A shell-shocked European Commission next week will analyze the implications of the European Parliament's resolution asking the EC to reopen talks with the United States over the “safe harbor” issue before announcing its next move.
Frits Bolkestein, the EC commissioner in charge of the internal market that includes data protection, said the implications went beyond his own area of responsibility and that he had to consult with the other commissioners.
The commissioners meet on July 12, and EC spokesmen said no decision or position would be made public before then. But they said the vote would have no immediate impact on the free flow of data from the European Union to the United States.
While no formal moratorium on banning the data flow exists, the two sides tacitly agreed during the negotiations not to interrupt it.
“I don't think that is going to change,” one spokesman said.
A spokesman for the U.S. Department of Commerce would say only that “we are watching developments in Brussels closely to see what the EC will do next.”
Parliament, he noted, had not voted yes or no on the safe harbors provisions, but passed a vaguely worded resolution open to several interpretations. The EC could reopen negotiations or could ignore Parliament.
“The U.S. continues to believe that the proposed safe harbor is the most effective vehicle for bridging our different approaches to privacy,” the Commerce Department spokesman said. “Safe harbor will protect EU privacy and create the necessary environment for e-commerce.”
An EC official said, “We have been in touch with the Americans, but no specific [approaches] have been made by the U.S. side. They are curious to know what we make of it, and we tell them we're thinking about it.”
The EU's data protection directive — which went into effect October 1998 — bars data transfer from the EU to countries outside the Union without “adequate” privacy protection. Since the United States does not have a privacy law, the safe harbor agreements were hammered out in two years of talks.
The agreement commits companies that agree to abide by “safe harbor” to adhere to seven principles designed to protect private data from misuse. Violators would face regulatory action.
Parliament made clear it was not happy with the current draft of the agreement and suggested several changes, including:
• Recognition of an individual's right of appeal to an independent body regarding alleged violation of the principles.
• Obligation of firms that sign on to compensate for damages.
• The delivery of an EC report within six months “on the proper functioning of the system.”
• Close monitoring of the safe harbor system.
Bolkestein warned Parliament before the vote that he categorically excluded going back to the negotiating table because the EU had already “obtained the best possible result.”
But what happens next is unclear. Officials pointed out that Parliament acted under a new provision and that no precedent existed. They said the resolution would be debated in committee with the outcome dependent upon what the EC decides to do.
They also blamed “recent events” for Parliament's move, specifically revelations about Echelon, the U.S.-United Kingdom secret service telecom interception network that monitored global electronic messages.
Parliament was not only concerned about individual rights, but also felt the United States was passing industrial espionage secrets to American firms.
“Without Echelon, Parliament would have been more likely to say 'Yes, but' to safe harbor. Instead it seems to be taking a position between 'Yes, but' and 'No, unless,'” one source said.
While the resolution is not legally binding, the EC is unlikely to ignore it. Parliament could take the EC to court on charges of exceeding its powers.
“It boils down to this,” another source said. “Parliament has refused to give unequivocal approval of U.S. data protection measures and has asked the EC to change the agreement. It is now waiting to see whether the EC will do so and then decide on its next step.”