European and US negotiators have finalised an agreement on data privacy that puts to rest a simmering trans-Atlantic dispute over data protection, but US observers say the accord underscores that Europeans have far more privacy protection than Americans.
After more than two years of talks, negotiators announced at a press conference in Brussels yesterday that the US's largely self-regulatory system based on so-called safe harbor principles represents "adequate protection" as defined and required by the rules of the European Union on the transfer of personal data outside the EU.
"The US safe harbor principle meets the test of adequacy as required by the (privacy) Directive," said John Mogg, director general of the European Commission's Internal Market Directorate.
Under safe harbor principles a US company can, for example, only transfer or sell personal data to another company with the explicit agreement of the subject of the data. The safe harbor principles also allow EU citizens reasonable access to their personal data to review and possibly correct it and require adequate enforcement to ensure proper compliance. Companies wishing to adhere to the principles will sign up with the U.S. Department of Commerce and be placed on a database available to the public over the Internet.
But the EU's agreement that the safe harbor principles afford adequate protection is largely meaningless, several observers said, because the first time there is a challenge to the safe harbor principles, the case goes to the national court of the citizen making the charge, and individual EU nations typically have strict privacy laws.
For example, a citizen of the UK who objects to how his or her data was treated in the U.S. takes the case to a UK court and follows UK law on this issue, according to Simon Davies, director of Privacy International, a London-based watchdog group. "And that is so in each country, which is why this whole negotiation has been a farce," Davies said.
A US-based observer agreed.
"It's an exercise in futility, because Europeans still have their rights under their national laws," said Evan Hendricks, editor and publisher of Privacy Times, a Washington, DC-based newsletter.
Those national laws are much more strict than the safe harbor principles, which are "thoroughly inadequate in every respect," Privacy International's Davies said.
But however deficient Europeans find the safe harbor principles, they are more protection than Americans have currently, US observers said. The final version of the safe harbor principles has not yet been announced, but they do not apply to Americans, which highlights a real paradox, they said.
Unless they have been changed, the safe harbor principles apply to the export of data on Europeans to the U.S. and not to Americans' data held by American companies, said Barry Steinhardt, associate director of the American Civil Liberties Union (ACLU) in New York.
"It seems plain that Europeans who deal with American companies are going to have greater protection than Americans," Steinhardt said.
The safe harbor principles also mandate that the US Federal Trade Commission (FTC) expedite complaints by EU citizens about how their data was handled in the U.S., processing them faster than complaints from U.S. citizens, several observers said. The ensuing system, whereby a U.S. government agency gives preference to complaints from noncitizens, is peculiar, they said.
"One of the linchpins of this whole agreement is now the FTC is going to become an aggressive pit bull for the privacy rights of Europeans," said Hendricks of Privacy Times.
The agreement reached today, which must be approved by the 15 member states of the European Union and the Strasbourg-based European Parliament, does not include financial services -- an apparently major gap in the agreement.
"Financial services are not excluded; they are simply not yet included," David Aaron, U.S. under secretary of commerce for international trade, explained. This means that financial service companies can still voluntarily agree to sign up to safe harbor principles. However, in view of the ongoing modernization of the U.S. banking sector, the EU might require or accept separate provisions for the sector in the future, once the reform is finalized.
"We agreed that including the financial services now would be like painting a moving train," Mogg said.
Aaron pointed out that implementing regulations for the U.S.'s Financial Modernization Act are not expected before May, when U.S. President Bill Clinton has also announced plans to propose specific legislation guaranteeing privacy in the financial services sector.
At issue is an EU directive that took effect in October 1998 to ensure the free flow of data across the 15 member states by establishing a high standard of data privacy. This directive also required that data could be sent outside the EU only to those countries which had an adequate level of protection. Failure to fulfill this requirement could theoretically lead to the EU blocking data flows.
Negotiations with the U.S. have been plagued by EU concerns that the largely voluntary systems of data privacy in the U.S. could not meet the legislative requirements of the EU Directive. Today's accord means that the EU has agreed with the U.S. claim that safe harbor principles will achieve high levels of protection.
But most observers, including Privacy International's Davies, charged the U.S. and the EU with playing politics.
"This is to do with stabilizing trust in trade and investment and has nothing to do with privacy protection," Davies said.
Privacy Times' Hendricks charged U.S. and EU officials with ignoring the will of the people, who have a legitimate interest in protecting their privacy.
"You've heard of B-to-B? This is G-to-G. Government to government, ... even though the subject is people's personal data," Hendricks said.
Nonetheless, several observers, including Hendricks, expressed confidence that strong U.S. privacy protections would eventually be established. As consumers discover more and more error-ridden credit reports and an increase in personal information showing up in unwanted places, they will push for reform, just as they did with the Fair Credit Reporting Act, which restricts the sharing of consumer data with third parties, according to Hendricks.
"Ultimately, it's a human rights issue in the information age," Hendricks said.