welcome any written communications from the Commission. Of course, we already have a great deal of material from the Commission that is very valuable. The Committee has also become aware of and has seen the outcome of the EU-US summit last week, which had a number of paragraphs that dealt with this issue. So you can assume that we are reasonably familiar with that, although it may be that your answers to questions will help us understand where things are in that process. That is all I want to say by way of introduction. If you wanted to make an opening statement, that would be fine, but if you are prepared to go straight into questions, that would be equally satisfactory. Perhaps you could very briefly introduce yourself and say whether you want to make an opening statement or whether we should proceed to questions.

Paul Nemitz: Thank you, Chairman, for this opportunity to talk about Safe Harbour and EU data protection generally. Let me just say by way of introduction that the age of big data needs big trust. We are doing our part in Europe, with your help, to reform data protection.

We are working on a regulation. As you know, the European Parliament has already adopted the text; now it is up to member states and the Council to agree it. We believe that they should be able to agree it because the European Parliament agreed by a very large majority on a good text. Safe Harbour is part of this work towards more trust. Our part is the regulation. Safe Harbour is really now in the United States’ ballpark. The Commission put its requirements on the table in the communication of 27 November of last year and we are, indeed, now working with the US to come to a good, upgraded Safe Harbour that brings back the trust we need for big data in the digital economy.

I am Paul Nemitz, Director for Fundamental Rights and Citizenship in the European Commission. In that function, I also talk to the United States Department of Commerce and colleagues at the Office of the Director of National Intelligence on the future of Safe Harbour.

Q15 The Chairman: Thank you very much. I think you have begun to answer the first question, but perhaps I could ask you to go slightly further. The question is on how the negotiations with the US are progressing. In what sort of timescale do you envisage them being brought to a conclusion, and to what extent is that process—the points that Vice-President Reding put on behalf of the EU to the United States last November and its response to them—part of the whole legislative process of the European Union as it processes the Commission’s proposals on data protection?

Paul Nemitz: First, on your question of how the talks with the US are going, we are, of course, talking about 13 concrete requests that the European Commission has put on the table in the name of the European Union. They concern transparency, the possibility of effective redress for EU citizens when data are transmitted for processing in the United States, effective enforcement of Safe Harbour principles and—this is probably the elephant in the room—limitation of access to the data transmitted. They also concern the way of transmission—I am talking about transatlantic cables—and the limitations on access by public authorities. The exemption for national security cannot be a routine rule for access. These are the subjects we are talking about. We are talking about them in a regular rhythm and we have made good progress on a number of points relating to Safe Harbour principles in requests 1 to 11. We have also had our first exchange—I would say it was a good exchange—on the need to limit access by the NSA.

It is clear to us—one can see this from the speech of President Obama on 17 January and the new policy instructions to the intelligence community in the United States—that the message that trust must be brought back and that there should not be routine byte access and byte surveillance on the internet has been understood. We hope very much that the principle of necessity and proportionality of access by national security services to the data of individuals can be concretised in Safe Harbour or alongside it in a way that satisfies citizens in Europe and Members of Parliament such as you—and the Members of the European Parliament.

I recall that your honourable colleague Claude Moraes, who is a Member of the European Parliament from the Labour Party, presented a report that contains key demands from the European Parliament on the European Commission, on member states and on the United States in relation to Safe Harbour. I am referring to the text adopted in the European Parliament on 12 March 2014. It is entitled, US NSA Surveillance Programme, Surveillance Bodies in Various Member States and Their Impact on Citizens’ Fundamental Rights. In this report, in finding 36 onwards, one sees the demands of the European Parliament, to which we as the European Commission also try to respond. As you will know, the European Parliament in this resolution asked us to suspend Safe Harbour because it came to the conclusion that at present the rights of European citizens were not sufficiently protected. The European Commission, in its communication of 27 November last year, which was based on our EU-US working group on data protection, which I co-chaired, has not gone in this direction. We have said that we should be given the chance to upgrade the protections of Safe Harbour.

There is a deadline, which is accepted by the United States, of summer 2014. We are awaiting new commitments from the United States, and then, on the basis of the new commitments, we will see whether they are sufficient to comply with our law and, on the broader issue, to bring back the big trust that we need for big data in the digital economy.

The Chairman: Thank you. Yes, indeed, I am well aware of Claude Moraes’s report. It was discussed at a meeting in Brussels about 10 days ago between the LIBE Committee and the home affairs committees of national parliaments. On that occasion, I pointed out to Claude Moraes that the European Parliament’s position suffered from a defect, which is that the European Parliament has no powers in the field of national security and was therefore not well placed to balance, as crucially as one has to in this area, the requirements of national security, the requirements of the 28 member states and the requirements of data protection, and that therefore I was not totally convinced by his report. But we can leave that to one side. You have half-answered the next question, but I will ask Baroness Prashar to ask it so that we get a very clear picture of your attitude on suspension of the present agreement.

Q16 Baroness Prashar: Thank you, Lord Chairman. Mr Nemitz, as the Chairman indicated, the question is: do you think that the agreement should be suspended, as has been recommended by the LIBE Committee?

Paul Nemitz: The European Commission has said that suspension is an option in the future, but that at this stage we want to work with the United States to upgrade the arrangement to a standard that complies with our law. We are bound by law to ensure that the protections under this agreement comply with Directive 95/46/EC and, independent of what the Commission is doing on this, national data protection authorities have the right and are obliged to enforce data-protection rules in the European Union also as regards transfers to third countries. So we are running the risk that the independent data protection authorities in Europe will start suspending transfers to the United States if they come to the conclusion that the arrangement does not work properly and that the deficiencies are not being addressed sufficiently by the United States. So what we are doing here is working also to ensure legal certainty, which is part of the trust that we have to bring back in the digital economy.

The Chairman: Have there been any signs that any of the national data protection agencies are likely to act independently?

Paul Nemitz: We have had a number of complaints in Europe to data protection authorities. As far as I know, two data protection authorities have rejected complaints relating to transfers to the United States. The complaint to the data protection authority in Ireland related to transfers by Facebook and was brought by Max Schrems from Vienna. The same Max Schrems also brought a complaint to the Luxembourg authority relating to Microsoft and Skype transfers. This authority has also rejected this complaint. Both these rejections are now subject to judicial review.

As far as I know, in Germany we have a number of complaints pending, and the German data protection authorities have issued a statement saying that for the time being no new approvals for transfers will be granted. As far as I know, there are some investigations going on in Germany into these complaints, but as these authorities are independent, they are not obliged to tell us about their investigation activities, so our information is patchy. Also as far as I know, there are two further investigations going on in Europe. Under EU law, these suspensions are possible. Eventually if the judicial review moves on, this issue may come before the European Court of Justice by way of a preliminary question from a national judge on how to interpret Directive 95/46/EC and the Commission’s decision on Safe Harbour, which is directly applicable EU law.

Baroness Prashar: But do you think there is a need for temporary safeguards in the interim?

Paul Nemitz: I think we have to move fast to implement upgrades in protection, because the right to data protection is a matter of the highest law in the European Union. It is a right that is protected under the fundamental rights charter and the European Convention on Human Rights. As one can see from the public debates in the UK and other member states and in the report from the European Parliament, it is a right in which very many citizens take very great interest. I think there is agreement between my partners in the United States and me when we talk that this matter has to be addressed speedily.

Q17 Lord Faulkner of Worcester: Good morning Mr Nemitz. It has been put to us by a panel of privacy experts that the redress rights of EU citizens need to be strengthened considerably and go much further than the Commission communications propose. One of the ways in which this might be done is by facilitating a class action. Do you agree with that?

Paul Nemitz: Whether we can introduce class actions by way of Safe Harbour in the United States, I do not know. This would be a matter of US law. It is true that in the United States many issues that are addressed in Europe by public enforcement are addressed in the United States by the instrument of class actions due to the absence of public enforcement. I do not even know whether this is necessary or whether class actions are already possible in the United States, but if the United States came to the European Union and said, “In the context of Safe Harbour we commit to class actions being made possible”, I think we would see that as a positive, but at this time there is no such demand in the catalogue of demands for 13 improvements in Safe Harbour which the Commission put on the table on 27 November. Nor is it included in Claude Moraes’s report from the European Parliament, as far as I can see.

The process of improvement is open to ideas. We have encouraged our American partners to think creatively and see what they can offer to recreate trust. It is true that very few people have sought redress so far under the existing Safe Harbour agreement, and I think it would be a mistake to interpret this as a sign that everything is fine. It is more likely that it is very hard for Europeans to seek redress before US dispute settlement bodies. Beyond that, there is EU law. National data protection is a complex matter and people often do not know what is happening to their data.

In short, we are working on improving and facilitating the redress mechanisms. The US is ready to move on this issue. I have had positive signals, and I can only repeat that if the US offers to introduce elements of class action, we would certainly not see that as a negative.

Lord Faulkner of Worcester: That is not very realistic, is it? American corporations seem to spend a huge amount of time and money resisting exactly that sort of initiative, so is it not overoptimistic to imagine that that might happen?

Paul Nemitz: As I said, we do not have an offer yet, and we are not asking for this yet. Your assessment may be right, but at this stage I really do not want to limit the work and the thinking on the other side of the Atlantic. What is necessary here is that we in Europe and the United States work together to recreate trust in what happens to individuals’ data when they use the internet and software and participate in our digital world.

By the way, any contribution outside Safe Harbour, such as an autonomous change of law in the United States relating to what the NSA does or does not do, is helpful, because in the end when it comes to the overall assessment under EU law that we have to carry out, we will look at the commitments which the United States has given us in the context of Safe Harbour in the overall context of US law. So my message is also that if the United States autonomously moves on in reforming NSA activity and introducing proportionality and necessity limitations on byte collection from EU citizens, this will also facilitate a positive assessment of Safe Harbour in the future. It does not need to be written into Safe Harbour documents.

Lord Faulkner of Worcester: Can I ask you, as the second half of the same question, whether you think that the EU Safe Harbour panel, the European data protection authority and the national data protection authorities, such as the Information Commissioner’s office in the United Kingdom, should have a bigger role to play in this?

Paul Nemitz: There is certainly scope for action by the national data protection authorities. Every national data protection authority, including the Information Commissioner in the United Kingdom, is free to undertake own-initiative inspections of whether transfers to the United States comply with EU law and Safe Harbour and to decide whether they are necessary and appropriate. I believe that this is valid EU law, which has to be properly enforced, so the answer to your question is yes, there is scope for activity, not only in terms of agreeing on resolutions, press statements and speeches but, if one wants to take this seriously, in terms of reinforcement work.

The Chairman: Presumably, if I can go back to your answer to Lord Faulkner’s first question, if the United States’ autonomous process of regulating the National Security Agency were to distinguish or discriminate between the protection it offered US citizens and the protection it offered EU citizens, the Commission would not think that that was very desirable.

Paul Nemitz: The reality of US law right now is that there is huge discrimination between the limitations on the NSA in relation to activities domestically and US citizens outside the United States on the one hand and EU citizens on the other. One finds this different treatment by national security services of their own citizens and other citizens in many legal orders. The question is the degree to which that is happening. What we cannot accept in Europe as the normality is bulk collection and mass surveillance without any specific suspicion about European citizens’ data.

We have to introduce elements of proportionality and necessity into the national security clause. This is the biggest issue. We have to get away from the blanket mass surveillance of everything that goes through the transatlantic cable and limit national security interventions to what can be justified under EU law. Let me say that very clearly. That is why I respectfully disagree with what you said about what the European Parliament can or cannot do. Under the jurisprudence of the European Court of Justice, the national security clause under the treaty, if a member state invokes it, obliges the member state to justify and to demonstrate that the purpose for which national security is invoked is followed by measures that are necessary and proportionate for this purpose. It is not enough just to say, “I consider this to be national security. You stay out”. No, the matter needs to be justified before a judge. In this debate about what is necessary and proportionate under EU law, everybody can participate, including the European Parliament. I believe that one of the great debates before us is how far European fundamental rights—the European Charter of Fundamental Rights, the European Convention on Human Rights and EU law—at this stage of integration between member states, put a limit on the unlimited blanket surveillance of citizens, including citizens of other member states.

The Chairman: I do not want to pursue further the discussion that I had with Claude Moraes, except to say that the point I was making was that the report that he wrote was based on a consideration that did not have the capacity to include the responsibility for national security, which rests with the 28 member states, and that that was perhaps not a fully adequate basis on which to carry this forward. But we can leave that point.

Q18 Baroness Benjamin: Trust was something that we all took for granted, but it has, as we know, been hugely abused and, as you have said repeatedly, it needs to be rebuilt. The communications said, “As a matter of urgency, the Commission will engage with the US authorities to discuss the shortcomings identified. Remedies should be identified by summer 2014 and implemented as soon as possible”. Also, “the Commission will undertake a complete stock taking of the functioning of the Safe Harbour”. However, the EU data protection supervisor has questioned the logic of agreeing remedies prior to a complete stocktake, so what form do you think the broader stocktake referred to in the “rebuilding trust” communications should take to satisfy everyone?

Paul Nemitz: Thank you very much for this question. This is indeed an issue that the College of Commissioners and the Commission will still have to look into because, under this communication, there are indeed two ways forward. One option would be to take the commitments that the United States will present in the summer and make a first assessment by the Commission. Then the Commission could implement the commitments in a new Safe Harbour decision and thereafter undertake a broader assessment with public consultation, and consultation with national Parliaments, the Council, the European Parliament and so on.

Since this is not a bilateral agreement under international law but a unilateral decision of the European Union on whether to accept the commitments, if such a review came to the conclusion that what the United States has put on the table is still not enough, nothing would hinder us at a later stage from coming back and resuming the talks with the United States and yet again having a decision that would implement a higher standard.

The other way forward is to look at the commitments that the United States puts on the table in the summer. We very much hope, of course, that we can say in an initial review that these commitments look good to us. Then we can have a public consultation, and consultation with the data protection authorities, the Article 29 group, the European Parliament and of course member states, because they are part of the decision-making process in what is called the Article 31 committee.

The Commission’s decision must be validated by a majority of member states. After this review process, we would implement the new Safe Harbour. Both options are before us, and I very much hope that we will make a good choice when summer arrives. I hope that through this choice we will be able to agree with our American partners.

