BRUSSELS/WASHINGTON – After failing to reach agreement on data protection in time for the June 21 EU-U.S. summit in Bonn, the European Union and the United States expect to wrap up a pact after the summer break, perhaps by October.
The EU and the U.S. issued a statement June 23 noting that enough progress had been made on the so-called “safe harbor” provisions to finalize the pact in autumn. So long as discussions continue, the flow of data from Europe to the U.S. will not be interrupted.
A joint report submitted to the summit said “we have made substantial progress in developing an arrangement that would provide a predictable framework for the transfer of personal data from the EU to the U.S. with adequate protection for privacy.”
The report said “only a limited number of points are still at issue” about safe harbor provisions and about “frequently asked questions,” meaning how the principles would be applied in practice.
EU member states “support in principle” the idea of creating “a presumption of adequate privacy protection for U.S.-based organizations that self-certify their adherence to the principles and frequently asked questions and are subject to the jurisdiction of the FTC or other body with similar statutory power.”
Observers noted that “support in principle” left the door wide open for EU member opposition to the final draft. Enforcement, implementation and phase-in also remain unresolved, all issues sticky enough to take the balance of the year to resolve.
But the fact that the EU and the U.S. have agreed on what needs to be agreed on shows how far the two sides have come together, according to Charles Prescott, the DMA’s international vice president.
The phase-in period may be troublesome, he conceded. The U.S. favors a two-year transition while the EU wants the agreement in force in six months.
U.S. negotiators, he added, need only point out to the Europeans that fewer than half of member states have integrated the EU’s data protection directive into national law. “That should embarrass them enough to be realistic,” he said.
Differences on enforcement pit U.S. demands for self-regulation against European insistence on more formal rules.
Europeans argue that the Federal Trade Commission doesn’t have the necessary resources for enforcement and therefore will not provide help to EU nationals who feel a U.S. company has violated their privacy rights.
That’s true, Prescott said, but it also holds for an Austrian trying to get help in a similar case from a Swedish data protection commissioner. “Indeed the FTC is more likely to take action than the Swede,” he said.
Still, implementing a system for giving EU citizens relief for privacy invasions when dealing with US companies will take time.