The European Parliament has rejected the current system of U.S. data privacy protection contending that it does not represent the adequate level of protection required by European legislation, because the system of "safe harbor" principles is not yet in place in the U.S.
The vote, however, might have little impact on the transatlantic agreement reached earlier this year between the European Commission and the U.S government, recognising the U.S. system based on safe harbor principles as representing adequate protection, an EU official who asked not to be identified told IDG Thursday.
Although the European Parliament represents voters in the 15 member states of the EU, in May those 15 governments agreed with the Commission that the U.S. system presented adequate standards of privacy as defined by a 1995 EU directive. That directive stipulated that personal data from databases maintained in the EU could only be transmitted to countries outside the EU provided they respected similar standards of data privacy.
However, the European Parliament has decided otherwise.
"The Parliament takes the view that the adequacy of the (U.S.) system cannot be confirmed and, consequently, the free movement of data cannot be authorised until all the components of the safe harbor system are operational and the United States authorities have informed the Commission that these conditions have been fulfilled," according to the opinion drafted by Elena Ornella Paciott, an Italian member of the Parliament's Socialist Group. The Parliament's plenary session endorsed this position 279-259, with 22 abstentions.
Although the Parliament's opinion is not legally binding, it would nevertheless be politically delicate for the Commission to publicly ignore the warning. Indeed, the Commission is downplaying the situation until it has examined how best to respond to the Parliament's vote.
"The Commission is disappointed that the European Parliament did not give us a clear endorsement. We will now carefully study the resolution and reflect on the next step," said Jonathan Todd, the spokesman for Frits Bolkestein, European Internal Market Commissioner, in an interview.
But other sources question the importance of the European Parliament vote.
"The European Parliament's opinion is not binding, and if the Commission complies with the negative opinion, it sets a dangerous precedent for the powers of the Commission in the future," said an EU official who asked not to be identified.
As a result, perhaps as soon as later this month, but more probably in September, Commissioner Bolkestein will propose that the full Commission formally recognize the U.S. safe harbor principles as representing adequate data privacy standards, the official said.
Earlier this year, the Commission reached an agreement with the U.S. that a system based on safe harbor principles did represent adequate levels of data privacy, after the U.S. administration agreed to reinforce consumer access rights and set up dispute settlement procedures for consumers.
The safe harbor principles require that a company seek explicit agreement of a data subject before transferring personal data to another company. It also gives the data subject reasonable access to personal data to review and possibly correct it. The principles also require organizations using personal information to "take reasonable precautions to protect it from loss, misuse and unauthoried access, disclosure, alteration and destruction," according to EU documents.