Baroness Benjamin: Do you think this will happen by the summer 2014?

Paul Nemitz: My impression right now is that the US Government are willing to work hard on this and come to substantial commitments. So for the time being, we have a joint timetable that leads us to the US presenting its commitments in July. The big elephant in the room, as we have discussed, is the national security clause. This will require substantial work and a real political willingness to recreate trust and will give a bit of a special deal to Europeans, because, after all, what we are doing with Safe Harbour is also giving a special deal to the United States.

Q19 Earl of Stair: The European Data Protection Supervisor has called for greater clarity in the principles of Safe Harbour, better communication of them to citizens and industry and more inspections by the Federal Trade Commission. The principles were never designed for large-scale access to data by the United States intelligence authorities. What is the Commission’s assessment of these recommendations?

Paul Nemitz: We largely welcome these recommendations, because they validate the recommendations of the European Commission—the 13 points put on the table on 27 November. Let me just go through these points, starting with the last, which is that Safe Harbour was not designed to allow large-scale bulk surveillance of EU citizens. This is, indeed, what we have just discussed, and we fully agree. That is why the Commission is asking to limit the national security exemptions to what is really necessary and proportionate—and it is not necessary and proportionate to go through all the data that are transmitted by Europeans through the transatlantic cable.

On the question of better enforcement and inspections in the United States, we agree that we would not limit the request to the Federal Trade Commission. There is a division of labour of active enforcement and control between the Department of Commerce and the FTC and right now we are having constructive talks on how to intensify in particular the ex officio validation of compliance in the United States. I am quite confident on this point that we will make good progress.

I also note in passing that the fines held out by the Federal Trade Commission for non-compliance with privacy rules, including Safe Harbour, are far beyond what any European data protection authority so far has ever adjudicated. You will know that the settlements of the Federal Trade Commission with companies such as Google and Facebook, which concerned non-compliance with the Safe Harbour, go into double-digit million figures. So we can learn from the enforcement rigour of the United States Federal Trade Commission, which is in the fortunate position of being able to transfer the enforcement culture of competition law, for which it is also responsible, to the enforcement culture of privacy enforcement—and surely Europe can learn from this transfer of knowledge, as we have seen in a recent paper from Mr Hustinx. So yes, we have to have more ex officio activity in the United States and to come to the information point; and yes, citizens and companies must be better informed—on this, the Department of Commerce has some good ideas and is willing to help us—and the data protection authorities in Europe should better inform citizens in each member state via their own website on Safe Harbour and the related redress possibilities.

Q20 Lord Morris of Handsworth: Good morning, Mr Nemitz. In your view, does the recent announcement by the US President, requiring Congress to legislate before any measures can take effect, go far enough to ensure that requests for data provided under the scheme of national security reasons meet the test of necessity, and how will the Commission ensure that future application of the national security exemption will be proportionate?

Paul Nemitz: We must ensure together that the US reforms on surveillance effectively and meaningfully also benefit Europe and Europeans. To re-establish the big trust that we need for big data, it is not enough that the United States reforms domestic surveillance activities. This is plain to everybody who knows how much money American companies make on the EU market in relation to digital activities.

The trust must also come back to Europe, and it is the United States that has this possibility in hand. President Obama’s announcements give us some hope. We hope that it has been understood that reforms must also benefit Europeans. The President has recognised that the current data collection programmes of the NSA go too far. He also clearly said that certain protections that are currently available only to Americans should be extended to non-Americans. This is a step in the right direction, in particular as regards the specific attention given to the protection of the privacy of Europeans.

These words now need to be translated into concrete limitations and restrictions on the massive collection of the data of Europeans by the NSA. Safe Harbour offers an opportunity to concretise the President’s announcements. After all, Safe Harbour is a special deal, ensuring that data flows between certified companies in the EU and US are treated in the same way as flows between EU member states and EU companies.

This special deal, we believe, also deserves a special effort on the part of the United States to work with us on circumscribing and limiting further, and on making clear what the necessity and proportionality of national security activity means in this context. It is clear that massive collection of data by intelligence services on anybody, without suspicion, goes beyond what is proportionate and necessary.

There must be a meaningful limitation on bulk collection, covering not only the use of data by the US security agencies but collection and initial acquisition, on the basis of a limited catalogue of purposes. Effective minimisation and targeting procedures should be in place, as they are already in place for Americans. National security requests must be made only through Safe Harbour companies, and with their knowledge. These requests must be case-specific and strictly tailored to precise national security purposes.

We also need to come to some credible joint oversight and review mechanism of Safe Harbour, including the use of the national security clause. In other words, the US must provide Europe with convincing assurances that government access under these exemptions will remain an exception, and that exceptions will not swallow the rule. This is what we believe is necessary to bring back the trust that we all need for the digital economy to thrive, and which we all need to stay leaders worldwide in the protection of fundamental human rights. These are values that we share with the United States. Therefore, we also have to treat each other with full respect.

Q21 Lord Sharkey: Mr Nemitz, each previous review of Safe Harbour recommended better assurance of compliance by companies that are self-certified. What new mechanisms might deliver better legal certainty on this kind of compliance? I note in passing your remarks about double-digit million settlements, to which you referred a moment ago. It is not clear that they would mean very much to companies with net revenues as large as Facebook’s, for example.

Paul Nemitz: Thank you very much. First, on the fines and settlements, I think you are right: future fines for breaches of data protection have to be in line with the commercial value of the data and the turnover of the company concerned. This is a good and tested principle in EU competition law, as you know, for cartels and for illegal corporations and agreements between companies.

Under EU law, fines of up to 10% of the world turnover of a company can be imposed, and that is what we are doing. The European Commission, in the reform of data protection in Europe, has proposed that the maximum fine for non-compliance with data-protection rules should be 2% of world turnover. Of course, the fine always has to be proportionate: this is just the maximum limit. The European Parliament has now said 5%. I just want to say that the present practice of the FTC in terms of amounts already goes in a much better direction than the present practice in Europe—but it is right that we are catching up, and we will get better once the data protection reform in Europe is adopted.

On your question about Safe Harbour, the United States has, together with us, reviewed Safe Harbour twice: in 2002 and in 2004. We have seen, for example, increased activity by the FTC, which we welcome. We have also seen a stronger stance from the Department of Commerce in verifying certain elements of compliance with Safe Harbour. Our present conception is that there will not be a change of system away from self-certification.

However, this type of stepping up of ex officio checks and controls on companies to supply good papers, and not only to the Department of Commerce, about their self-certification—in the same way in which the tax authorities from time to time go on location and check that the papers comply with reality—will, we believe, provide higher certainty that the Safe Harbour principles will be complied with in future.

In the same direction, we have also asked for dispute settlement mechanisms to be free of charge. We believe that this is important because, as I said at the outset, with regard to the individual knowing what is happening to the data, it is a big issue for them to see only the problem. To then go to a dispute settlement in the United States also costs money. These are huge problems that have to be overcome. That is why it is important that the dispute settlement becomes free of charge. We believe that that is perfectly proportionate because, after all, the companies that use the data have the potential to make a lot of money with these data.

In parallel with this, a higher level of involvement from national data protection authorities and the joint panel on Safe Harbour will also be welcome. All in all, we believe that if our 13 demands are complied with, we will have higher legal certainty and a higher level of protection for our citizens in Europe.

Lord Sharkey: Just for the sake of clarity, can I confirm that that means that you envisage the level of FTC activity vis-à-vis compliance will remain at its absolute discretion?

Paul Nemitz: We are now talking about exactly that: we want to see, with the United States, how we can get certain commitments about ex officio activities. How to circumscribe this in the wording of the Safe Harbour is exactly the subject of discussion just now.

However, I understand your point and have the same concern. We started out by asking for a certain percentage of, for example, ex officio investigations. This seems to be a difficulty for the United States, but we will have to see; I think that this is being reflected upon.

I agree with you that there cannot be total discretion on whether or not to implement and control Safe Harbour compliance. The commitments to create the trust that we all want to create—and which the US Government wants to create for US companies that use Safe Harbour for transfers from Europe to the United States—are not without obligation.

Q22 The Chairman: Can I just finish this very useful evidence session by asking an additional question that puzzles me all the time. What is the relationship of the negotiations, the discussions, that you are conducting within the context of the Safe Harbour agreement to the negotiations that are going on between your colleagues on the transatlantic trade and investment issue, which are of course of huge interest to all our member states and parliaments, including the European Parliament? How do the two fit together, or are they completely separate?

Paul Nemitz: Chairman, thank you very much for this question. Of course, the European Union, as I am sure the British Government, Parliament and House of Lords do, looks at the relationships with the United States and other countries in an overall context. To answer your question very precisely, legally there is no relationship between these two; nor is there one in the mandates for the respective ongoing talks. However, politically, for example, the European Parliament and others make a connection, which is that if certain issues, particularly relating to the activity of the NSA, are not cleared up, we hear that ratification of TTIP will be difficult.


My view is therefore that I can help my colleagues from the Directorate-General for Trade who are negotiating TTIP. If we are successful in bringing forward Safe Harbour and the commitments are good, this will remove a liability from the TTIP negotiations. It is important that this is understood on the other side of the Atlantic. If you want TTIP, let us therefore all work together to make Safe Harbour a success story, to really bring back the citizens’ trust in the digital economy.

The Chairman: Thank you very much indeed. This has been a very useful session. We have covered a lot of ground. You have been very generous with your time. Thank you for that. We will of course send you the transcript. If you would like to comment on that, that is entirely up to you. Meanwhile, the enhanced scrutiny that we are conducting on this has been advanced very usefully by our session this morning. Thank you very much.

Paul Nemitz: Thank you very much, Chairman.

European Data Protection Supervisor and Information Commissioner’s Office—Oral Evidence (QQ21-32)

Evidence Session No. 3 Heard in Public Questions 21 - 32

WEDNESDAY 2 APRIL 2014

Members present

Lord Hannay of Chiswick (Chairman) Baroness Benjamin Lord Blencathra Lord Faulkner of Worcester Lord Judd Lord Morris of Handsworth Baroness Prashar Lord Sharkey Earl of Stair Lord Tomlinson ______

Examination of Witnesses

David Smith, Deputy Commissioner, Information Commissioner’s Office, and Mr Peter Hustinx, European Data Protection Supervisor

Q23 The Chairman: Okay. I welcome our two additional witnesses to this part of the session. I am glad that you were able to hear the previous evidence. I am sure that was valuable for us, and I hope for you too. We welcome you both here—Peter Hustinx, the European Data Protection Supervisor, and David Smith, the Deputy Commissioner in the UK Information Commissioner’s Office. I am not sure whether you were here at the outset but, for the sake of clarity, I shall explain what we are doing.

Q24 This is not a full inquiry of the sort that we usually conduct, and which you are quite familiar with, which leads to a published report of 20, 30 or 40 pages. This is a process that we call enhanced scrutiny, in which we look in greater depth into a European document that has come to us to scrutinise and give our views in somewhat greater detail to the Government than we would in the normal run of European legislation. In this case, it is the Commission’s Safe Harbour communication that we are looking at, and we are likely to give our views to the Government about the end of April or beginning of May, after which they will respond. So these views will not be expressed to the Commission—we will of course make them available to the European Commission and to the Information Commissioner—but to the Government, who will no doubt in due course respond to them.

Q25 Thank you for coming along. As you know, the evidence is on the record. We will let you have a transcript in due course, and if you have changes that you want to make to it, you must let us know, although it will be on the website in its original form straightaway. If you agree, it would be helpful if you could start by introducing yourselves.

Q26 I explained to the Committee before you came in where the European Data Protection Supervisor sits in the not entirely straightforward arrangements within the Commission and the European Union, but if you could enable us to understand precisely where you sit in relation to the officials of the Commission and Director Nemitz, whose evidence we have just heard, that would help the Committee quite a lot—and perhaps say a few words about the Information Commissioner’s position on all this. If you then wish to make an opening statement, by all means do so. If not, we will go straight on to questions. It is up to you.

Mr Peter Hustinx: I can confirm that I am Peter Hustinx, the European Data Protection Supervisor. It is a completely independent European institution, like a European ombudsman. Our role is to ensure compliance, to supervise the European Commission and other institutions and bodies all over Europe, but also to advise the legislator—the Commission, Council and Parliament—on new policies and new legislation, and to work together with national regulators in the context of the Article 29 working party and beyond to ensure consistency. So much for my introduction.

I want to add that I have made public statements on the very same subject previously, on two occasions, and I think that you have access to those documents. In the context of an opinion in February about the Commission’s communication on the wider issue of restoring trust in EU-US data flows—Safe Harbour was a part of that—and in October, before the LIBE inquiry, where I wanted to put my remarks on Safe Harbour in a wider framework. That framework is not the subject of your inquiry, but if we are discussing Safe Harbour, it is still important to put that at least in the context of its role in the current data protection directive. So if you will allow me, when we come to the merits of Safe Harbour, I will slightly digress and give you the wider picture. The documents are available to the Committee. I have heard you refer to that, so I trust that it is fine.

David Smith: I am David Smith, Deputy Commissioner from the UK Information Commissioner’s Office. The Commissioner himself, Christopher Graham, apologises that he cannot be here today, but I have particular responsibility for data protection matters in our office. Our role is essentially supervising compliance with data protection obligations by UK organisations, which includes transfers of personal data by those organisations to the US under Safe Harbour or, indeed, by any other means. Also as the UK authority we take part in the Article 29 working party, which is the collective grouping of EU data protection authorities. The Safe Harbour communication from the Commission is on our agenda and will be discussed in our meeting next week. It is possible that the Article 29 working party will also issue a view on this matter.

The Chairman: So if I have understood it rightly, you will discuss this next week within the Information Commissioner’s Office.

David Smith: No, within the Article 29 working party with the other European data protection authorities, including Mr Hustinx. On the agenda there is a commentary on the Commission’s proposal. I cannot tell you at this stage what will be adopted.

The Chairman: No, of course not. But we are having a session with the Minister next week. Which day will the discussion take place?

David Smith: Wednesday and Thursday.

The Chairman: I think we will have to ask the Minister when he comes before us to give us an account of the discussion in the Article 29 working group, not in our evidence session on Wednesday but in writing after that and before we complete our enhanced scrutiny, because it clearly will be relevant. It is very helpful that you have drawn our attention to that—so I thank you.

