BRUSSELS/WASHINGTON – The US and the EU are likely to reach “agreement in principle” at their June 21 summit in Berlin on safe harbor provisions allowing continued transfer of data from Europe to the US.
But the agreement, if concluded, will leave experts to work out details and that could take until the end of the year. The two sides have been at odds over the data protection directive for many months.
A May 28 meeting in Brussels between Undersecretary of Commerce David Aaron and John Mogg, the EU’s Director General for the Internal Market and Financial Services, made “substantial progress,” but left key issues unresolved.
Both sides conceded final agreement may not be reached in time, despite intensified negotiations and inter-European talks among member state governments and among the data protection registrars who oversee implementation of the directive.
But even failure to reach agreement in principle won’t stop the flow of data to the US. Aaron spokesman Daniel Cruise noted that the June 21 deadline was self-imposed by the US and that “if it slips by it is no big deal.”
The “standstill” agreement in force since the directive went into effect last Oct. 24 will remain “so long as we have constructive discussions,” Cruise said, adding that everything should be wrapped up by the end of the year, “since the bulk of substantive issues are behind us.”
Still, some major stumbling blocks remain, specifically differences about enforcement of the principles and the time given US companies to comply with them. The EU wants six months. The US insists on two years.
The European Commission has agreed to the Department of Commerce’s maintaining a “list of organizations that have signed up to the safe harbor principles, so there will be certainty about who is entitled to safe harbor benefits,” the EC said in a statement issued May 31.
Member states must still give their assent in two meetings scheduled after press time. And the data protection commissioners may throw in their two cents in a third meeting. But sources close to the negotiations maintained the “fix was in” with broad agreements on the principles to be announced at the June 21 summit.
“Compared to just a month ago,” one source said as DM News International went to press, “things are moving forward much more quickly than we ever expected them to do. They can’t sort out all the details in the next two weeks of course, but this is an important step.”
Other experts noted the devil was in the details and that things could still go awry. Not all US companies are eager to sign onto the seven principles. The first principle tells individuals what type of information is collected and what it will be used for. The second gives individuals the right to decide how information can be used. The third provides access to information. Enforcement is fourth, followed by onward transfer, security and data integrity. The definitions of enforcement and access are still under discussion.
Companies that don’t sign up may find the contractual route more palatable, i.e. signing contracts to provide adequate protection for data brought from Europe to the US.
Either individual member governments or the data registrars, however, could take action against companies in egregious violation of the EU directive, even though not all members have enacted it into national law.
Only a handful of countries have done so. While the UK has enacted the directive, it is still working on regulations on how it should be implemented, and that is unlikely to be completed until November at the earliest.
The French government expects to publish a legislative draft this summer, which the National Assembly will probably approve in November or December. Germany is still working on its law. Sweden, Italy, Spain and Greece have enacted the directive into law.
Nevertheless, the directive is in place and both the EC and the registrars could use it to crack down on individual US companies or industries.
“If the registrars were to look at some companies that have not adopted safe harbor principles, the Europeans could start making some nasty threats,” said Alastair Tempest, director general for public affairs at the Federation of European Direct Marketing.
“It is conceivable that a member of the Article 29 committee (the national data protection registrars) recommend halting the data flow and that somebody could file lawsuits in a national court charging violation of the directive,” said DMA International VP Charles Prescott.
The US, he noted, has more at stake than the Europeans “since we are a service economy with 75 percent of the money coming from service. The Europeans are much less so.”
But he also noted that Europeans are heavily invested in the US and that their companies here would suffer equally from a cutoff. The French alone, he said, own 434 companies in the US Northeast.