Privacy Law and Policy Reporter
The latest news about the discussions between the US and the European Union about meeting the EU Data Protection Directive’s adequacy standard is contained in a joint statement issued at the end of June. The statement is reproduced in full below.
The Safe Harbour proposals and related materials can be found on the US Dept of Commerce Web Site at <http://www.ita.doc.gov/ecom/menu.htm>.
A joint report from the European Commission’s services and the US Department of Commerce on the EU/US Data Protection Dialogue was presented to the EU/US Summit in Bonn on 21 June. The report notes that the two sides plan to finalise the so-called ‘safe harbor’ arrangement during the autumn. This arrangement would provide a predictable framework for the application of the EU Directive on Data Protection to the transfer of personal data from the EU to the US with adequate protection for privacy. The text of the report is reproduced below.
We have made substantial progress in developing an arrangement that would provide a predictable framework for the application of the EU Directive on Data Protection to the transfer of personal data from the European Union to the United States with adequate protection for privacy. Work on the substantive aspects of data protection is particularly well advanced. On the procedural and enforcement aspects, work is also progressing but further work is needed on both sides. We plan to finalise this ‘safe harbor’ arrangement during the autumn.
The basic substantive principles, which are the core of the ‘safe harbor’ arrangement, have been the subject of detailed and intensive examination, and only a limited number of points are still at issue. Similarly, we have identified much common ground on implementation of the principles, which is articulated in the form of ‘frequently asked questions’. Several other ‘frequently asked questions’ remain to be discussed and finalised.
On the EU side, the Member States support in principle the proposed form of the arrangement, which will involve a decision on the basis of Article 25.6 of the EU Directive on Data Protection. The decision will create a presumption of adequate privacy protection for US-based organisations that self-certify their adherence to the principles and frequently asked questions and are subject to the jurisdiction of the US Federal Trade Commission or other body with similar statutory powers.
Several aspects of enforcement and implementation on both sides need to be further examined. The final arrangement will need to ensure effective protection of individual privacy rights while at the same time ensuring a predictable framework and maximum legal certainty for US organizations participating in the safe harbor. Discussions so far show that the final arrangement on the EU side will guarantee due process for US organizations participating in the safe harbor if they are the subject of non-compliance complaints. Those organisations will also be ensured non-discriminatory treatment.
On the US side, clarification will be provided concerning the role of independent complaint resolution mechanisms, especially as regards complaint investigation and sanctions for non-compliance that will be sufficiently meaningful to ensure compliance.
As to the role which the US side would like to see EU data protection
authorities play in the
The final arrangements will ensure that US organisations have time to evaluate whether they wish to participate in the safe harbor and to take measures necessary to comply with the principles and frequently asked questions.
The dialogue has taken place in a positive and constructive atmosphere, created to an important extent by the willingness both at Member State- and EU- level to avoid disrupting data flows to the United States. Continuing to avoid disruptions to data flow is essential for the successful conclusion of the dialogue.
Comment: Despite the optimistic tone of this report, there is no sign of a breakthrough. It is difficult to see how the US scheme will be given effective enforcement mechanisms. And yet without these, it is equally difficult to see how the US proposal can meet with EU approval without a major ‘climb down’ from the EU. The approach of requiring compliance not only on agreed principles but also on ‘frequently asked questions’ also appears somewhat bizarre. Further clarification of the current state of negotiations may be available at the International Data Protection Commissioners Conference in Hong Kong in September — Editor.