David Smith: As soon as anything is published, we are a member of the group so we can make sure that we send you that communication.

Q27 The Chairman: I am sure, one way or another, before the end of April, when we have to put our thoughts together, that we will need to see the outcome of that. Thank you very much for that. I start with a very general question. What do both or either of you feel are the key strengths and weaknesses of the present Safe Harbour agreement?

Mr Peter Hustinx: Briefly put, Safe Harbour is one of the instruments to provide for adequacy in data flows from the European Union to a third country—in this case, the United States. It has an additional merit, and I shall mention that in a minute, but adequacy is something to be understood well. This relates to data flows to third countries under Articles 25 and 26 of the directive. In those situations, controllers transferring data to the US are bound by national law to all the other provisions, so it is an additional requirement. European law in some cases continues to apply when controllers are transferring and continuing to be controllers.

The second point is that adequacy was conceived not as equivalent to European law but as sufficient in the circumstances. The concept of adequacy was developed early on, 15 years ago at least, and has been consistently applied since then. It is a functional concept in all adequacy findings, usually applying to third countries but also indirectly evaluating contractual arrangements and other instruments such as, more recently, binding corporate rules, where these same criteria are applied. At that stage, when adequacy was conceived, it also included the possibility of self-regulatory arrangements. So in theory any jurisdiction that had only or predominantly self-regulatory approaches could lead to adequacy if a number of conditions had been fulfilled.

The Safe Harbour arrangement was conceived as a very creative effort to build a bridge between the EU approach, laid down in Directive 95/46, and the predominantly self-regulatory approach in the US. There was scattered legislation, but there was not the kind of general approach that we had in the EU. However, there is a general rule providing the Federal Trade Commission with jurisdiction in cases of unfair or deceptive trade and the like. So with the Safe Harbour arrangement, the idea of publicly committing to compliance with certain principles and not delivering it in practice would trigger the jurisdiction and the action of the FTC. That was the creative effort.

The Article 29 working party at that stage was involved in the preparatory stages with continued criticisms, which then led to a final outcome, which the group at that time considered satisfactory. It has followed this since with continued efforts to make it happen.

Safe Harbour had a difficult start, and that partly also translates into the kind of improvements that have happened gradually, in 2003, 2004, 2009 and so on.

In summarising the merits, the creative effort was successful to some extent. The mechanism has gradually been used to provide adequacy for a group of well over 3,000 small and large companies. It has also moved the debate in Europe and the US to more than just contractual arrangements and to the so-called real data protection, where you have to do data management, implementation, auditing and practical privacy.

In a way, Safe Harbour has been the birthing ground of the next step of binding corporate rules, but meanwhile the world has changed. The internet has developed and companies now in Safe Harbour are in many cases by no means small. We have seen very big ones. The phenomena include things like cloud computing arrangements. The weaknesses of Safe Harbour have therefore become more prominent in recent years, and the NSA story on top of all this has now pushed them to the fore. The weaknesses have been addressed, as well as the fact that there are different elements that need to be in place.

There is a role for the Department of Commerce. There is a back-up role for the Federal Trade Commission. There are complaint and alternative dispute resolution mechanisms. There is a need to have privacy policies, and there is self-certification. The architecture of the arrangement requires that all those elements perform well. There is a lack of transparency in the details but also in the overall functioning. What are the percentages? What are the problems? We have very few statistics about the effectiveness of Safe Harbour.

There is an issue about actual compliance. We will have to develop that. Indeed, there is a general issue of protection after leaving Safe Harbour because of onward transfers. Onward transfers have now developed into the big elephant; they are understating the issue of lawful or unlawful access by Governments. However, my reading of the arrangement is that the merits still make the system worth improving. That is why suspension is not the most appropriate way right now. Safe Harbour has considerable merits—that is still my belief— but the weaknesses need to be fixed urgently, and it will take some big fixes to do so.

David Smith: We essentially share the view that there is much that is good in Safe Harbour, but it still needs considerable improvement. There is no doubt, in our view, that it has led to improvements in privacy practices among US businesses. That is not universal, and there are certainly weaknesses in terms of those who sign up to Safe Harbour not necessarily delivering on their promises. However, some do, to good effect, so it has led to improved protection. It is better in our view, particularly if the weaknesses are fixed, than the contractual solution: just having a contract in place to ensure proper data protection. That is merely a legal solution and does not embed privacy practice in a business effectively.

But there are weaknesses, and one of the greatest ones, which is not easy to resolve, is that if you are a US business, you have US customers and EU customers. You are only required to apply the Safe Harbour principles to your EU customers, and you may do things very differently for your US customers. Indeed, you may see the principles as red tape obligations that you have to apply to EU customers. That is not the most effective way in which to deliver privacy. Where it is most effective is where a business has said, “These are principles I am required to deliver for EU customers and I will deliver them to my US customers and embed them in the culture and thinking of my business”. There has been some movement in that direction, and that is where it works well.

The failings have been clearly identified. Any good system of data protection, when you are looking at whether another country provides adequate protection for data transfer, involves principles, and we have the principles in Safe Harbour of accuracy and rights for individuals. But it also involves procedural enforcement mechanisms—something that ensures that there is a good level of compliance with those principles: support and help for individuals, data subjects who have complaints and problems, and appropriate redress if they have suffered damage.

It is in that area where Safe Harbour falls short. That role in the EU is provided by us: an independent data protection authority. But the US does not have that approach. It is, if you will forgive me, cobbled together by the Federal Trade Commission’s role, which is very important, and it has done some good work, but it is not the equivalent of the European data protection authority. There are also self-regulatory schemes: TRUSTe, the Better Business Bureau and so on. It is not as good as we would deliver here, but it addresses some of the weaknesses about ensuring compliance and proper support for individuals, which is important.

To add one other point, the surveillance issues and the question of the Snowden revelations are a bit of a red herring here. These concerns about the Safe Harbour are long-standing, and ones which the Article 29 working party expressed right from the beginning. When Mr Nemitz talks about the cables being intercepted, that is not a Safe Harbour problem. The cables would be intercepted whether you transferred data under contract clauses, binding corporate rules or any other measure.

I am not saying that the Snowden revelations are not relevant here, but these concerns would exist without them, and it is not clear to us exactly how much of the data that are accepted to have been accessed by the US intelligence authorities were transferred under Safe Harbour. All the revelations are to do with telecommunications data: call records and internet access records. Telecommunications businesses are outside the scope of Safe Harbour because they are not regulated by the Federal Trade Commission or the Department of Transportation. We simply do not know, but the idea that masses and masses of data are being transferred under the cover of Safe Harbour and are therefore accessible to US intelligence authorities may be a little misplaced.

The Chairman: That is certainly a point that we will need to follow up next week when we talk to the government representatives to see whether they share your view.

Lord Sharkey: I understood what you said about the confusion over transatlantic cables and companies in Safe Harbour. Nevertheless, the issue is about the onward transmission of data, and that clearly applies to companies in Safe Harbour, so this is surely an issue that we must address as we address the defects of Safe Harbour.

Mr Peter Hustinx: There is an obvious overlap. Some very prominent companies have chosen to join Safe Harbour and are using this quality assurance in their advertisements. Microsoft, Google and so forth are part of that.

Lord Sharkey: So the answer is yes.

Mr Peter Hustinx: They are both true. It is not only Safe Harbour; it is contracts and others.

Lord Sharkey: But it is also Safe Harbour.

Mr Peter Hustinx: Yes, so it is important to clarify this exception clause extremely well.

Q28 Baroness Prashar: Thank you very much indeed for those comprehensive answers.

You began listing the weaknesses. Can you elaborate a bit more on how you think that those weaknesses should be addressed?

Mr Peter Hustinx: I largely agree with the 13 points submitted by the Commission. They are definitely correct. In the opinion that we submitted in February I have added a few more points of detail, but I have mainly criticised the vague perspective on what is next. I just heard Mr Nemitz explaining that there is very likely to be a phased process, and it strikes me as rather an intelligent way of negotiating not to do this in one step. But there is a process going on, and I am delighted to hear that its first phase is going well.

In the discussion, there is a repeated reference to suspension, yes or no. That is also about how we would approach it. I want to make you aware of the fact that, to put it simply, suspension enters the scope of the discussion on two entirely different levels; you can find them in Articles 3 and 4 of the Commission decision. Simply put, data protection authorities have a sanction in concrete cases to intervene and stop data flows, provided that a number of conditions are fulfilled. They are quite demanding, but if they have tried and there is no prospect of things going better, then suspension is an appropriate sanction. The other suspension is more to do with the system as such. That would involve the cover that also provides some assurance in cases where nobody has done anything wrong. We have to keep these apart.

DPAs have the potential to stop flows in concrete cases as a remedy. The Commission has a range of options, and any decision is one-sided; it is not part of an agreement. However, if we have all negotiated, the Commission probably wants to try improvements first. In fact, that is the phased approach that I heard being expounded by Paul Nemitz. I find that an acceptable approach. He also distinguished between the easy parts and the more complicated parts: the bits to be provided by July this year, and then maybe points 12 and 13 a bit later. That is still a very important part of the problem.

It also requires not only negotiations with the Department of Commerce but commitments from other parts of the Government; I heard a brief reference to the national intelligence community. It would require that the bulk collection is addressed, which makes it without any doubt beyond necessity and proportionality, and that the very recognition of the need for necessity and proportionality is applied to EU data. This has been alluded to by President Obama, but has not been delivered so far.

To develop this slightly, if we read carefully the presidential statement and his policy document from January, we see positive messages and good sounds, but I will give you two examples from the small print. One example is the concept of foreign intelligence, which is the leading concept, is much wider than national security. If something says, “Signals intelligence shall be collected exclusively where there is a foreign intelligence purpose”, that does not in itself imply a very specific limitation. It is a question of seeing what this all means.

Another example is Section 1(d) of the presidential policy directive, which says that signals intelligence activity shall be “as tailored as feasible”. That is, of course, flexible language. If we compare this with, for instance, the experience of the US TFTP agreement on financial data, the Europol joint supervisory body reports that similar language allows for the practice of saying that targeting is not possible and therefore it must continue mass collection.

We need to have substantial assurance to fix that particular point, but on the whole the approach is okay and at this stage a suspension would not be wise. It should be kept in reserve, along with other options such as reductions and restrictions. There are some bargaining chips for negotiation which we can use in a smart fashion.

The Chairman: The Information Commissioner’s view is the same on suspension?

David Smith: It is. We broadly support the Commission’s view that that is the right approach. There are some encouraging signs that the US is responding to that. If there was to be suspension, and it should still be kept as an option, there are some real risks. It must not be forgotten that a large amount of EU or British citizens’ data has already been transferred under Safe Harbour, so you cannot just pull up the drawbridge. There is an ongoing question of looking after those data. There are within Safe Harbour many businesses that are playing by the rules, even if there are also those which are not. It is important to look at their and their customers’ positions to see where it leaves them.

It again comes back to what the reason would be for suspending Safe Harbour. If it is about specific deficiencies of Safe Harbour, then there are arguments to suspend it. If there are actually, deep down, concerns about US surveillance activities and the activities of the NSA, you really get to the question of whether we should not suspend all transfers to the US, whatever the mechanism, because it is not a particular weakness of Safe Harbour. I am not for one moment advocating that, but there is a risk of seeing Safe Harbour as the problem when, as was said, it applies to Safe Harbour but it also applies to others.

To clarify one thing about the role of the data protection authority—us—in suspending our transfers under Safe Harbour, essentially we are not able to do that. Safe Harbour is a European Commission finding of adequacy. We have to respect that. So long as businesses comply with Safe Harbour, we cannot stop them transferring data. In that process, it is not for us to judge whether Safe Harbour is adequate or not. If they are not respecting Safe Harbour rules, we can step in and take action against them.

Q29 Lord Judd: I was very interested by the words that you used when you said that there are businesses that play by the rules but there are those that do not. It would be helpful, certainly for me, if you could give an indication of what the proportionality is.

David Smith: I am afraid that I cannot; we simply do not know. That in itself is one of the weaknesses of Safe Harbour. Because it is so reliant on self-certification without any independent, authoritative checking of whether the self-certification is justified, we cannot know how many are not compliant. However, we certainly know from Federal Trade Commission actions that there are businesses that say that they are Safe Harbour members and they are not, and those that are not necessarily meeting the obligations that they have under the Safe Harbour principles.

Lord Judd: You compound my anxiety. You seem to be telling us that the culture is not yet self-evidently there.

David Smith: I think that what is not sufficiently there is the checking of whether those who signed up to the Safe Harbour promises honour those promises in practice, and the mechanism for doing so is less strong than it would be within an EU environment.

Lord Sharkey: Just to follow that up briefly, you said a moment ago that there were many businesses in Safe Harbour that play by the rules. Following Lord Judd’s question, I was curious as to how we might know that.

David Smith: There are a number of ways in which you can come to that conclusion, simply by looking at the information that is there on websites. I have performed only my own sample check, looking at what Safe Harbourites put on their websites. Some have very good, comprehensive privacy policies with which we would be perfectly happy in the EU. I appreciate that there is then a question of whether they are actually doing that in practice, but that is a start. You go to others, and there is nothing there; you cannot find any information about Safe Harbour.

The Chairman: This activity that you are describing—your own anecdotal evidence—is that something for which you need a legal authority? Or is this just something that you are doing? Do you have an inspection right?

David Smith: No, we do not have an inspection right. It is at the end of the day anecdotal evidence. It is also based on the very small number of complaints that have been received by our office. The problems of data that have been transferred under Safe Harbour are not a regular feature of our complaints workload, which is huge. These feature very rarely. There is therefore no evidence of widespread consumer concern that Safe Harbour is leading to detriment. That is not to say that everything is right but, anecdotally, it is not all a mess, either.

Lord Sharkey: Could I just be clear about this? The anecdotal evidence you are talking about is surely evidence of the assertion of compliance. It is not evidence of compliance.

David Smith: I would say that it is more than evidence of an assertion, but it is also anecdotal—it is what we see. The complaints are few and far between. I have been to the US and have talked to businesses, and it is clear that it is driving better practice among US businesses. They take the safe harbour very seriously as a way of enabling transfers to the EU. So I am not saying that everything is good. It is not. Problems have clearly been identified before. Equally, it would not be right to say that every business that signed up to Safe Harbour is just making a gesture.

