On 27 November 2013, the European Commission presented a package setting out actions to be taken in order to restore trust in data flows between the EU and the US following concerns about revelations of large-scale US intelligence collection programmes, which have had a negative impact on the transatlantic relationship.
The package consisted of a strategy paper in the form of a Communication on transatlantic data flows setting out the challenges and risks following the revelations of US intelligence collection programmes, as well as the steps that need to be taken to address these concerns; an analysis of the functioning of Safe Harbour, which regulates data transfers for commercial purposes between the EU and US; a factual report on the findings of the EU-US Working Group on Data Protection set up in July 2013; a review of the existing agreements on Passenger Name Records (PNR); and a review of the Terrorist Finance Tracking Programme (TFTP) regulating data exchanges in these sectors for law enforcement purposes. The Commission called for swift adoption of the EU's data protection reform; making Safe Harbour safer; strengthening data protection safeguards in the law enforcement area; using the existing Mutual Legal Assistance and Sectoral agreements to obtain data; addressing European concerns in the on-going US reform process; and promoting privacy standards internationally.
3.2.1 Rebuilding Trust in EU-US Data Flows
The Communication sets out six areas in which action is required:
A swift adoption of the EU's data protection reform: the strong legislative framework, as proposed by the European Commission in January 2012, with clear rules that are also enforceable in situations when data is transferred and processed abroad is a necessity now more than ever. The EU institutions should therefore continue working towards the adoption of the EU data protection reform by spring 2014, to make sure that personal data is effectively and comprehensively protected.
Making Safe Harbour safer: as part of the package, the Commission made 13 recommendations to improve the functioning of the Safe Harbour scheme, after an analysis published alongside it found the functioning of the scheme to be deficient in several respects. Remedies should be identified by summer 2014. The Commission will then review the functioning of the scheme based on the implementation of these 13 recommendations.
Strengthening data protection safeguards in the law enforcement area: the current negotiations on an “umbrella agreement” for transfers and processing of data in the context of police and judicial cooperation should be concluded swiftly. An agreement must guarantee a high level of protection for citizens who should benefit from the same rights on both sides of the Atlantic. Notably, EU citizens that are not residents in the U.S. should benefit from judicial redress mechanisms.
Using the existing Mutual Legal Assistance and Sectoral agreements to obtain data: As a general principle, the U.S. administration should commit to making use of a legal framework like mutual legal assistance and sectoral EU-U.S. Agreements such as the Passenger Name Records Agreement and Terrorist Financing Tracking Programme whenever transfers of data are required for law enforcement purposes. Asking the companies directly should only be possible under clearly defined, exceptional, and judicially reviewable situations.
Addressing European concerns in the on-going U.S. reform process: U.S. President Obama has announced a review of U.S. national security authorities’ activities. This process should also benefit EU citizens. The most important changes should be extending the safeguards available to US citizens to EU citizens that are not residents of the US, increased transparency, and
Promoting privacy standards internationally: The US should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (“Convention 108”), as it acceded to the 2001 Convention on Cybercrime.
The Commission also makes clear that standards of data protection will not be part of the on-going negotiations for a Transatlantic Trade and Investment Partnership.
3.2.2 Report on the Findings of the ad hoc EU-US Working Group on Data Protection
This report followed revelations of a number of US surveillance programmes involving the large-scale collection and processing of personal data, including the collection of personal data from US internet and telecommunication service providers and the monitoring of data flows inside and outside the US, with the potential to significantly affect individuals in the EU. Clarifications were requested from the US authorities on a number of aspects, including the scope of the programmes, the volume of data collected, the existence of judicial and administrative oversight mechanisms and their availability to individuals in the EU, as well as the different levels of protection and procedural safeguards that apply to US and EU persons. Subsequently, an ad hoc EU-US Working Group was established to ascertain the facts about US surveillance programmes and their impact on fundamental rights in the EU and on the personal data of EU citizens.
The US provided information regarding the legal basis upon which surveillance programmes were based and carried out, and clarified that the President's authority to collect foreign intelligence outside the US derived directly from his capacity as commander-in-chief, as well as from his competence in foreign policy as provided in the US constitution.
The report concluded that, under US law, a number of legal bases allowed large-scale collection and processing, for foreign intelligence purposes, including counter-terrorism, of personal data that has been transferred to the US or is processed by US companies. The US has confirmed the existence and the main elements of certain aspects of these programmes, under which data collection and processing is done with a basis in US law that lays down specific conditions and safeguards. The number of EU citizens affected by these surveillance programmes and the geographical scope of surveillance programmes is unclear.
There are differences in the safeguards applicable to EU data subjects compared to US data subjects – collecting the data of US persons is generally not authorised. Where authorised, it is considered to be "foreign intelligence" only if it is necessary for that specified purpose. This necessity requirement does not apply to data of EU citizens which is considered to be "foreign intelligence" if it relates to the purposes pursued. This results in lower thresholds being applied for the collection of the personal data of EU citizens.
The targeting and minimisation procedures are aimed at reducing the collection, retention, and dissemination of personal data of, or concerning, US persons, and do not impose specific requirements or restrictions with regard to the collection, processing, or retention of personal data of EU individuals. Oversight of the surveillance programmes aims primarily at protecting US persons. US persons benefit from constitutional protections (respectively, First and Fourth Amendments) that do not apply to EU citizens not residing in the US.
Different levels of data protection safeguards apply to different types of data (meta-data vs. content data) and different stages of data processing (initial acquisition vs. further processing/analysis). The use of other available legal bases, and the existence of other surveillance programmes, is not clear.
Since the relevant orders of the FISC are classified and companies are required to maintain secrecy with regard to the assistance they are required to provide, there are no avenues, judicial or administrative, for either EU or US data subjects to be informed about whether their personal data is being collected or further processed. There are no opportunities for individuals to obtain access to, rectify, or erase data, or any administrative or judicial redress.
