BRUSSELS (03/29/2000) - The U.S. has become the first country outside of the European Union to have its data privacy rules based on safe harbor principles accepted by the European Commission as providing "adequate" standards of protection for personal data, the Commission announced in a statement today.
"This is just the beginning of the formal EU authorization process," Jonathan Todd, Commission spokesman for Internal Market Commissioner Frits Bolkestein, cautioned.
Member state representatives in two separate committees must also approve the classification and the European Parliament must provide an opinion, although the Commission can ignore its advice. All this should be completed in time for the June 5 summit between Commission President Romano Prodi and U.S. President Bill Clinton, who want to formally announce the agreement that ends nearly three years of talks, Todd said. Similar classifications for Switzerland and Hungary will follow, he said.
At issue is an EU directive which took effect in October 1998 to ensure the free flow of data across the 15 member states of the EU by establishing a high standard of data privacy. The directive also authorized the transmission of data outside the EU only if the importing country had an adequate level of protection. Failure to fulfill that requirement could theoretically have led to the EU blocking data flows.
Negotiations with the U.S. have been plagued by EU concerns that the largely voluntary system of data privacy existing in the U.S. could not meet the legislative requirements of the directive. In the end, however, the EU finally accepted that safe harbor principles will achieve high levels of protection, and EU and U.S. negotiators announced an agreement two weeks ago.
"But this decision is reversible," Todd said, explaining that if the EU determines that the safe harbor participants are not living up to their commitments, or that the U.S. Department of Commerce is not overseeing a high level of enforcement, the EU could withdraw the classification and possibly block data flows to the U.S.
Under the safe harbor arrangement in the U.S., the Department of Commerce will establish a list of companies adhering to a set of data protection rules and related enforcement requirements that the Commission has found to provide "adequate protection."
The safe harbor principles require that a company seek explicit agreement of a data subject before transferring personal data to another company. They also give the data subject reasonable access to personal data to review and possibly correct it. The principles also require organizations using personal information to "take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction," according to the text of the arrangement.
The Commission decision comes on the eve of a debate within the European Parliament on the risks posed by the U.S.-led Echelon satellite intelligence to industrial competitiveness in the EU. The Echelon issue has raised questions about the capability of the EU data privacy directive to protect individuals because data collected for intelligence or security purposes are excluded from the scope of the directive.