Q30 The Chairman: Some of our witnesses have suggested that one reason for the lack of complaints is that the process is too complex, costly and time-consuming, and that people are not really encouraged to use it. Is that a fair view? Are there things that both national and European authorities could do to make the complaints process easier for people to access and to use that they are not doing at the moment?

David Smith: There is certainly some truth in that. People may not know how to complain, and some of the mechanisms are costly—although on the figures that we have, most of the mechanisms through which people can complain are free of charge. However, it could be putting people off. We can make more information available on our own website about how to make complaints under this mechanism, and the ability to direct complaints through our office. However, given that the numbers are in the ones and twos at the moment, I do not have a feel from what we know of this that if we suddenly put a big notice on our website, complaints would flow in by the hundreds.

Q31 The Chairman: I think that it would be helpful for the Committee if you and the Commissioner could let us know before we write whether you intend to make the accessibility of your office for complaints a little better known. It would help us in the advice we give to the Government on this if you could let us know that before the end of April, if possible.

David Smith: We will certainly do that.

Mr Peter Hustinx: One problem is that the structural flaws have an impact on what we were just discussing. Within my jurisdiction, no companies have signed up to Safe Harbour. European institutions rarely interact with companies that have done so, so it enters our supervision indirectly, and on those occasions we have not come across any signs of wrongdoing.

The structural flaws and the transparency issues, and there are a number, are handicapping this enormously. It starts with the list of Safe Harbourites being sometimes misleading, either because it is incomplete, because the names on it are no longer Safe Harbourites, or because the claim is made but they are not on the list. Plus there is what David Smith just mentioned: if the Safe Harbourite has finished adhering to the scheme, the obligations continue for past data. That is a blurry picture.

Self-certification is one thing. The Department of Commerce has become increasingly active in following this up, and that is welcome. One issue is the publication of the policy on the website, links to and from that website, and the substance of the policy. There are different layers. We know from experience that around 10% of false claims are about Safe Harbour adherence; the Federal Trade Commission has become very active in that area and set a number of examples. The list from researchers focused on that. Of course, the 10% is more if you relate it to the 3,000 rather than the original 10%. I am afraid that it will be very difficult ever to get it back to 0%.

I am saying that if you fix the structural problems, as apparently the Commission is trying to get sufficient buy-in from the US authorities to do, it is more likely that the enforcement problems that exist on the European side will also be addressed. That transparency will also be to the benefit of European consumers and data protection authorities. We therefore do what we can at a European level. Recently some cases have come to the panel, which is composed of national authorities because they are dealing with this. Max Schrems was mentioned. He and his friends are a very intelligent action group who pushed the point. So it is helpful, but it is not the same as large numbers of people taking action, which would be necessary to have an effect.

The Chairman: I think I will ask Baroness Prashar to ask her question, if you could swap, because she has to leave in a few minutes.

Baroness Prashar: No, but I have asked the question. I was only waiting to hear Mr Smith’s answer to the question about how he thinks the weaknesses should be addressed.

David Smith: I am happy with the information that has been given so far, unless there is anything else in particular.

Q32 Lord Judd: You will both be more aware than most of the Commission’s recommendations on increased transparency. I hope that we can find some way of summarising them in our report so that I do not have to bore everybody by reading out the summary, because we all have it in front of us and you are well aware of it. Do you think that these proposals are sufficient, or do you see weaknesses and things that should be addressed?

David Smith: We would describe them as a good start. Requiring the public disclosure of a privacy policy is essential. That policy should properly describe the practices of that organisation. I think that we rather kid ourselves if we think that consumers will read pages and pages of text. It is more about accountability and living up to your promises, and that is where the powers of the Federal Trade Commission come in. We should insist on this, but there is a tendency in the US approach to privacy. Notice and choice are big principles there. We have a lot more in the EU regime. The other sorts of measures are very important. It is not just about transparency; it is just one building block, and that is very important.

I add a couple of points on transparency. The whole structure of the Safe Harbour agreement is not helpful to understanding how it works. So much of it is contained in frequently asked questions and answers that, as far as we know, nobody has ever asked. The frequently asked questions and answers contain a mix of rules, guidance and explanation, so it is not very clear what the rules are. That does not lend itself to people being able to understand very quickly what it is about.

The other aspect of transparency is what we call subject access: the individual’s right to know what is being kept about them by the US organisation. There are a lot of restrictions on that right within the Safe Harbour agreement, far more than there would be under EU law. To remove some of those restrictions would be helpful. Those are the main points.

Q33 Lord Judd: Can I just ask you a specific question, Mr Smith? You say that accountability is critical. I totally agree with you, but for accountability to work there has to be a very alive, well informed and large constituency of people who are interested in the issue and able to demand accountability in an informed way. Do you feel that we have had adequate debate in this country about what it is all about, or are we all lost in a world of legislation and the rest, without that debate having taken place?

David Smith: Further debate would undoubtedly be helpful. There is a need for a debate between how you describe accountability, which is accountability to individuals, and accountability to the regulator. Should individuals, going back to the company and saying, “I want you to explain this”, rather than reading it all, be able to say, “You have made your promises, I know there’s a regulator here, I trust your promises and if I am let down I’ll go to the regulator”, and it is the regulator who says, “You’ve let this person down.”? In many ways, the latter is the more effective mechanism, because you cannot expect people to read the masses of privacy policies.

The problem with Safe Harbour is that that regulatory mechanism is not as effective as it is when you have a European data protection authority. One way of addressing the weaknesses here would be to have a US Safe Harbour regulatory authority, but that is so out of step with how the US approaches these issues that it is probably not a realistic expectation.

However, it is how you would better deliver our sort of system. We are trying to piece the bits together to make the self-regulatory part of it more effective and known to people, removing charges from it, giving the FTC a stronger role and checking that more than a small percentage of people’s self-attestations are worthwhile. We think that a substantial percentage, maybe all of them, should be subject to some measure of checking. When we have looked at seal programmes, which are supported by the European Commission and are in the regulations, they would involve a much higher level of authentication than just an occasional spot check.

The Chairman: I think we must move on.

Q34 Lord Faulkner of Worcester: Mr Smith, you have heard in answer to an earlier question about citizens’ redress; you were in the room when I put the question to Mr Nemitz on this subject. I ask you more or less exactly the same question: do you believe that class actions could be one way of improving the opportunity for citizens to get redress, and how likely is it that the United States would ever agree to such a thing?

David Smith: I have some difficulty understanding what is being suggested here, because class action is available under US law, as I understand it. Presumably therefore, people could already take class actions under US law against Safe Harbour participants. If it were a breach of the EU provisions, there is no provision under EU law—not even in the Commission’s proposals—for class action in this area. One thing that concerns me is that we should not look too much to legal solutions and the ability to take cases through the court. They are an important backstop, but even in the UK we do not get many cases going to court because it is expensive, difficult and not easy for citizens to understand. The idea of them joining in a class action in the states is perhaps theoretically helpful. It is much more important that we have these regulatory mechanisms and complaint resolution approaches and alternative dispute resolutions, which provide redress and compensation, than just concentrating on court action, necessarily.

Q35 Lord Sharkey: I wanted to talk about Safe Harbour in a more general sense. It seems to me that Safe Harbour is fine in principle only if we know that the companies are compliant. The mechanisms for knowing that they are compliant seem to me to be entirely reliant on the absolute discretion of the FTC. Not all regulators in the United States are as responsive as each other. The SEC, for example, is a responsive regulator. The FTC, perhaps, does not have quite the same standing. Is a situation in which our knowledge of whether a company is compliant is almost absolutely dependent on a regulator we have no control over a satisfactory outcome of these negotiations?

Mr Peter Hustinx: The system is a bit more developed than that. The FTC is at the end of it. Safe Harbourites, in large proportion, have signed up to self-regulatory quality-control systems. Some of them claim that they do very useful work, but we know very little about their effectiveness. Those mechanisms should produce a signal to the next layer, and the next layer would then be triggered by the signal. The same applies to the alternative dispute resolution system and so forth.

Part of fixing the structure is that the linkages between the different layers are working satisfactorily. In recent years, the FTC has stepped up its involvement, as the Department of Commerce has done, with more active checking. Mr Nemitz mentioned that this would be welcome in terms of certain percentages. The FTC has assured us that it looks at Safe Harbour status in all its cases, even if it is not a Safe Harbour complaint, so that is another welcome sign. However, the negotiations with the US Government should provide for a bit more than just a complaint-driven system. That is where the big hole is, and is exactly what David Smith mentioned. Regulators in Europe would at least also do focused surveys.

Another structural problem is that in Europe, within our jurisdictions—this applies to all national regulators and even to my own jurisdiction—the controller transfers data to a destination but the destination, as such, is not within the scope of your supervision. It would be a very indirect way of checking from Europe. Therefore, we need to have a more structural form of monitoring, and that is an essential element of a sound architecture. No regulatory agency anywhere in the world works on the basis of 100%, but a number of percentages with psychological weight as to their perceived efficacy are essential.

The Chairman: But in a sense, if I have understood it rightly—and Lord Sharkey’s question, too—we are up against something that is being considered quite elaborately in the TTIP negotiations. That is to say that we are up against a situation in which the way forward appears to be that we accept each other’s regulatory authorities as being the best that you can achieve and that we accept their rulings on drugs, the safety of cars and so on. That is the whole basis, if I understand it rightly, of what is being done through TTIP.

I suppose our question to you is whether that sort of approach is capable of being applied in this new and fuzzy area of data protection. If not, I think we are all in trouble. If it is capable of being applied, presumably your response is that the more elaborate improvements that the Commission is pressing for will enable us to have confidence.

Mr Peter Hustinx: It is beyond my competence to speak on the larger side of the TTIP connection, but I see the parallel. In the field we are dealing with, we should not forget that the Safe Harbour discussions are taking place in the relevant context of legal reform. In the EU we are discussing an enormous increase in effectiveness in the legal framework. Safe Harbour will also be a building block in that particular regulation. In the US, it is not progressing as we would like it to, but there are also activities to step up law enforcement by the FTC.

In that context, I will mention, if I may, class actions, which we just touched on. On the EU side, that is approached a bit more widely by the term “collective redress”. The proposal currently on the table contains a provision that at least allows collective redress via, say, associations or entities acting on behalf of their constituency. That will lead to more enforcement and much stronger enforcement, with sanctions et cetera. There is a lot of co-operation with the FTC, in particular, on cross-border issues. We should not underestimate the possibility of bringing more vigour to enforcement, provided that the structural flaws of Safe Harbour are addressed. If there is sufficient support on the US side, I think we can make quite a difference in this context.

Q36 Lord Judd: Turning to the exploitation of the national security exceptions, how do you think this should be addressed, particularly in the light of the actions of mass surveillance that we have been talking about? Do the recent announcements by the US President, which require Congress to legislate before they can have effect, go far enough to ensure that requests for data provided under the scheme for national security reasons meet the test of necessity? You will of course have been listening to Paul Nemitz and his views on this, but I would like to have yours.

Mr Peter Hustinx: I mentioned some elements of the presidential speech and the policy directive, which was released in January. There are some elements that I do not find entirely satisfactory yet. There are other examples, too. I heard Paul Nemitz saying that the difficult issues are being addressed, but there seems to be a common idea that trust needs to be restored. I read that as code for saying that it is possible to come up with some assurances and it will depend on whether the outcome comes sufficiently close to the kind of necessity and proportionality that we would seek. However, if that stays very general, I am afraid that it is not going to be sufficient.

You asked for my view and I will give you the relevant context. Certainly the European Parliament has been quite clear about what it thinks if that point is not sufficiently addressed. Politically, it could have quite negative consequences, so there is a strong incentive to get it right and I hope that it is successful in getting it right. Then I ask myself how we verify that this is complied with in practice. It starts with agreement on the intention, and if that is not available, we have a problem.

Q37 Lord Judd: In terms of personal freedom and privacy, with all your great experience, do you sometimes have the feeling that you are helping us all to stick fingers in the dam when, to revert to the Lord Chairman’s point, the danger is that the dam is collapsing?

Mr Peter Hustinx: As a Dutchman, my experience of dams and dykes is considerable—I know it does not take a finger. No, I do not have that feeling, but the sense of urgency is very great. It is not only a question of large-scale surveillance; it is also about the vulnerability of the internet. We have seen huge innovation with great upsides, but increasingly we are discovering the downsides of these innovative but also very vulnerable structures. I think that we need to scale up our legal frameworks to that reality and be much more critical of the technology. The technology community is also quite shaken by what has happened. We are aware that standard setting around the internet is being rethought. Is traceability so good? It is that ecosystem—a word that is used very often—that has allowed the large-scale monitoring.

You asked me to be straightforward. If we open our eyes, it is not just the NSA and its colleagues who are doing the monitoring; there seem to be huge business cases built on monitoring. That is what we need to rethink. Those are exactly the stakes for the proposed data protection regulation, and it will flow through channels like this, so the stakes are big. It is not just about fixing Safe Harbour. The regulation needs to be fixed and then Safe Harbour needs to be trustworthy in dealing with data flows to other countries.

To give this another context, third countries around the world are following this discussion very closely and are keen to suggest similar arrangements. That could involve not just EU-US but India, Brazil, China or Japan. So this is a very important test case to get it right. In that sense, the FTC is a robust enforcer and the whole system builds on its active role. I would not like to buy into something that was much less trustworthy. That is obvious. But there is a perspective and we are being watched in this whole exercise.

David Smith: Let me just add, Lord Chairman, that I think that we as data protection authorities are effective in regulating within our remit and our competence, which extends to companies such as Google and Facebook, where we and other data protection authorities have taken effective action to bring about data protection compliance. But national security matters are largely outside our competence, and we cannot control what is done in the name of national security. That is really a matter for Governments and member states to reach political agreement on. The problems over surveillance will not be solved by addressing the Safe Harbour alone. Some sort of intergovernmental agreement is needed.

One of the difficulties that we face is the different treatment of US and EU citizens, which is at the root of the problems, but, as Mr Hustinx said, this is not just a US problem. We have been approached with questions about outsourcing telecommunications to the Far East.