There is judicial oversight for activities that involve a capacity to compel information. There is no judicial approval of individual selectors to query the data collected or that which is tasked for collection. There is no judicial oversight of the collection of foreign intelligence outside the US, which is conducted under the sole competence of the Executive Branch.
3.2.3 Communication on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies established in the EU
In 2000, the Commission adopted Decision 520/2000/EC, recognising the Safe Harbour Privacy Principles and Frequently Asked Questions issued by the Department of Commerce of the United States as providing adequate protection for the purposes of transfers of personal data from the EU to the US. The Safe Harbour decision therefore enables the transfer of personal information from the EU to companies in the US which have signed the Privacy Principles, in circumstances in which the transfer might otherwise not meet the EU requirements for an adequate level of protection of personal data. The functioning of the Safe Harbour arrangement relies on the commitments and the self-certification of member companies. Signing these arrangements is voluntary, but the rules are binding for those who sign. The fundamental principles of such an arrangement are transparency of the companies' privacy policies, the incorporation of the Safe Harbour principles in companies' privacy policies, and enforcement, including by public authorities.
Safe Harbour has to be reviewed as a result of the exponential increase in data flows, the rapid growth of the digital economy, and significant developments in data collection, processing and use; the importance of data flows to the transatlantic economy; the increase in the number of companies joining Safe Harbour (eight-fold since 2004), and information recently revealed about US surveillance programmes, raising questions on the level of the protection the Safe Harbour arrangement is deemed to guarantee.
The Communication is based on evidence gathered by the Commission, the work of the EU-US Privacy Contact Group in 2009, a study prepared by an independent contractor in 2008, and information received in the ad hoc EU-U.S. Working Group established following the revelations of US surveillance programmes. It follows the Commission Assessment Reports of 2002 and 2004.
The Communication acknowledges that Safe Harbour has been a vehicle for EU-US flows of personal data, and US companies have hundreds of millions of EU clients, and the volume of transfers is on a scale which was unimaginable at the outset.
Areas requiring attention include the transparency of privacy policies of Safe Harbour members, the effective application of the Privacy Principles by companies in the US, and the effectiveness of enforcement. The large-scale access by intelligence agencies to data transferred to the US via Safe Harbour certified companies also raises questions about the continuance of the data protection rights of Europeans when their data is transferred to the US.
The Commission therefore recommended, as regards transparency, that:
- self-certified companies should publicly disclose their privacy policies;
- privacy policies of self-certified companies’ websites should always include a link to the Department of Commerce Safe Harbour website which lists all the current members of the scheme;
- the Department of Commerce website should clearly indicate all companies which are not current members of the scheme.
In relation to redress, the Commission recommends:
- the privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel;
- ADR should be readily available and affordable;
- the Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of the information they provide concerning the procedures they use and the follow-up they give to complaints.
Regarding enforcement, the Commission recommends that:
- following the certification or re-certification of companies under Safe Harbour, a certain percentage of these companies should be subject to ex officio investigations of effective compliance regarding their privacy policies (going beyond control of compliance with formal requirements);
- whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to a specific follow-up investigation after 1 year;
- in case of doubts about a company's compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority;
- false claims of Safe Harbour adherence should continue to be investigated.
As far as access by US authorities is concerned, the Commission recommends that:
- privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour; and
- the national security exception contemplated by the Safe Harbour Decision be used only to an extent that is strictly necessary or proportionate.
3.2.4 Terrorist Finance Tracking Programme (TFTP) evaluation report
In this report on the value of the data provided by the TFTP to counter terrorism investigations, the Commission concludes that the TFTP has generated significant intelligence that has helped detect terrorist plots and trace their authors. This information has been used to investigate the April 2013 Boston marathon bombings, threats during the London Olympics, and EU-based terrorists training in Syria.
TFTP data provides key insight into the financial support networks of terrorist organisations, helping to identify new methods of terrorist financing and persons involved in the US, the EU and elsewhere. EU Member States and Europol benefit from such information and receive valuable investigative leads. Over the last three years, in response to 158 total requests made by the Member States and the EU, 924 investigative leads were obtained from the TFTP.
Regarding recent allegations of access to financial messaging data in the EU contrary to the TFTP agreement, written reassurances were received that the US Government had not breached the agreement and would continue to fully respect it. As of 2013, it was considered that there was no need for further consultations with the US on the implementation of the TFTP agreement.
Further to requests from the European Parliament and the Council, the Commission also assessed the options for establishing a European Terrorist Finance Tracking System (TFTS), weighing each option in terms of safeguarding fundamental rights, necessity, proportionality and cost effectiveness, as compared to the current situation.
It was concluded that there was no case for establishing such a system in the EU, inter alia because it would be necessary to create and manage a new database containing information about all EU citizens' financial transfers, and the database would raise serious challenges in terms of the data storage, access and protection, and technical and financial efforts.
3.2.5 EU-US Passenger Name Record (PNR) Agreement joint review report
The EU-US PNR agreement on the transfer of air passengers' data for flights from the EU to the US entered into force on 1 July 2012. Following a review by EU and US experts, it was found that the US authorities had been implementing the agreement in accordance with the standards and conditions it contained.
The agreement provides an efficient tool to fight serious transnational crime and terrorism, while setting clear limits on what purposes PNR data may be used for, as well as a series of strong data protection guarantees.
The joint review report also finds that US authorities respect their obligations regarding access rights of passengers, and have a regular oversight mechanism in place to guard against unlawful discrimination. The masking and deletion of sensitive data are respected. The sharing of data with domestic US agencies and with third countries is in line with the Agreement.