EU Agrees to Self-Regulation Principles, But Doubts Remain

BRUSSELS/WASHINGTON - European negotiators have agreed to accept the concept of self-regulation as the basis for "adequate protection" of private data sent from European Union countries to the United States.
As a result, the U.S. believes it can reach agreement with the EU in the long-running privacy dispute in time for the next EU-U.S. summit to be held in Washington Dec. 17.
Sources at the European Commission in Brussels, however, are less sanguine. They said EC officials in the Directorate General XV, which handles privacy issues, want "to know precisely" how self-regulation would be enforced.
"We need to see the teeth," one said, "and to make sure the teeth are there if required. Member states are not going to agree unless they are satisfied that there is truly effective enforcement."
Still, another source said, "there is a desire on both sides to come to an agreement in time for the summit," but he cautioned that under no circumstance could the deal "be sealed, signed and delivered" in time.
Under Secretary of Commerce David Aaron, the chief U.S. negotiator, conceded that "the devil is in the detail" and that a lot of issues need to be worked out first.
He told a press briefing in Washington last month that working group meetings had been scheduled in October and November. "More consultation is required," he said, to follow up on his September meeting in Paris with John Mogg, his EC counterpart.
But he called European willingness to put more responsibility on the US self-regulatory system a "promising concept" in solving differences over enforcement of privacy rules.
Europeans have been "favorably impressed" by the U.S. self-regulatory proposals, especially by the appeals mechanism.
Both state and federal law have provisions to crack down on deceptive business practices. "If a company signs on to the self-regulatory principles and is found not to live up to them, the FTC and the state attorneys general could get into the act."
But Europeans don't know how far the FTC's jurisdiction would reach or what other authorities would take over in cases beyond FTC control.
"It is essential that some kind of intervention by the public authorities take place if that proved necessary," one official said. "It is not sufficient for the privacy organizations to police themselves."
"We're looking for clarification," another said, "about the mechanism of the teeth. At the very least we want to know which authority would be responsible in which situation.
"If a problem occurred in such and such a sector, what would actually happen to rectify the situation? We want the i's dotted and t's crossed."
Aaron said US law would apply in handling any violations of the safe harbor provisions - seven principles companies must agree to honor if the flow of their data from Europe to the US is not to be interrupted.
That's fine with the Europeans so long as the laws punish companies guilty of violations. But if "at some future date" the EU found that enforcement was not working, it reserved the right to ditch the safe harbor agreement.
One unresolved American concern is whether European data protection authorities would be involved once US law was invoked to punish safe harbor violators.
"My concept is that they would not be but we have a question about that. We want to avoid a situation where there are in fact two layers of enforcement," Aaron said.
Europeans concede that the Americans are looking for clarification on this point, but insist there would not be two layers of enforcement. They concede, however, that it is possible, though not likely, for individual data protection commissioners to participate.
Previous negotiations had stumbled over the role European data protection people would play in the self-regulatory process.
If they were involved, Aaron said, "we want to be sure that interpretation of these principles was the same on our side and among all the 15 member states of the EU. We want to be sure they treat us no differently than any other country."
Working party meetings are being held in Washington and Brussels to iron out contentious points. Mogg and Aaron may meet again next month "depending on how things are going at the lower levels," one European said.
Aaron also made these points:
The Europeans will not cut off the flow of data from the EU to the U.S. so long as "good faith" negotiations continue. "The Europeans have not set a time limit."
No agreement has been reached on implementation time. The Europeans want six months. The U.S. insists on two years.
The new initiative came from one of the member states Aaron would not name, and not from the EC. The UK, Aaron said, supported the proposal.