What sort of surveillance happens if it is outsourced to China? I do not know the answer to that, but there are real questions there. Most of the surveillance questions and the Obama proposals are really about access to call records and electronic communications. Safe Harbour is not primarily about the transfer of call records and electronic communications. As I said earlier, it is much more about employment and customer data and so forth.

Q38 The Chairman: In your last answers, you have raised three points. One is the fact that you omitted to refer to Parliaments, which I think also have some responsibility for national security.

David Smith: Absolutely, I apologise.

Q39 The Chairman: Secondly, I think that what Mr Hustinx said brought home to us, as it should do, that what the US and the EU can agree to do between each other has a capacity to become a regulatory gold standard for the rest of the world. That has certainly been the case in a whole number of fields, which is why TTIP is so important. It is quite likely that if a successful TTIP were concluded, a lot of other parts of the world would want to have the same sort of arrangements. So you are quite right—there is a lot riding on it.

The third thing that Mr Hustinx brought home to us related to a question from Lord Judd in particular. Of course, the defects of Safe Harbour have been demonstrated—there are weaknesses and so on—but we have to remember that in the last 15 or 20 years there has been a huge increase in personal freedom to do a whole lot of things that technologically were completely impossible to do until 20 years ago. There has been a great increase in the freedom of individuals to communicate with each other, to buy things and sell things and to do all these things. We are not perhaps all that good at regulating that yet, but we should not forget that there has been that increase, so it is not all bad news; there has been some good news, too.

Anyway, thank you very much for coming along and helping us this morning with our enhanced scrutiny. It has been valuable. If you could let us have information on the point that we asked about—increased availability on your website of clear, precise indications of how one makes a complaint—that would be useful. We will follow up with you and the Ministry of Justice people, who are coming to see us next week, the issue of a read-out on the Article 29 meeting and a possible agreement at that meeting on the way ahead. Thank you very much indeed.

Information Commissioner’s Office—Written Evidence

1. The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOIA), together with associated legislation such as the Environmental Information Regulations (EIR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

2. The Information Commissioner is independent from government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals and taking appropriate action where the law is broken.

3. The Information Commissioner welcomes the Committee’s Inquiry and the opportunity to submit evidence. The Commissioner’s interest in the Safe Harbor stems from the important role that the Safe Harbor plays in ensuring “adequate” data protection for personal data transferred from the UK and other EU member states to the US. The Snowden revelations have led to the Safe Harbor becoming a focus of attention but the Information Commissioner and other data protection supervisory authorities have had concerns about its operation for some time.

4. There are eight data protection principles in the DPA with which data controllers are required to comply. Except to the extent that a data controller is able to claim an exemption from any of the principles, they will apply to all personal data processed by a data controller.

Under the eighth principle of the Data Protection Act 1998:- “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

The eighth principle is derived from a requirement in the European Communities Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data (the Directive). Article 25(1) of the Directive, requires that:

“The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if …the third country in question ensures an adequate level of protection.”

This evidence is concerned only with the eighth principle, but it should be remembered that data controllers transferring personal data are required to comply with the principles and the DPA as a whole.

5. Under the Information Commissioner’s approach to transfers of personal data outside the EEA, the data controller should consider the following steps:-

• whether there will be a transfer of personal data to a third country.
• whether the third country and the circumstances surrounding the transfer ensure that an adequate level of protection will be given to that data (for example by a Community finding of adequacy including the Safe Harbor).
• whether the parties have, or can put into place, adequate safeguards to protect that data (for instance, by entering into model clauses or establishing binding corporate rules).
• if any of the other derogations to the eighth principle specified in the DPA apply (such as the consent of the data subject to the transfer).

6. Once the data controller has established that there is a transfer of personal data to a third country, the data controller must then consider whether that third country ensures an adequate level of protection for the personal data taking into account all the circumstances of the transfer (‘adequacy’). This may be based on a Community finding of adequacy under Article 25(6) of the Directive (and Schedule 1, Part II, Para 15 of the Act) which requires that, where the European Commission (the Commission) has made a finding that a third country does, or does not, ensure adequacy, any question as to whether there is adequacy will be determined in accordance with that finding. The Commission has made positive findings of adequacy in relation to a number of countries.

7. In 2000, in addition to the findings about specific countries and after consulting the Article 29 Working Party of national data protection authorities, the Commission also issued a Decision recognising the Safe Harbor as providing adequate protection for the transfer of personal data under the terms of the Directive in relation to specific transfers to the United States of America.

8. The Safe Harbor scheme consists of a set of principles (“the principles”) (which are similar to the data protection principles found in the DPA) and frequently asked questions relating to transfers to US entities. It is not available to companies in all sectors, e.g. telecommunications companies and financial institutions are not covered by the regime. Any US company wishing to participate in the Safe Harbor must identify in its publicly available privacy policy that it is a party to the Safe Harbor and that it does in practice comply with the Principles. In addition it must also self-certify by declaring to the US Department of Commerce that it is in compliance with the Principles and this self-certification should be resubmitted every year. Enforcement of the scheme is by the US Dept. of Commerce and the Federal Trade Commission.

9. The Safe Harbor relies on the self-certification by the organisations which voluntarily sign up to the commitments in the scheme. This heavy reliance on self-certification is one of the concerns that many have had about the effectiveness of the Safe Harbor. These were raised by the Article 29 Working Party in the original discussions with the Commission prior to the Decision in 2000. The final element of the scheme is the enforcement of those commitments by public authorities in both the USA and Europe to ensure that individuals have a remedy where the protection of their personal data may be affected by a breach of the Safe Harbor Principles. This enforcement and redress may be through the US Federal Trade Commission or through the EU Data Protection Panel which was created to deal with complaints about the Safe Harbor. Representatives of a number of the European Data Protection Supervisory Authorities sit on this Panel which investigates complaints by individuals against those companies which have chosen this option for dispute resolution. The Information Commissioner is one of the authorities represented on the Panel.

10. The Safe Harbor has been under review for some time in part because the decade since it was introduced has seen the development of the digital economy with the consequent huge increases in the amount, value and importance of international dataflows. The revelations by Edward Snowden have, however, focussed specific attention on international transfers and in particular the Safe Harbor. To a certain extent the Snowden revelations are not strictly relevant to the Safe Harbor as it would not be possible to make data transfers for intelligence purposes under the scheme as it is open only to non-governmental US bodies in specific sectors. It has, however, raised public awareness of the issue of data being accessed by US intelligence agencies after it has been lawfully transferred to the USA under the Safe Harbor and therefore whether the scheme offers sufficient protections to the rights and freedoms of the data subject in relation to that transferred personal data. It should be noted that any method of international transfers provides lawful derogations in relation to law enforcement and national security provided access is exercised only where it is strictly necessary and proportionate. Similar questions over access for those purposes may also arise in relation to data transfers under Standard Contractual Clauses or Binding Corporate Rules for example which also have such derogations.

11. The two Communications from the Commission in November 2013 present a comprehensive examination of the Safe Harbor scheme and have identified a number of recommendations. The Information Commissioner considers that these represent a useful examination of the workings of the scheme and an effective way forward for its improvement. Of particular importance is the emphasis on improving the transparency elements of the Safe Harbor and also the redress offered to data subjects.

12. It is important that data subjects should be able to access appropriate redress for any breaches of the Safe Harbor scheme. It appears that there have only been a limited number of complaints about the scheme to the US regulators which has given rise to the belief that the redress and enforcement provisions are insufficient. The Commission has suggested improvements to the enforcement and redress offered to data subjects and the Information Commissioner would be keen to increase public awareness of the data subjects’ rights under the Safe Harbor. This could be achieved in part by a better explanation of the scheme as important elements are included only in the Frequently Asked Questions rather than in the Principles themselves and may therefore be perceived as lacking the same weight as the Principles. There have only been a limited number of complaints to the Data Protection Authorities and this may be due to lack of awareness which could be improved by those involved in the Safe Harbor scheme.

13. Some methods of providing for adequate protection for personal data when transferred overseas rely on purely legal solutions, for example, Standard Contractual Clauses or specific contractual agreements put in place by the data controller. Other methods such as self-certification (e.g. the Safe Harbor) or Binding Corporate Rules are based on effective implementation of data protection principles within the working practices of an organisation. These offer the advantage that compliance is embedded in the day to day work of the organisation and it is the organisation that is taking responsibility for meeting its data protection obligations in the most appropriate manner for that organisation. If it works well this method potentially offers the best approach because rather than simply being a legal solution, it is making data protection ‘live’ within the organisation and is a manifestation of the principle of accountability as developed in the draft EU data protection regulation.

14. Its effectiveness does however rely on there being a sufficiently robust method of assessing whether the organisation is truly compliant with its obligations. This need has been recognised in the development of the idea of privacy seals, certification mechanisms and trust marks, both in the draft regulation and in current work by the Information Commissioner. These methods already exist in practice, for example, in the use of third party assessors and auditors. Consideration could be given to providing a stronger role for such bodies in the self-certification process by independently assessing an organisation’s compliance with the required elements of the Safe Harbor.

15. Given the huge amount of personal data being transferred to the USA and the limited number of complaints received to date, suspending the Safe Harbor may not necessarily be the best short term solution. There is though no doubt about the need for improvement if the Safe Harbor is to truly provide “adequate” protection for personal data transferred from the EU to the US. This need for improvement is not simply a result of the Snowden revelations which give rise to concerns about the “adequacy” of a wide range of international transfers that are not confined either to the Safe Harbor or to the US. The Information Commissioner’s reservations in common with those of the other EU data protection authorities are long standing. Addressing these effectively is the Information Commissioner’s preferred way forward and implementing the recommendations in the European Commission’s Communications would go a long way toward this.

10 April 2014

Information Commissioner’s Office and European Data Protection Supervisor—Oral evidence (QQ21-32)

Submission to be found under European Data Protection Supervisor and Information Commissioner’s Office.

Information Commissioner’s Office—Supplementary Written Evidence

1. The Information Commissioner is grateful to have been given the opportunity for David Smith, Deputy Commissioner and Director of Data Protection, to appear before the Committee in April and also to submit supplementary evidence arising from points raised during that evidence session. These points include updating on the actions of the Article 29 Working Party regarding the European Commission Recommendations in November 2013, enforcement of the Safe Harbor Principles, and the Information Commissioner’s approach.

2. As mentioned in Mr Smith’s evidence, the Article 29 Working Party has now sent a letter to Vice President Reding setting out a number of additional elements that it believes need to be improved in the Safe Harbor Decision. The Working Party hopes that these additional recommendations will assist the European Commission in its ongoing negotiations with the US to ensure the efficient protection of EU data subjects whose personal data are transferred under the Safe Harbor framework. A copy of this letter can be found at this link: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140410_wp29_to_ec_on_sh_recommendations.pdf.

3. The Safe Harbor Privacy Principle relating to Enforcement contains a number of different elements relating to dispute resolution and enforcement. It states that “effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organisation when the Principles are not followed”. These mechanisms must include readily available and affordable independent recourse for the investigation and resolution of an individual’s complaint, with damages if appropriate, follow up procedures for verifying the actions of the business and obligations to remedy problems arising out of failure to comply with the Safe Harbor Principles.

4. Organisations can satisfy the different elements of the Enforcement Principle in a number of ways as set out in FAQ 11 of the Commission Decision of 26 July 2000 (‘the Safe Harbor’ Decision). These include (but are not limited to) compliance with private sector developed privacy programmes, compliance with legal or regulatory supervisory authorities that provide for the handling of individual complaints and dispute resolution or through a commitment to cooperate with the EU data protection authorities in the EU Data Protection Panel. The organisation must choose to comply with one of these recourse methods, but where the personal data concerned was collected in the context of the employment relationship i.e. HR data, the organisation must cooperate with the Panel as the only competent body for such complaints.

5. The Panel is the body competent to investigate and resolve complaints by individuals against US organisations which are members of the Safe Harbor scheme for failure to comply with its Principles. It is made up of a number of EU data protection authorities including France, Germany, Finland, Ireland, the Netherlands and the United Kingdom. Where appropriate, complaints made to the Panel may be referred to the relevant data protection authority. Further information about the Panel can be found at this link: http://ec.europa.eu/justice/policies/privacy/docs/adequacy/information_safe_harbour_en.pdf

6. As is common practice in most dispute resolution processes, individuals with complaints or concerns about the handling of their personal data under the Safe Harbor scheme are urged to raise them with the member organisation in the first instance. If the individual does not receive a timely or satisfactory response, the complaint can then be raised in accordance with the relevant dispute resolution process (including reference to the EU Data Protection Panel). Any refusal or failure to comply with the finding or recommendations of this resolution body could be referred to the US Federal Trade Commission, which is responsible for enforcement of the Safe Harbor scheme.

7. The content on the Information Commissioner’s website in relation to Safe Harbor has been reviewed and the Commissioner considers that further information about the enforcement and complaints handling process under Safe Harbor could usefully be provided to data subjects. ICO staff are working on this and expect to be making further information available in the near future. In line with the comment by the Commission in its Communication on the Functioning of the Safe Harbor on 27 November 2013, the Information Commissioner will take the opportunity to work with fellow data protection authorities to raise public awareness of the existence of the EU Data Protection Panel.

8. The Information Commissioner will consider any complaints made about failures to comply with the Safe Harbor scheme which are appropriately and properly made or referred to his office. Where, in the context of cloud computing, the complaint relates to the disclosure of personal data that has been made properly and lawfully in response to a request from a foreign law enforcement agency, the Commissioner has set out the position at paragraphs 88-89 in his guidance (at this link: http://ico.org.uk/for_organisations/data_protection/topic_guides/online/cloud_computing). This guidance was published in October 2012 and does not take account of the recent revelations by Mr Snowden. The Commissioner reviews all of his guidance from time to time. He is planning to undertake a review of this cloud computing guidance and may make changes. It should, however, be stressed that the views currently expressed in the guidance include reservations and do not rule out action being taken by the Commissioner in relation to a complaint if it is appropriate in the circumstances of the individual case.

9. The Information Commissioner remains of the view previously expressed that the issues raised over access to personal data by foreign law enforcement bodies need to be dealt with on an inter-governmental basis and he awaits the outcome of such inter-governmental discussions. With regard to Safe Harbor, implementing the recommendations made in the Commission’s Communications would, in his view, have a significant effect on the effectiveness of and confidence in the Safe Harbor scheme.

