The European Commission and the United States are again at loggerheads over the free flow of data from Europe to U.S. companies, only eight months after the two sides reached an agreement on “safe harbor” provisions.
The issue this time is a standard contract the EC has proposed for U.S. companies that do not want to sign on to safe harbor. The International Chamber of Commerce and other industry groups have drafted such model contracts, but the EC has found none of them acceptable.
In January the commission issued a draft of its own that has reignited the conflict. The Direct Marketing Association issued a scathing attack on the proposal this week. A press release from the DMA said U.S. companies in the European Union “would be subject to ad-hoc privacy policies that would be privately negotiated with individual regulators” and urged the European Parliament to reject the proposal.
Charles Prescott, the DMA's international vice president, said the proposal “makes it more difficult to achieve a uniform level of privacy protection for all European consumers and creates legal obstacles to international enterprises in the EU.”
It is “detrimental to business and consumers,” he continued, and reverses normal rules of law by creating “a presumption of liability for any two companies involved in database marketing.”
In Europe, the Federation of European Direct Marketing told EC officials the “model contracts are too difficult to implement for business” and present “substantial legal risks and administrative cost.”
Also, the draft “contains insufficient protection for confidential information, extends disclosure requirements beyond those in the general [data protection] directive with little obvious benefit and runs the risk of exposing EU companies to punitive damage claims,” the federation said.
In the United States, the Treasury and Commerce departments have weighed in with their objections. Commerce officials wrote a letter to the EC in February saying the draft “may create several adverse consequences for U.S. enterprises.
“We are concerned that adoption of this proposal could undermine agreement to use the Safe Harbor principles as the basis of model contracts,” the letter said. “Generally, the proposal appears to impose burdensome requirements … that exceed what was contemplated in the safe harbor principles.”
Commerce Department staff followed up with a point-by-point critique of the EC proposal, including liability for violations for both exporters and importers of data. The department held it was unreasonable to blame the importer for actions of the exporter.
The Treasury Department sent a letter March 23 to John Mogg, the chief EC negotiator for safe harbor, arguing that the proposed standard clauses are not a workable alternative model. “They impose unduly burdensome requirements incompatible with real-world operations,” it said.
Banks and insurance companies are barred from adhering to the safe harbor provisions because they are not subject to Federal Trade Commission supervision, a key EU demand. Treasury now wants the EC to take more time with a final draft.
The EC has yet to answer either communication, though officials said a reply would be forthcoming shortly. But they tended to dismiss U.S. concerns as unfounded.
“It would appear from the letter that the U.S. administration has not understood what we are currently doing in terms of the model contract,” said Jonathan Todd, spokesman for the internal market of the EC. “They seem to link the model contract with the issue of adequacy of protection offered by financial services legislation in the U.S. They are separate and distinct issues.”
What's more, Todd said, nobody has to sign these contracts. “They are an alternative to safe harbor,” he said. “All we are doing is clarifying to business what we are looking for in such a contract. There are no new obligations.”
Todd pointed out that the data flow has never been interrupted because “there were no instances where data commissioners had reason to believe that data did not enjoy adequate protection.”
Alastair Tempest, FEDMA's director general, conceded that nothing has happened yet. “But I don't think we can say that because it hasn't happened it won't happen.”
It took two years to negotiate a safe harbor agreement, which is based on seven principles that bring signatories into compliance with the EU directive demanding adequate legal protection for transferred data.
The agreement, which is not a formal treaty, was opened to U.S. companies in November. So far only 35 companies have signed on, with Hewlett-Packard the largest. Most of the others are small and medium-sized enterprises.
An official at the Commerce Department explained that some companies are holding out for a better model contract deal, while others need time to work on compliance issues or are betting on “the standstill” agreement not to halt the data flow.