Förderverein Informationstechnik und Gesellschaft

EU/US- Data protection dialogue - 14 June meeting

EU/US- Data protection dialogue - 14 June meeting of EU Member States

EU Member State representatives discussed the latest state of the dialogue on data protection between the European Commission and the US Department of Commerce at an all day meeting on 14 June of the Committee set up under Article 31 of the EU's Data Protection Directive (95/46/EC). The Commission, chairing the meeting, informed the Member States that the two sides had concluded that it was not possible to reach agreement on all aspects of the "safe harbor" arrangements under discussion in time for the EU/US Summit on 21 June, as previously intended.

The Committee welcomed the progress made throughout the dialogue and in particular as a result of the most recent meetings with the US side, including the 28 May meeting in Brussels between John Mogg, European Commission Director General for the Internal Market and Financial Services, and David Aaron, US Under Secretary of Commerce. The Committee took the view that a number of points require further work to bring the dialogue to a successful conclusion. These are linked in particular to various aspects of enforcement. The Commission will convey the Committee's views to the US Department of Commerce.

The Committee encouraged the Commission to continue its efforts and indicated its support for the broad shape of the arrangements under discussion. The Committee confirmed its willingness to examine the outstanding issues with a view to finalising the arrangements as soon as possible.

The nature of the package is that nothing is agreed until everything is in place. This said, the main focus of discussion is a number of points that concern the structure of the arrangements, the way they will work and the time to implement effectively the principles. The arrangements have to meet both the goals of the dialogue - providing security for data flows, and safeguarding the right of individuals to high data protection standards.

The "safe harbor" arrangement which is under discussion will provide a predictable framework for transfers of personal data from the EU to US companies or organisations which adhere to a set of principles to be issued by the Department of Commerce. On the EU side, the principles would be met by a decision recognising that they represented an "adequate protection" standard, as required by the EU Data Protection Directive for transfers of personal data to third countries. A formal decision under the Directive (Article 25.6) to approve the "safe harbor" principles as providing "adequate protection" would require the support of a qualified majority among the Member States.

To complete the framework, it is necessary to have, in addition to the principles themselves, a clear understanding on how the "safe harbor" would work. The focus of discussions has now shifted to these additional questions, some of which have been resolved (for example, the Department of Commerce will maintain a list of organisations that have signed up to the "safe harbor" principles, so there will be certainty about who is entitled to "safe harbor" benefits) and some have not (for example, how long should US companies have to sign up to the "safe harbor" and implement the principles).

The package as a whole is designed:

to provide guidance to companies and other organisations in the US who want to meet the "adequate protection" standard provide the necessary legal certainty for those adhering to the agreed standard that their data transfers will not be interrupted and create thereby a more predictable and less administratively burdensome framework, ensuring high data protection standards for data transfers to the US.

The key feature of the "safe harbor" approach is that it creates a bridge between the EU's legislative approach to data protection and that of the US, which - while having considerable legal underpinning - relies mainly on self-regulation.

The issue was also discussed with the advisory group of Member States' data protection commissioners (Article 29 Committee) on 7 June. The Committee issued an opinion on the status of "frequently asked questions", part of the "safe harbor" package.