06 May 2014

Phil Lee, Caspar Bowden and Professor Charles Raab—Oral Evidence (QQ1-11)

Submission to be found under Caspar Bowden, Phil Lee and Professor Charles Raab.

Professor Charles Raab, Caspar Bowden and Phil Lee—Oral Evidence (QQ1-11)

Submission to be found under Caspar Bowden, Phil Lee and Professor Charles Raab.

UK Government—Oral evidence (QQ33-46)

Evidence Session No. 4 Heard in Public Questions 33 - 46

Members present

Lord Hannay of Chiswick (Chairman) Viscount Bridgeman Lord Judd Lord Morris of Handsworth Baroness Prashar Lord Sharkey Earl of Stair Lord Wasserman ______

Examination of Witnesses

Rt Hon Simon Hughes MP, Minister of State for Justice and Civil Liberties, Ministry of Justice; Simon James, Deputy Director, Information Rights and Devolution, Ministry of Justice; and Tim Jewell, Deputy Director, Information and Human Rights Legal Directorate, Ministry of Justice

Q40 The Chairman: Thank you very much, Minister, for coming along this morning.

Perhaps if I may, just by word of explanation, point out that this work that we are doing on the Commission’s communication on Safe Harbour is not an inquiry in the full sense of a House of Lords inquiry. We are not going to produce a weighty report with lots of recommendations and so on. It is something that we have that is between normal scrutiny and a full report and is called enhanced scrutiny, in which we take evidence from a number of people. We have already taken evidence on Safe Harbour from a number of private sector experts and various parts of the European institutions, namely the ombudsman-type official Mr Hustinx, plus the director in the Commission who is responsible for this area and the Deputy Information Commissioner in this country. They gave us evidence last week.

Quite a lot of written evidence has been put in.

Q41 We plan—always a dangerous word to use—to write to you and the Lord Chancellor about this after our next meeting, the first meeting after the Recess on 6 May. That will be a longer letter than we would send in the course of normal scrutiny but it will not be, as I say, a full thematic report about this area. I begin to think as time passes that the complexity and the wider implications of everything to do with data protection within the EU are going to mean that we may well end up writing a full report at some stage, but that will be for the successor Committee appointed in the next Session, which will not be chaired by me and which will have a different membership than the present one.

Q42 That is a lengthy introduction to say that, as I am sure you know, this is a normal evidence session in that the session is public, it is being broadcast, a transcript is being taken, and a copy of the transcript will be sent to you to give you an opportunity to make minor corrections to it. It will have been published in an uncorrected form first.

Q43 It would be very helpful to us if we could start by you introducing yourself and your officials. If you wish to make an opening statement that will be fine, but if you want to go straight into questions that will be equally acceptable to the Committee. It is up to you. As I said to you, we would like to include right at the beginning a supplementary question about the European Court of Justice ruling that was published yesterday and which is reported in the press today, at least for an initial response. We will come on to that when we get on to questions. Would you like to introduce yourselves and say whether you would like to make a statement or not, and then we will go on?

Simon Hughes: Chairman, first, thank you very much for the invitation to appear before you and your colleagues, which I value very much. It is a pleasure and privilege to do so. My name is Simon Hughes, Member of Parliament. I am the Minister of State for Justice and Civil Liberties in the Ministry of Justice and I am responsible for these areas of policy on a day-to-day basis at the department. I have with me Simon James, who looks after policy matters in this area with us and for us in the department, and Tim Jewell, who is our lawyer responsible for these things. Where I am stuck by your questions, I will ask them to unstick me.

What I would like to do, if that is acceptable, is make a very short opening statement and then just a comment on the judgment yesterday, to which you referred, Chairman, which is obviously linked, although not directly, to the subject of your inquiry.

On behalf of the Government, I very much welcome the opportunity to respond to your inquiry on the Commission’s communication on Safe Harbour and on European Union-US data flows. As I have considered these issues again and in depth before coming to address you and answer your questions, the importance of this issue becomes more and more apparent just in the normal transactional business between the European Union member states and the US. It is a huge area of activity that we need to make sure we give proper attention to. I am also very clear, as the Minister responsible for data protection and civil liberties, that there is always a balance to be struck in these issues. There is openness, transparency, freedom of information issues, and there is a data protection, privacy, civil liberties set of issues, and we have to get the balance right as a country and as a European Union.

The public clearly need to be confident that their personal information is protected in any exchanges from this side of the Atlantic to the other, but they want to benefit from the services and the trade and the commerce that happen between Europe and America both financially—cheaper purchases—and through wider choice and greater potential. We welcome, in general terms, the communication that the European Commission has published. We believe that the Commission and the US want a positive outcome to their current negotiations, which we hope will be concluded sooner rather than later, and we are supporting the achievement of that objective.

On the communication, I am sure your Committee has registered that the Safe Harbour agreement came into effect in 2000. This is the first time the Commission has looked at this issue since 2004, although there was one other report in 2008.3 The fact that they have come back to this is welcome. We think that it is an objective review and it points out some reasonable areas for improvement. The basic theme underlying the communication is that we should preserve what is good and improve things that are not working as well as they should be.

The Government generally support the recommendations. I can amplify on that as you wish.

Specifically, because we believe that we need to improve its functioning, more transparency, better access to redress and enforcement are clearly matters that exercise people and are rightly addressed in the Commission’s document. There is a big issue, which you have addressed in your other evidence sessions, I notice, to do with the national security set of questions that have come to the fore in this country and in North America and Europe recently. As a Government, we will look at recommendations on that subject, but we are very clear that these are not matters of EU competence. You have had exchanges with other people who you have had before you on that subject. Whichever document you look at, it is very clear that national security matters are outwith these arrangements and are not intended to be encompassed by them.

In terms of improving data flows, it is for the US to set out the reforms that it may internally introduce following discussions with the EU. Obviously, any proposals which the US put before us we would, as a Government, respond to and comment on and feed into the Commission.

A conclusion of the Government’s consideration of this issue and my very strong view—and I have come to have a very strong view about it—is that Safe Harbour should be improved but absolutely not suspended. I know that the European Parliament has called for its suspension. I read the exchange you had with colleagues. It seems to me that the report is not robustly evidenced and therefore that its argumentation does not stand up to very heavy scrutiny. The arguments for continuation are much stronger, in my view, than that. We want to hold on to the good, make it better and collaborate with the process to do that.

3 Note from witness after the evidence session: The 2008 report is an independent report from the Galexia Consultancy firm.

I will, if I may, conclude my statement there and add just a word or two about the judgment that you asked me about. The judgment was given or reported only yesterday. We are considering and will consider the judgment and its implications carefully. We are very clear that the retention of communications data, which of course are not governed by the Safe Harbour agreement—they are expressly excluded as a sector—is absolutely fundamental to making sure law enforcement and intelligence agencies have the powers they need to investigate crime, protect the public and ensure national security. We will look urgently at any steps that we may need to take as a Government to make sure that communications data can be retained and that our law enforcement agencies are able to acquire them when they are needed.

I would add a personal but relevant political consideration. As you know, I am Member of Parliament for over the river in Southwark. The investigation into the murder of Damilola Taylor was brought to a successful conclusion only by the ability to retrieve communications data held on phone calls made by people who in the end were arrested, charged and brought to trial. The public, I am sure, expect the law enforcement agencies to be able to do that. Of course, they expect it not to be abused, so we will look at the judgment carefully and in due course no doubt come to a formal decision as to whether we think the law needs to be changed in this country.

Q44 The Chairman: Thank you for that introductory statement, which is helpful and useful. I think you have really answered the question I was going to ask you about the Safe Harbour agreement being suspended as the European Parliament has recommended, but nobody else from whom we have taken evidence has supported that, certainly not the Commission, nor the ombudsman, neither of whom thought that was the right way to proceed. I notice that you do not, and nor did the Information Commissioner, so it is very helpfully clear on that point.

Q45 I will take up one point in what you said, which I think is going to be quite difficult to handle in this whole area, and that is what you said about the national powers in the security field, which nobody, I think, contests. Everyone would agree that this is a national competence, remains so and is not going to change, but we have come across a problem in our inquiries. You spoke about the balance between freedom of information, the freedom to use all these new possibilities of communication, and the need for privacy to be protected. I am sure that is right—a balance does have to be struck there—but there is a second balance, which is the balance between national security considerations and the privacy ones.

That is quite obviously another balance that has to be struck. It just seems to me, and perhaps you could respond to this, a little difficult to see how one can strike that balance in the new European legislation, and indeed in the handling of Safe Harbour, if one side of the balance cannot be discussed. I wonder whether the purely legal point of view—and nobody contests that this is national competence—is a sufficient answer to how you achieve in going forward the balance between the three elements that I think we have all identified, and you have identified, too, if you cannot discuss one of them.

Simon Hughes: Chairman, I understand that argument and that question. Can I add one other amplifying point and then try to deal with it directly? It is not just in the context of data protection agreements between the US and the EU in this document; it is in the context of all similar or parallel agreements, whether data protection directives, European Union treaties or whatever, that a reservation is specifically placed into the documents that is to do with national security. That is because, not surprisingly, the UK reserves to itself the right to deal with national security matters in its own way.

The answer to your question is that, bluntly, there have to be separate discussions and negotiations to see whether agreement could be arrived at at all on those issues, but they must not be confused with this. Clearly what has happened, it seems to me, is that the European Parliament has taken the general concerns, following the revelations last year that we all know about, and imported them into this debate, which is about how to facilitate business transactions, when they ought to be in another debate. The reason why it is important to keep the debates separate is that when people are having their day-to-day business transactions—we are in the middle of negotiations, as you know, between the EU and the US on the big free trade agreement deal—obviously that has a set of rules that will be put in place. We have looked at some of them, and there may need to be better publicity about them, the enforcement mechanism could be toughened up and so on.

What right the citizen has to prevent government interfering with that and taking data and finding information is a debate between citizen and state and this country. The accountability of the Intelligence and Security Committee in this Parliament has recently been beefed up.

We have changed the legislation. We have made it more accountable. It has the oversight—on our behalf as a country—of the Executive on those issues, and that is where people should come forward with proposals if there is a suggestion that we need to change that. If there was a view that the current broadly understood but not specifically defined definition of national security needed to be changed, it is really for them to put that view to Government and it is then for all the Select Committees of Parliament and the Executive to consider that.

They are very separate debates and I think the public understand that there is a national security overlay. If it has not been working then it needs to be addressed, but it is not something to be addressed in the subject of bilateral negotiations on trade and specific agreements about information transfer.

Q46 The Chairman: As you have probably seen from the records we have been sending you, I have not been backward in suggesting to the European Parliament that it was not very well placed to factor in this issue because it was not exercising the responsibilities that national Governments had to exercise to protect their own citizens. I expressed that in a debate in Brussels with all the chairs of the Home Affairs Committees and Claude Moraes, the author of the European Parliament view on this, and I had a little disagreement on that, as I did with the director and the Commission, who took a somewhat different view. There is total acceptance, I think, in this Committee that these national security issues remain the responsibility of the 28 member states.

I have to say, however, that I think the idea that you can keep the whole discussion completely separate, when you have a Commission that clearly takes a different view, a European Parliament that takes a different view, and a European Court of Justice that seems to take a different view, is going to be somewhat of an uphill struggle. I am not sure—and perhaps we could round off this exchange, unless other Members of the Committee wish to come in on it—that the straightforward legal point about it being separate is going to be an entirely sufficient argument for saying that it cannot be discussed when trying to achieve a balance between the national security imperatives and the freedoms. I think it is quite difficult to see that.

Simon Hughes: I will respond to that and then if Tim Jewell wants to add anything on the legal position I am very happy for him to do that. Of course, I understand absolutely that when the European Parliament is considering a process like this, a communication from the Commission, it would understandably say, “How does national security impact on this? What is the relationship to this exercise that we are going on, which is to do with thousands of companies in the States that have a safe route in and out for data transfer? What is the impact?”. We are talking about some big corporate players with lots of information that could be of considerable interest to national security agencies. That is obvious, so they are perfectly proper to ask the question. I have no problem with that. What HMG want to make clear, and we are very clear about, is that this is not the place to resolve those questions.

They impact on this activity, of course, they impact on citizens’ rights and corporate rights, but the engagement has to be with the Administrations both in the States and in the EU. It is not for me, obviously, to speak on behalf of the Government of the United States, but I observe, as anybody in the Committee has, that the President of the United States has made comments and statements about his intention to review the processes and the workings of the Administration in relation to surveillance and national security, so the US Administration is seized of this question.

The member states have their own competence in this country. This has gone on the agenda of the Government of Germany and the Chancellor of Germany has made her views clear. It is on the agenda here, and although the Prime Minister always says—all Prime Ministers have always said—that we do not discuss national security, it is discussed in an accountable way at the Intelligence and Security Committee and in government, so it is not off the agenda. We quite understand that we need not to run away from the issue, but it is not an issue where there is competence in any way in any part of the negotiations that the EU takes on our behalf. Tim, is there anything you want to add on the legal position?

Tim Jewell: Just to build on that foundation, there are a number of different strands to national security, and, as the Committee will be aware, those strands are identified in the data protection directive itself. They include national security, so labelled, but they also include defence and public security. Of course, part of the complexity to which you refer, Lord Chairman, is that there are different tailored responses on each of these issues across the whole of the data protection landscape, for example the current data protection framework decision that relates to how data protection requirements can be imposed upon law enforcement activities to the extent that they are within the scope of EU law. That is reflected, too, in the current negotiations on the new data protection directive that would replace the data protection framework decision. There are, sadly, more elaborate debates going on in different strands of that public security space, for want of a better word.

You referred to the European Court of Justice. The European Court of Justice has considered national security questions, of course, in the context of how far EU rules can go.

In a sense, that is less a matter of not including national security in the conversation as a matter of drawing a line around it so far as EU competence is concerned. I am not sure we would necessarily agree that the Court of Justice disagrees with our assessment of the limits of EU competence. Plainly, there is a boundary to be drawn and that is going to be at the heart of the continuing negotiations on these proposals as well as across the rest of the other international agreements and domestic agreements in data protection.

