European and U.S. negotiators today finalized an agreement on data privacy that puts to rest a simmering trans-Atlantic dispute over data protection, but U.S. observers say the accord underscores the fact that Europeans have far more privacy protection than Americans.
After more than two years of talks, negotiators announced at a press conference in Brussels today that the U.S.'s largely self-regulatory system based on so-called "safe harbor" principles represents "adequate protection" as defined and required by the rules of the European Union on the transfer of personal data outside the EU.
"The U.S. safe harbor principle meets the test of adequacy as required by the (privacy) Directive," said John Mogg, director general of the European Commission's Internal Market Directorate.
Under safe harbor principles, a U.S. company can, for example, only transfer or sell personal data to another company with the explicit agreement of the subject of the data. The safe harbor principles also allow EU citizens reasonable access to their personal data to review and possibly correct it. They also require adequate enforcement to ensure proper compliance. Companies wishing to adhere to the principles will sign up with the U.S. Department of Commerce and be placed in a database available to the public over the Internet.
But the EU's agreement that the safe harbor principles afford adequate protection is largely meaningless, several observers said, because the first time they're challenged, the case will go to a court in the home country of the citizen making the charge. Individual EU nations typically have strict privacy laws.
For example, a citizen of the U.K. who objects to the way his or her data was treated in the U.S. would take the case to a U.K. court, and the court would follow U.K. law on this issue, according to Simon Davies, director of Privacy International, a London-based watchdog group. "And that is so in each country, which is why this whole negotiation has been a farce," Davies said.
A U.S.-based observer agreed.
"It's an exercise in futility because Europeans still have their rights under their national laws," said Evan Hendricks, editor and publisher of "Privacy Times," a Washington-based newsletter.
Those national laws are much more strict than the safe harbor principles, which are "thoroughly inadequate in every respect," said Davies.
But however deficient Europeans find them to be, the safe harbor principles are more protection than Americans have currently, U.S. observers said. The final version of the safe harbor principles hasn't been announced yet, but the principles don't apply to Americans.
Unless they have been changed, the safe harbor principles apply to the export of data about citizens of European Union countries to the U.S., but not to data about U.S. citizens held by U.S. companies, said Barry Steinhardt, associate director of the American Civil Liberties Union in New York.
"It seems plain that Europeans who deal with American companies are going to have greater protection than Americans," Steinhardt said.
The safe harbor principles also mandate that the U.S. Federal Trade Commission (FTC) expedite complaints by EU citizens about the handling of their data in the U.S., requiring the agency to process those complaints faster than complaints from U.S. citizens, several observers said. Such a system — in which a U.S. government agency gives preference to complaints from noncitizens — is peculiar, they said.
"One of the linchpins of this whole agreement is now the FTC is going to become an aggressive pit bull for the privacy rights of Europeans," said Hendricks of Privacy Times.
The agreement reached today, which still must be approved by the 15 member states of the European Union and the Strasbourg-based European Parliament, doesn't include financial services — which appears to be a major gap.
"Financial services are not excluded; they are simply not yet included," said David Aaron, U.S. undersecretary of commerce for international trade. This means that financial service companies can still voluntarily agree to sign up to safe harbor principles. However, in view of the ongoing modernization of the U.S. banking sector, the EU might require or accept separate provisions for the sector in the future, once the reform is finalized.
"We agreed that including the financial services now would be like painting a moving train," said the European Commission's Mogg. Aaron pointed out that implementing regulations for the U.S.'s Financial Modernization Act aren't expected before May, after President Bill Clinton has also announced plans to propose specific legislation guaranteeing privacy in the financial services sector.
At issue is an EU directive that took effect in October 1998 to ensure the free flow of data across the 15 member states by establishing a high standard of data privacy. This directive also stipulated that data could be sent outside the EU only to those countries that have an adequate level of protection. Failure to fulfill this requirement could theoretically lead to the EU blocking data flows.
Negotiations with the U.S. have been plagued by EU concerns that the largely voluntary systems of data privacy in the U.S. couldn't meet the legislative requirements of the EU Directive. Today's accord means that the EU has agreed with the U.S. claim that safe harbor principles will achieve high levels of protection. Many privacy advocates still argue that the voluntary system is inadequate, and they expect more legal and regulatory privacy protection for Internet data.