Offering few details, federal negotiators said they reached a preliminary agreement this week with the European Union on new privacy-protection provisions that U.S. companies must agree to before transferring electronic data on EU citizens across international borders.
The agreement, which has been in the works for more than two years and still requires approval on both sides of the Atlantic, is designed to allow for the uninterrupted flow of information between the two continents. Without a negotiated standard, some U.S. companies have feared legal reprisals or possible trade sanctions for violating EU member nations’ laws on privacy.
John Mogg, the European Union’s primary negotiating representative, characterized the tentative agreement as fundamentally solid, saying, “The basic structures of the arrangements are there, [but] we have a number of procedural and decisional routes to go through.”
U.S. chief negotiator David Aaron, Undersecretary of Commerce for International Trade, agreed, noting that businesses collecting personal data on European citizens would generally have to abide by the protection standards set up for companies within the 15-nation EU. But Aaron, who will leave his post for the private sector at the end of March, noted the urgency of both sides to settle the details as soon as possible.
“Given this is an election year and a new administration is coming on, it could be another two years before we might even get back to the table,” Aaron said, adding that details of the most recent terms will be fine-tuned between now and March 31, which is when a self-imposed deadline by both parties goes into effect. The agreement probably will require that U.S. companies support the extension of more privacy rights to European citizens than their American counterparts will like.
“The company has to give you access, has to give you notice about what they’re collecting, has to give you notice and choice if they give the information to a third party and has to give you notice and choice if they use the data for a different purpose,” he said.
Any business that violates the regulations once enacted would be subject to prosecution by the Federal Trade Commission and the states.
Business groups are expected to applaud the deal, which appears to indulge a long-held view that self-regulatory measures present the best model – even if they must be partially retrofitted to accommodate the EU across electronic borders.
Privacy groups, however, are already seeing loopholes, saying that what Aaron characterizes as details are actually key issues: the same ones that have always existed for U.S. companies regarding the international use of marketing information, how it will be stored and how it will be disclosed to inquiring European consumers. They also said the agreement doesn’t go far enough – that it does not fully establish the U.S. marketplace as a “safe harbor” for EU consumer information and electronic data.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, Washington, characterized the proposal as simply “unenforceable under U.S. law.” And in Europe, Giovanni Buttarelli, head of the Italian government’s data protection authority, said the accord would be far too costly to EU citizens.
“Any deal that denied Europeans control over personal data exported to the U.S. could land the case in the European Court of Justice in Luxembourg,” Buttarelli was quoted as saying.
The EU’s Data Protection Directive protects private information in seven key areas:
• Notice that data are being collected.
• Choice to opt out.
• Access to the information.
• Notice of transfer to third parties.
• Notice if data are to be used for purposes other than originally stated with a choice to opt out.
• Provisions for enforcement.
• Dispute resolution.
