EC Pushes to Finalize Safe Harbor by June
US and EU negotiators reached the agreement on March 14 after more than two years of negotiations. US companies that adhere to the "safe harbor" principles are deemed to offer the "adequate" protection the EU's data protection directive requires.
The US hopes that the EU will run through approval procedures in time for the EU-US summit early in June. But that deadline, observers said, may be hard to meet given the procedural and other obstacles yet to overcome.
As a first step the commission authorized Frits Bolkestein, the Internal Market Commissioner, to seek approval of the agreement from a "qualified majority" of member states represented in the so-called Article 31 committee.
He must also obtain support from the data protection commissioners of the member states who make up the Article 29 committee, and submit the agreement to the European parliament, "which will check that the Commission is using its powers under the directive correctly."
Preliminary discussions with all three groups were held earlier this month. The timetable then called for the Article 29 committee to give its opinion on May 15 and 16 with the Article 31 committee's views due on May 30 and 31, a week before the June 5 EU-US summit.
Opposition from the parliament and the data commissioners who make up the Article 29 committee is possible but not fatal. Only the member states in the Article 31 committee have the deciding vote.
The "qualified majority," said Jonathan Tann, spokesman for DGXV, the department in the EC headed by chief EU negotiator John Mogg, is "a two-thirds majority in terms of numbers of votes."
This is important because "each member state has differently weighted votes depending on population," meaning that the bigger countries have more votes than the smaller ones, whose opposition would not be decisive.
But while the "qualified majority" in the Article 31 committee seems assured, a sizable and vocal minority among the national data commissioners gathered in the Article 29 group is likely to oppose "safe harbor."
The Italians have led the opposition and made their views known across every forum in Brussels that would listen to them. As a result, the Americans and some Eurocrats have tended to dismiss their complaints.
Yet the Italian data commissioner has said he will apply the Italian law, the strictest adaptation of the directive into national law so far in Europe, to restrict the data flow to the US.
He has already argued that "safe harbors" are not strict enough and said that Italian law demands consent from every Italian whose data is transferred overseas.
Alastair Tempest, director general of FEDMA and chief industry lobbyist in Brussels, called the Italian "a tough cookie" and said that if he feels snubbed "he'll find a case and take it to court to see who's right."
He would probably pick a multinational and haul the company before an Italian court, and if he wins there move on to the European court. Italy has some support in this, notably from Greece and a few other smaller nations.
Still, Tann noted, this is not an easy procedure because technically, if the Italian thought a "particular data transfer to a safe harbor company in the US did not in fact offer an adequate level of protection, he would have to notify the European Commission.
"The EC would then have to notify all the other member states, and only if the other members and the EC agreed with the Italians, would the data flow actually be stopped. The directive exists to avoid taking such divergent decisions."