Förderverein Informationstechnik und Gesellschaft
US/EU: Data privacy talks near completion
By Deborah Hargreaves in Brussels
US and EU political leaders agreed at a joint summit last week to try to conclude their tortuous negotiations over data privacy by March. The talks are vital for businesses that want to see rules in place to protect the flow of personal data across the Atlantic.
The dispute arose when the EU passed legislation in October 1998 giving consumers the right to have access to personal information held electronically by companies. The EU directive also contained rules on how companies could use that data.
The US has no similar provisions, which theoretically means that EU data protection authorities could stop some information being sent to the US if they felt there was not adequate protection.
Talks with the US on reaching some kind of common solution to the different levels of protection offered to consumers in the EU and US have been going on for 20 months. "A lot of people in business are getting very impatient and want to see this resolved as quickly as possible," said Christiaan van der Valk, of the International Chambers of Commerce in Paris.
Companies are worried that if the dispute is not resolved, it could turn into a full-blown trade dispute and end up going through the World Trade Organisation procedures which would take even longer. "It's going to have to be resolved in the next few months, because patience may be running out and interest in getting this done may be running out," said Barbara Wellbery, counsellor to the US under-secretary for electronic commerce.
The EU and US negotiators are discussing a self-regulatory scheme that US companies would sign up to, thereby committing themselves to a set of data protection principles. "It would give us a framework where now there is uncertainty, it would be good for business because it would simplify things and it would push upwards data protection in the US, but it isn't easy," said a European Commission official involved in the talks.
One of the main stalling points is the way the US so-called "safe harbour" scheme would be policed. "There is a lot of nervousness amongst member states that the first line of enforcement would be private sector bodies in the US with business organisations acting as referees and no compulsory set of rules for such bodies," the Commission official said.
Opinion 7/99 on the Level of Data Protection provided by the "Safe Harbor" Principles as published together with the Frequently Asked Questions (FAQs) and other related documents on 15 and 16 November 1999 by the US Department of Commerce
Adopted on 3 December 1999
The Working Party on the Protection of Individuals with regard to the Processing of Personal Data
Set up by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 [1],
Having regard to Articles 29 and 30 (b) of the Directive,
Having regard to its Rules of Procedure and in particular to Articles 12 and 14 thereof
Has adopted the present Opinion 7/99:
The Working Party reaffirms its general policy on the methodology for assessing the adequacy of data protection in any third country, summarised in its Working Document of 24 July 1998 (WP 12: "Transfers of personal data to third countries: applying Articles 25 and 26 of the EU Data Protection Directive" [2]).
The Working Party has followed closely the Commission's discussions with the US Department of Commerce, attaches importance to them and considers the "Safe Harbor" approach useful. It wishes to contribute to the successful outcome of these discussions and considers that a good result depends on a number of basic concerns being met.
In this context, the Working Party recalls that previous versions of the "Safe Harbor" principles and Frequently Asked Questions (FAQs) have been the subject of the following position papers:
1. Opinion 1/99 of 26 January 1999 (WP 15);
2. Opinion 2/99 of 19 April 1999 (WP 19);
3. Opinion 4/99 of 7 June 1999 (WP 21) and Working Document of 7 September 1999 concerning some of the FAQs (not public);
4. Working Document of 7 July 1999 (WP 23).
This Opinion refers to the latest version of the "Safe Harbor" principles, FAQs and related documents as published on 15 and 16 November 1999 [3]. The Working Party regrets that, on such an important issue, the time left for taking a position was so short. It also notes that none of the documents is considered "final" and therefore reserves its position as regards any further development on the texts.
The Working Party notes that some progress has been made but deplores that most of the comments made in its previous position papers do not seem to be addressed in the latest version of the US documents. The Working Party therefore confirms its general concerns.
With a view to a possible finding of adequacy, and considering the particular impact that such positive finding would have as a reference point for other third countries, the Working Party considers that the "Safe Harbor" should offer legal security not only to the US organisations but also to the EU interested parties (data controllers wishing to transfer data to the US, data subjects whose data would be transferred, data protection authorities). Since its Opinion 1/99, the Working Party has constantly held the view that, in terms of substantive content, "any acceptable set of "Safe Harbor" principles must, as a minimum requirement, include all the principles set out in the OECD Privacy Guidelines" (adopted amongst others by the United States and recently re-endorsed at the OECD Ottawa Conference in October 1998).