Förderverein Informationstechnik und Gesellschaft

Data Protection and the US - latest developments

Substantial progress on arrangements for protection of personal data transferred from the EU to the United States was made at the 28 May meeting in Brussels between John Mogg, European Commission Director General for the Internal Market and Financial Services, and David Aaron, US Under Secretary of Commerce. The objective was to try to resolve outstanding differences in time for the EU/US Summit on 21 June. However, important differences remain on various elements of the package under consideration, which will aim to facilitate the flow of data while ensuring it enjoys "adequate" protection in accordance with the requirements of the EU's Data Protection Directive (95/46/EC). At this stage the two sides do not know if it will be possible to conclude their dialogue in time for the Summit. They agreed to remain in close contact over the coming days, however, and will continue to work to meet the target date of 21 June.

The "safe harbor" arrangement which is under discussion will provide a predictable framework for transfers of personal data from the EU to US companies or organisations which adhere to a set of principles to be issued by the Department of Commerce. On the EU side, the principles would be met by a decision recognising that they represented an "adequate protection" standard, as required by the EU Data Protection Directive for transfers of personal data to third countries. A formal decision under the Directive (Article 25.6) to approve the "safe harbor" principles as providing "adequate protection" would require the support of a qualified majority among the Member States.

To complete the framework, it is necessary to have, in addition to the principles themselves, a clear understanding on how the "safe harbor" would work. The focus of discussions has now shifted to these additional questions, some of which have been resolved (for example, the Department of Commerce will maintain a list of organisations that have signed up to the "safe harbor" principles, so there will be certainty about who is entitled to "safe harbor" benefits) and some have not (for example, how long should US companies have to sign up to the "safe harbor" and implement the principles).

The package as a whole is designed:

to provide guidance to companies and other organisations in the US who want to meet the "adequate protection" standard;

to provide the necessary legal certainty for those adhering to the agreed standard that their data transfers will not be interrupted; and

to create thereby a more predictable and less administratively burdensome framework, ensuring high data protection standards for data transfers to the US.

The key feature of the "safe harbor" approach is that it creates a bridge between the EU's legislative approach to data protection and that of the US, which - while having considerable legal underpinning - relies mainly on self-regulation.

The Commission will consult Member States on the current state of play in the dialogue with the US at meetings scheduled on 10 and 14 June in the framework of the Committee established under Article 31 of the Directive. The issue will also be discussed with the advisory group of Member States' data protection commissioners (Article 29 Committee) on 7 June.

Date: 31 May 1999