Stalled US-EU Privacy Negotiations Set New March Deadline
Both sides said they were close to agreeing on outstanding issues -mainly involving enforcement mechanisms against companies that violate the "safe harbor" provisions.
These are a set of principles that will bring US companies who promise to abide by them in compliance with the EU's data protection directive that bars data transfers to countries without "adequate" privacy protection.
But the March deadline is no more certain than earlier targets for agreement. "We have to set a deadline, otherwise the whole thing becomes ridiculous," said a spokesman for the EU's Directorate General 15, in charge of privacy.
"It was never going to be easy to build a bridge between the European legislative approach and the American self-regulatory one. But both sides can see their mutual interest in reaching a safe harbor agreement."
Since the data protection directive went into effect within the EU on Oct. 24, 1998 - it has only been adapted into national law by a handful of member states -there has been a tacit arrangement not to cut off the flow of data from Europe to the US so long as meaningful discussions continue.
But one European source emphasized that no formal "standstill" agreement existed between the two sides on this point. "Strictly speaking there is no standstill and there never has been.
"But the fact that data continues to flow across the Atlantic is an indication that the data commissioners in the various member states have not felt that any data transfer since Oct. 24, 1998, has given rise to any particular concern."
However, he indicated that should such concern arise, individual data commissioners could ask the European Commission to act and cut off data sent to a company considered in violation of directive regulations.
The Americans are more up-beat. Daniel Cruise, a spokesman for chief US negotiator David Aaron, said so long as good faith negotiations continue "there is no risk that they would apply the directive."
The Europeans conceded that "there has been quite a lot of progress on the question of enforcement," specifically that US authorities would be responsible for doing so in "an effective manner."
But one official warned that even if formal agreement on safe harbor was reached, the EU would revoke it if the US failed to "apply and enforce" it properly.
For now, he said, "there are still outstanding issues concerning definition of the scope of safe harbor, the availability of reliable and accurate lists of safe harbor participants, and additional guarantees on enforcement.
"The whole question of 'teeth' has not been totally resolved and neither has the problem about assuring payment of damages in cases where individuals suffered a loss as a result of violating the safe harbor principles."
Chief EU negotiator John Mogg met Aaron in Paris in September when the December deadline was set, and again in November in Washington when they realize that differences could not be bridged in time for the summit.
The two sides, the official said, "are committed to doing all they can to resolve outstanding difficulties by March, but if the differences are still too great bridge for the time being I don't see anybody pulling a loaded gun. No axe is coming down at the end of March."
He noted that blocking data transfer was "not in the interest of any European country, in fact, it would be bloody awkward and it will happen only if a serious problem arises, and if there hasn't been a serious problem so much the better."
Nor was he overly concerned about failure to agree on all the terms of the principles and how they should be applied. "That may be too bad but we will have to continue as we have been, perhaps with more uncertainty, and on a case by case basis," he said.
The Europeans, another official said, never asked the Americans to go down the legislative track on the privacy issue. "They have their own way of doing things and we expect the Americans to respect our way of doing them."
US business opposed to safe harbor may fear that "those principles once agreed upon could serve as a basis for American privacy legislation." There has been growing pressure in Congress for such legislation.
The lengthy negotiations also have a good side, the DMA's International VP Charles Prescott said.
"It has provided a learning time and experience for European officials on the information age and has increased and supported the policy discussions in the US on privacy."