Simon Hughes: Lord Chairman, for the record, because I am not sure it has been put on the record, can I give you four sentences with the chapter and verse just so that the record is clear? In the current EU rules it is Article 3(2) that says that the data protection directive “shall not apply to the processing of personal data: in the course of an activity which falls outside the scope of Community law”. The framework decision that Mr Jewell just referred to expressly states that, “It is without prejudice to essential national security interests and specific intelligence activities in the field of national security”. That is Article 1(4). The EU rules under negotiation say that, “The draft of the regulations does not apply to processing of personal data in the course of an activity that falls outside the scope of Union law”. That is Article 2(2)(a). The last one is the current draft of the directive, which is going through its negotiation process and may come before you or other Committees, is worded in the same way. Article 2(3)(a) says, “The directive does not apply to processing in the course of activity that falls outside the scope of Union law”. There is very clear and explicit exclusion, Lord Chairman, for reasons that I am sure the Committee understands.

The Chairman: Yes, thank you very much. Both you and your colleague have helped the Committee a great deal by going over that ground. I think it was useful. We are familiar with the special arguments that relate to Europol because we have come up against them in the discussion of the new directive on Europol. I have heard the Director of Europol, Rob Wainwright, explaining to national parliaments and the European Parliament why you cannot apply exactly the same data protection rules to an organisation like Europol. Providing transparency to criminals is not probably the cleverest way you can think of proceeding. We are familiar with that and your answers have been helpful and have clarified what is going to be a very tricky—dare I call it—balancing act in the discussions that are going to take place. I think we must move on now, and perhaps I could ask Lord Stair to go on to the next question.

Q47 Earl of Stair: Minister, broadly speaking, the consensus seems to be that the Safe Harbour agreement has been a good thing to set up. We have discussed the security issues at some length already this morning, but what do you see as the key strengths, and equally the key weaknesses, to the Safe Harbour agreement as it stands at the moment?

Simon Hughes: It is not a perfect document but there are a lot of strengths and I do not think we should underestimate them. First, it is a well tried and tested framework by which the flow of data can be facilitated, which is very important to our economy. A lot of business is covered. It is relatively convenient for companies. It helps to bridge the gap. The US does not have the same type of legislation or regulation, so it gives an extraterritorial protection to dealings with the US and the 11 other places in the world where we have a similar status of approved activity. It has effectively allowed us to determine the principles of data protection in the US in the areas that are covered—obviously not communications data or financial transactions but others. It is convenient. People know the score. It is the same set of arrangements that you would have in the UK. It is one of the few places in the world where an adequacy protection is in place. There are only 11. Half of them are quite small territories and there are some other big players. If you really want to know which I can give you the list, but I will not at the moment unless you push me.

The Chairman: It would be helpful if you could send us that list. It would be helpful to have that.

Simon Hughes: I will send it to you. Its existence means that open data flows are recognised as happening and being a good thing, so it validates the idea that it is good for business and necessary for business that data are exchanged. There is also an enforcement process attached to it, and it is an enforcement process that has been used and in quite a significant way; some very big players in the States have been the subject of the enforcement process.

Myspace, Facebook, Google and so on have been the subject of action with significant financial penalties, and in all those three cases I think to a 20-year auditing process to make sure they behave in the future, on a two-yearly basis. We see those as being the advantages.

The alternatives are that the companies would have to do this contractually. First, it is expensive. Secondly, it would take a relatively long time to do. Rather than buying into a system that exists, you have to make your own4 and you have to spend your own corporate resources doing that. Some smaller companies might not be able to do it and might not have the capacity to do it. Arguably, business might move to the disadvantage of the UK. There are quite a lot of UK businesses and people employed in the States. If this access route was not open, the businesses might either relocate here or not exist at all, or we might lose the benefit of people from the UK working in those businesses. There are, in my view, significant strengths to having the agreement.

4 Note from witness after the evidence session: It is not obligatory for a company to draft their own bespoke contract in order to ensure adequate protection of data transferred to third countries. Instead, a controller can rely on standard contractual clauses approved by the Commission. This is a more time-consuming option than transferring on the basis of a company’s participation in Safe Harbour.

Of course, the Commission has pointed out things that need to be improved. I have indicated that the Government are minded to follow those things, certainly those at the beginning of the list such as: publicising the system much better; making sure that you can check very easily whether the company in question is governed by this system so that you do not have to go hunting for it—you have a sort of imprimatur that this is a company; and making sure that the national websites give this information. There are practical things that can be done, but we believe that on balance it has significant strengths.

The Chairman: I think we covered that point a little in the testimony the Deputy Information Commissioner gave us last week. He undertook, I think, that the Commission will publicise in a much clearer way and with rather more use of plain English than previously how somebody who wishes to complain about or to raise a problem about Safe Harbour can do so. I take it from your evidence just now that you would support them doing that.

Simon Hughes: Absolutely, my Lord Chairman. They are accountable to us as a department.5 I have had engagement with the commissioner and his deputy. We are absolutely clear, they want to do more, and we will support them in doing more. We6 are the enforcement agency for people in the UK, and the better we can publicise the arrangements here and the redress the better that would be, as you heard in evidence.

The Chairman: That is very helpful. We are hoping, and certainly they held out the possibility, that they will give us the new formulations that they are going to use in time for our letter to Ministers. I think that will be a way of carrying that forward in a very satisfactory way. Let us hope so.

5 Note from witness after the evidence session: The Information Commissioner is appointed by the Queen and reports directly to Parliament and not to Government.

6 Note from witness after the evidence session: The Information Commissioner is the UK’s independent public regulator of the Data Protection Act 1998.

Q48 Viscount Bridgeman: Mr Hughes, how might concerns about the exploitation of the national security exception be addressed—we are back to the issue—particularly in the light of reactions to mass surveillance programmes? Do the recent announcements by the US President, which require Congress to legislate before they can have effect, go far enough to ensure that requests for data provided under the scheme for national security reasons meet the test of necessity? It is worth bearing in mind the Commission communication recommendation that it is important that the national security exception foreseen by the Safe Harbour decision is used only to an extent that is strictly necessary or proportionate.

Simon Hughes: We believe that Safe Harbour itself is an important means of giving protection. As far as it goes, it gives protection for the data from EU citizens, UK citizens included, when sent outside the EU. It is obviously known that those transactions and the people using them are subject to the US authorities, and they have to respect the responsibilities of the US authorities in their own national interest intervening when they regard it in relation to law enforcement as necessary to do so. You referred rightly to the announcements by the US President. It is clearly on the agenda of the President and Congress and they have clearly responded to the concerns expressed. There is nothing at the moment on the bilateral agenda that would go into that space, for the reasons of competence which the Chairman explored with me earlier. We have a strong presumption that the principles should apply. That is the norm, and the only time they should not apply is where it is necessary that they do not apply if the Administration decide that they want to apply the exception.

Of course, we would look at anything that might modify the changes, but we start from the position that this is a national competence that we, too, guard jealously. We would not want to forfeit that, and certainly there is absolutely no wish anywhere in government, nor I think in Parliament, to abdicate those responsibilities to the European Union, to the Commission or to anybody else. We see what their recommendations are. Those are the only recommendations in the list of recommendations where we have significant concern and would not be proposing to follow them. The ones that come earlier in the list are much easier to accommodate and we would expect to be able to respond positively to all those.

Viscount Bridgeman: It is also worth mentioning that the communication puts an onus on the privacy policy of the self-certified companies to include information on the extent to which US law allows public authorities to collect and process data transferred under Safe Harbour. They should be encouraged to include that in their privacy policies when they apply exceptions to the principles to meet national security, public interest or law enforcement requirements.

Simon Hughes: Yes, and the Commission, rightly in our view, asked for the privacy policies to be in clear language, to be easily available—that follows on from Lord Stair’s question—and in such a way that you can both find what they are and which companies they apply to. I will not amplify it for long, but there is one small issue that is slightly complex, which is the application of any privacy conditions to subcontractors, which was also touched on in the Commission’s communication. There ought to be, it seems to us, a clarification that the privacy conditions apply to subcontractors. Lots of people dealing from the UK with American companies will actually be dealing with them and their subcontractors, and people need to know exactly what the rules are for that.

One of the things that was flagged up by the Commission, which we think will be a difference—it is fairly obvious—is that if there has been no membership renewal by a company that has been in the 3,000 or whatever the number is, that ought to appear immediately so that you, a UK citizen, doing business with this company, or you, a small company in Bermondsey doing business with this company, realise that that is the case and are warned. Then, of course, you can address yourself to the federal agency, the Federal Trade Commission or the company itself and say, “Do you realise that you are not covered? Will you put that right? I really cannot do business with you unless I know that the data will be protected”. The privacy matter is very important.

There is one additional point that Mr James would like to make, too, if that is acceptable.

Simon James: If I may, it is just to pick up on the point on privacy policies and to note that the Safe Harbour decision itself provides at Annex I that adherence to the privacy principles may be limited, to the extent necessary, if justified by national security, public interest or law enforcement requirements. If the recommendation to which you referred were to be adopted, the relevant privacy policies may make broad statements, but those statements will then be subject themselves to the general provisions on scope as set out. The privacy policies can only take you so far, I suppose.

Lord Sharkey: Is it not the case that in all these negotiations the US will remain the sole judge of what is proportionate and necessary in accessing data held under Safe Harbour, that that cannot be changed, and that it is implicit in the agreement anyway?

Simon James: That is correct.

The Chairman: My apologies, because I skipped a question inadvertently, although in actual fact the one we have just dealt with did fit rather neatly with the earlier one, so I do not think we have too much problem as a result of that. Lord Morris, I apologise for having overlooked your question.

Q49 Lord Morris of Handsworth: As I listen to your responses, Minister, and indeed to other responses that we have heard, two strands certainly converge, as they always do, on matters of security: the rights of citizens and the responsibility of government and how you strike the right balance there—and it has emerged in your response this morning. Do you think the EU citizens’ redress rights need to be bolstered further than the Commission’s communication proposes?


Simon Hughes: Your Lordship is right that we should see this absolutely first, in our view, through the eyes of the citizen, whether it is a person or a corporate citizen. We have to see it through the eyes of the individuals we are dealing with. The first half of the answer to your question is that the proposals for beefing up redress are good and we support them.

We could probably also beef up and encourage alternative dispute resolution mechanisms in the participating companies. There is also the capacity to refer to a European Union panel that is in existence. It is not hugely used but it is there. It is a backstop. It is a citizens’ tribunal if they want to avail themselves of it.

I believe—if I can say this, having had three months in the department—that the most useful thing, as my Lord Chairman said a minute ago, in a way is what we can do in this country to make people aware of their rights. It is about the Information Commission being clear and telling people where to find the information. It is about pointing people in the right place. It is about having simple language. It is about promoting the product, if you like. One of the things that I think government has a duty to do in an ever more complex world, where people dealing in this sort of issue would probably go online to look for information, is to make sure that it is really easy to find, it is really clear what it means, and it does not have lots of cross-references to websites where the link might be broken. It is very practical stuff that I think makes citizens’ lives and the life of businesses easier. Businesses are not to be bogged down in their transactions. They are trying to do international business. This is a wonderfully improved mechanism if people feel confident that they can exchange data, collect analysis done of the market in the States, look at the sales figures, all those sorts of things. It saves huge amounts of time and can make it hugely beneficial, but it needs to be as easy as possible. The answer is: make it as simple, clear and uncomplicated as possible.

Q50 Lord Morris of Handsworth: What is the ultimate redress for a citizen who feels that he or she has been wrongly done by?


Simon Hughes: Under the current mechanism, there is an EU panel, which I am advised has been rarely used. Normally, if people think a company has failed they will complain to the Federal Trade Commission in the States and it will investigate. It can take punitive proceedings, enforcement proceedings, and it has done so. I have a list of, I think, 16 occasions in the last few years where companies have been found to have been in breach.

You report them; there is a reporting mechanism. There is then a financial sanction that can be imposed. It can be quite significant, I think. I will take advice.

Lord Morris of Handsworth: You think they are adequate and do not need to be bolstered in any further way.

Simon Hughes: I think we could improve the alternative dispute resolution mechanisms to make them easier. We could flag up the EU panel in case people are concerned that things are not working, particularly for those who might deal with several companies. For somebody dealing with a single company, the redress is to complain to the authorities in the States about that company, I would have thought. But if you are dealing with lots of companies and you think there is a systemic problem, it would be better logically to go to the EU panel. I will just ask my colleagues if they think I have missed anything out in terms of what currently people can do to get their rights enforced.

Tim Jewell: All I would add, just at a glance if I may, Minister, is simply that the Commission decision itself provides some other options for ultimate enforcement, albeit at the extreme end. Data flows can be suspended in certain circumstances if the US regulator has identified the sort of systemic abuses to which the Minister has referred, and similarly step in if there have been pretty grave breaches of the agreement. That has not happened. I think it was the Deputy Information Commissioner who referred to the limited number, as I took him to mean, of complaints that have been made here to our data protection authorities, which have a hotline, for want of a better word, to the FTC.

Q51 The Chairman: The evidence we heard from the private sector was to the effect that these procedures existed but that they were very complex, laborious, slow and potentially costly in terms of the time that a company had to devote to putting this forward.

Your response that this could be improved and should be improved is helpful, but I think we need to focus sharply on that aspect of things if the credibility of the whole system is to be strengthened, which it needs to be, having undergone some pretty rude blows as a result of Snowden and all that. It does seem to me highly desirable, therefore, that the collective Governments and the Commission do something to make this whole process simpler, less costly, less time consuming, so that people feel there is a real recourse there and one that is not going to lead them into a kind of maze.

Simon Hughes: Can I add another example to what I said to Lord Morris? If the public also knew that where sanctions were taken they were sanctions with teeth, that the punishment fitted the crime, people would be encouraged. I will give one example of Myspace, a case in 2012. The Federal Trade Commission intervened because there had been an allegation of a breach and it found a breach. It said: “The proposed settlement order bars Myspace from misrepresenting the extent to which it protects the privacy of users’ personal information or the extent to which it belongs to or complies with any privacy, security or other compliance programme, including the US-EU Safe Harbour framework. The order requires that Myspace establish a comprehensive privacy programme designed to protect consumers’ information and to obtain biennial assessments of its privacy programme by independent third party auditors for the next 20 years. The final consent order will carry the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000”—each violation, so if it is a bulk batch of transactions that could be $16,000 per infringement. These are not insignificant penalties.

If that was flagged up so the public knew that there was a remedy, if they thought there was a problem they could go to the Information Commissioner’s office and engage the Federal Trade Commission.

Q52 The Chairman: If my understanding is right, the panel can only consider human resource data complaints. Do you suggest that the panel’s responsibility could perhaps be usefully expanded to other types of business?

Simon Hughes: We have not considered that in detail, I do not think. We could take that away. It is a perfectly reasonable question.

The Chairman: Yes, if you could think a bit about that, that would be helpful, and it may be something we will raise when we write to you.

Simon Hughes: There have only been a handful of referrals so far. We will take that away, certainly, and look at that.

Lord Morris of Handsworth: What people want to see is a change in a practice that they regard as not conducive to their good and changing behaviours. Those who pursue the argument want change in practice and behaviour.

Simon Hughes: Yes. The encouraging thing—and, again, I do not come to this with any prejudice about it having been a wonderful agreement that we would have all been wonderfully proud to have implemented; it was before my time—is that it appears to have worked well. It has provided an easy, safe mechanism for data transfer in lots of sectors, not all of them subject to the national security limits, and it clearly has had significant confidence.

That is the argument. That is the reason, and Lord Morris, particularly with his background, would understand that. Suspending it would be really bad news, in my view. Even talk of suspension is beginning to worry investors. If people think that the company I am contemplating making a contract with on behalf of British workers in Coventry might not be governed by this protection mechanism, I might decide that I am not going to go down that road. If it were to be suspended, suddenly there would be no protection and a lot of companies would not be easily up to negotiating the alternative contractual arrangements. I think it would be bad for workers and work and business and employment.

If eventually we want to negotiate a phase 2 agreement, a Safe Harbour number 2, that is another matter, but the Commission has clearly not been so troubled by it over the years that they have had to look at it regularly. They have only looked at it once before.7 They have now come back with some fairly modest proposals. It has gained publicity, for reasons that you started with, Chairman, because of the national security implications, but ordinary business and trade and commerce has to go on. It would not be helpful either to threaten suspension or, in our view, to implement suspension. Improvement, yes, but let us build on what has been good and that other countries have clearly also thought is worth having.

Uruguay and Argentina are examples of countries with which there is also a similar agreement, and trade is growing with them too.

Q53 Lord Wasserman: Of course, all witnesses have said that it is good for companies, but many of our witnesses said it was not so good for individuals and it is terribly frustrating.

The Minister gave the very good example of Myspace, and so on. That is one example of the FTC acting, but some of our witnesses, you remember, Lord Chairman, said that to get attention for a complaint is terribly frustrating, difficult, boring and all the rest of it.

Occasionally, I have no doubt a complaint gets through. With a good team of lawyers behind you and a fair wind you can get a resolution through the Federal Trade Commission, but on the whole, so we are told, it is very frustrating. Therefore, whereas none of us have thought about suspension and none of the witnesses talked about suspension, there is a real problem that it works for companies but not so well for the individual.

7 Note from witness after the evidence session: The Commission has actually reported twice on Safe Harbour: once in 2002 and again in 2004.

Q54 We have to be concerned with individuals’ rights and concerns. There would be more trade, perhaps, if individuals felt themselves more confident that their data was protected.

There might be even more business between this country and America than there is now because people might occasionally, before they press the send button or the click button or whatever it is, think about whether their data are going to be protected.

Simon Hughes: I absolutely accept that. The Government absolutely accept that, and the EU Data Protection Supervisor enforced that view: greater clarity of principles, better communication of them to citizens so citizens know their rights, more inspections, and so on.

I will take just one example. I am sure that we all, as users of internet services, know that in order to proceed to book your flight or whatever you have to click the “accept terms and conditions” box. I am not going to be disrespectful, but I would be surprised if even Members of your Lordships’ House checked every line of everything they signed up to when they were booking their summer break or whatever it might be. The reality is that we do not do that. What we could do—it is a cross-government issue, it is not just here—is make sure that there were common standard forms of wording where the company, if it wanted to deviate from that, had to flag up the difference so that we knew that the package, for example for a flight booking, was standard. That would help the citizen to know what they were booking. You could read through it all once to make sure that you were happy.

One last thing to encourage my Lord Chairman, Lord Wasserman and colleagues, though, is that this is a self-certification system and therefore not a draconian, imposed regulatory system. It is not a rubber stamp. I do not think you have had the evidence that I was given, but for those who are applying to be in the system, the Department of Commerce has sent back in the last nine months for which we have the figures—January to September last year—56% of applications to get right, as they were not in a fit state to be approved. And 27%—a surprisingly high number, over a quarter—of companies that came for renewal were told that they were not ready for renewal. It is not a rubber-stamping exercise that on behalf of the citizen makes sure that companies comply.

Lord Wasserman: We also heard of companies who claimed to be regulating themselves but, in fact, had forgotten to do so. They start terrific and then they decide—

Simon Hughes: That is why we need a regular oversight and ability to monitor and check more effectively. That is accepted, and the recommendations go down that road.

The Chairman: I think we are probably on a lot of common ground there, but that is a useful clarification.

Q55 Baroness Prashar: That brings us neatly to the question of greater transparency. In your introduction and in your subsequent answers you have touched on this. As you know, the Commission has recommended certain changes for increasing transparency. Do you think they go far enough? Are they sufficient?

Simon Hughes: They are a good start. Taking Lord Morris’s starting point, the citizen would want things to be more transparent and easier. If I can just look at the list, I have referred to some of them: public availability of all the conditions on a website in a very easy-to-find place, and a completely up-to-date link to the full list of companies so you know exactly. I am no computer expert so, like most laypeople, I give up if I do not get where I need to go within a few minutes. I do not have the staying power to try to navigate sites endlessly.

Sometimes that has applied even to parliamentary sites, but that is a separate responsibility.

They are good start questions. Could they and should they go further? I do not think we have put any new and additional proposals into the Commission, as far as I know.

Baroness Prashar: Do you intend to put any further new ideas?

Simon Hughes: I do not think we currently have anything on the table. I am looking to my colleagues to tell me whether there have been discussions that have included anything. Mr James says no, we do not have anything. Lord Chairman, if your Committee has heard evidence of further things that we could submit—obviously it is an EU-wide proposal—we would be absolutely open.

My job, it seems to me, is to make sure that citizens have the best protection for their data, but we have the most open Government and transparent transactions possible. It seems to me that that is a dual responsibility of government. My Lady, if you have suggestions that you and your colleagues want to make and go further in the Commission that add to transparency, we will be very open to that. We do not have any currently on the table.

Q56 Lord Sharkey: Minister, I think that self-regulation works best if people are confident of compliance. In general, compliance is two things. It is the handling of complaints in an appropriate, timely and accessible way and it is also checking on whether the people inside the system are in fact compliant, independent of complaints being received. I do not think we know how many compliance checks have recently been made by the FTC or whether in fact there is a regime in place within the FTC for the routine checking of compliance. My question is: what action do you think should be taken to ensure that both those aspects of compliance are in place? Do you think the Commission’s proposed adjustments to enforcement in fact go far enough?

Simon Hughes: Thank you very much. I have indicated what we understand has happened so far, which is that if there is a false claim, which was referred to by one of your Lordship’s colleagues, that is always investigated. Some of the investigations have resulted in sanctions, and we have the list of those. Fourteen companies had orders issued against them by the Federal Trade Commission on this point earlier this year. It looks, therefore, as if the regulator has been more observant, or interventionist—whichever word you suggest. I do not have, and I do not think I have seen anything, that suggests in detail the frequency of the checking of each of the 3,000 signatory companies. It is a question for them as to how they use their resources and what they think is an effective use of time in monitoring and checking. Of course, you are right: random checks, when the participants do not know the frequency of the checks, are going to be more effective to keep them on their toes to make sure they are behaving, bluntly.

We accept the premise of the follow-up of initial investigations. Making sure that once an initial investigation has happened—I referred to one—that it is then followed up and people are taken to task seems to us to be the right way, but I will see whether we have any specific figures. I have not seen any, but my colleagues might have seen some or exchanged some.

Lord Sharkey: I do think it is quite important to consider the kind of random checking you are talking about, alongside the handling of complaints. In order to generate the kind of consumer confidence you were talking about earlier, people need to know that both things are going on, not just responsiveness to complaint.

Tim Jewell: The Committee may be interested to look at the FTC’s contribution to the Commission’s proposals, in which it sets out its proposed future position on enforcement activity. I imagine the Committee has those comments already, but if not we can send a link to them if that would be helpful. That provides some indication of their enforcement activity from an American point of view.

Q57 Lord Wasserman: The Minister has already mentioned the EU Data Protection Supervisor’s proposals. For the record, could you tell us what your assessment is of his analysis of the problems?

Simon Hughes: Yes. We think his analysis is reasonable. Obviously it is one of their jobs to do that and we are glad that they—

Lord Wasserman: It does not necessarily follow.

Simon Hughes: No, it does not follow, but it is their job and their duty to try to make sure they are looking after data and they are the citizens’ guardian, taking Lord Morris’ concern.

We think the analysis is reasonable. We are clear that we need still better communication of the principles to the citizen and to the corporate world. We do not think that as yet all the work has been done to give the trust that there needs to be.

Interestingly, so far there are 3,000-plus subscribers to the Safe Harbour arrangement. My advice is that only fewer than 50 companies have made their own commercial contractual arrangement8 as an alternative, which is a relatively very small number. That suggests that in this field the preferred option is the Safe Harbour route and signing up to that. That suggests that it generally has a good reputation and is thought on balance to be both beneficial in terms of practicality and not so oppressive or complicated. But the supervisor has a regular responsibility to come back with recommendations, and obviously each time they do that we will look at them. A good proposal so far is more inspections by the Federal Trade Commission—Lord Sharkey’s point earlier—and much better publicity, both in the States and across the EU. That is what we would like to see.

I think the view is that the principles were not clearly designed for access in the intelligence and other fields, and a separate agreement is in place, as you will know, in relation to data communications. Separate agreements are being negotiated at the moment on trade generally, so there are other places that are governed by other forms of agreement. This is not the only place to which somebody seeking to exchange data between Europe and the States would look for their rules and regulations and protection.

Q58 The Chairman: I have one last question about the discussions that are going on between the Commission and the United States Administration that were clearly set out in the 13 points that the Commission communicated to the United States last November. How do you see this process being brought to a conclusion? Is it going to be the basis for a completely new Safe Harbour, what you called Safe Harbour 2—which could well run into problems with the European Parliament, I would have thought, and lead to complications with the wider negotiations with the United States—or will it be brought to a satisfactory conclusion, if it can be, by less formal processes? Do you have any views on that?

8 Note from witness after the evidence session: There are fewer than 50 binding corporate rules (BCRs), not contractual clauses. There are 48 BCRs in existence, with the majority of them approved by the UK’s Information Commissioner’s Office and France’s regulatory body, the CNIL. There are no known statistics for the use of contractual clauses.

Simon Hughes: Yes, I can help you, and I hope briefly. You are right: the European Commission is currently engaged in bilateral discussions with the US Government. The proposal and the timetable that we anticipate are that a proposed new Safe Harbour decision—to answer your explicit question—will be ready by this summer 2014. The process is that the Commission, on our side of the Atlantic, has to present the relevant committee, which is comprised of member states’ representatives, with a draft revised Safe Harbour set of rules. If the committee agrees under qualified majority voting, that is sufficient for adoption. If there is either no agreement or an objection, it gets referred to the Council of the European Union, to a Minister sitting as the Council, who can come up with their own alternative. There is a qualified majority rule in relation to that, too.

The timetable is to get to the end of the road by this summer. Member states will need to be consulted on the final proposals and will be before they are put forward for agreement.

We also understand that the Commission plans to carry out a public consultation, when I hope the sorts of points made by Lords and her Ladyship this morning will be fed in. There will be a public consultation. We will do our bit to make sure it is as well publicised as possible in the UK, and the Information Commissioner will do the same. The European Parliament will also be consulted, although it does not have a formal decision-making role in the process, as you understand, between now and the end of the process.

So in 2014, I do not know whether it will be called Safe Harbour 2 but it will be Safe Harbour 1-plus or beefed-up Safe Harbour or better Safe Harbour. I do not know what it will be called.

The Chairman: It is usually better to say clarified Safe Harbour.

Simon Hughes: Clarified, yes. It is above my pay grade to know what it will be called. But the answer is this year, so the work of your Lordships’ Committee will be appreciated. We will feed that straight back in and we will look at what we can do. We will feed in any ideas, and hopefully we will have a more citizen-friendly, as well as consumer-friendly and business- friendly, operation with more rigorous policing for those who enter into it and then do not abide by the rules.

The Chairman: Thank you very much indeed, and thank you for coming along and helping us pick our way through a fairly complex issue.

Simon Hughes: I did admit, when I was first told you wanted to quiz me on this as my first outing before a Lords Committee, that it was not a subject that I would have chosen for my “Mastermind” or “University Challenge” preferred subject. But with the help of the team behind me I am in a better place, I hope, today than I was—

The Chairman: Your Home Office colleague, Norman Baker, found himself in front of this Committee talking about psychoactive substances only two days after he took over the job.

Simon Hughes: I have probably drawn the better straw, or less dangerous straw, in that case.

The Chairman: Thank you, that is very helpful. As I say, I hope we will be able to convey our views to the Department of Justice early in May. Of course, we will want to be kept informed on how the whole process advances, as part of our responsibilities for scrutinising.

As I said at the beginning, the wider issue of the new data protection regulation and directive is going to be a big issue in the next two years. I am sure we will need to keep in very close touch about that.

Simon Hughes: My Lord Chairman, may I trespass on your indulgence for 30 seconds just on that subject, because we would be grateful for any views. Our view is that we would expect realistically to get there next year on the wider directive, probably not much before, in spite of any best efforts. If your Lordships were able to give it some time in the second half of this year, in good time for that process before its conclusion, that would be very helpful.

The Chairman: That is a very useful and helpful offer that I am quite sure my successor will take up in due course. Thank you very much indeed.