 | |
| |
TechnologyDaily Mobile
EU, U.S. Deal On Privacy Not A Done Deal
After months of tense transatlantic negotiations, U.S. officials could reach an online privacy agreement Wednesday with a skeptical European Union — only to watch it disintegrate as U.S. companies refuse to sign on to the deal.
Despite all the work that's been put into developing an agreement, American companies that move data between Europe and the United States are not bound by any deal reached between U.S. and EU officials over how to comply with the Union's strict privacy directive. The directive, which went into effect in October, goes far beyond the U.S. approach to privacy by requiring that personal data from EU member states be blocked to third countries without adequate privacy protections.
Given that the United States relies on a mix of industry self-policing and minimal regulation, some U.S. organizations were unsure whether they would be in compliance with the directive.
As a result, Commerce Department Undersecretary for International Trade David Aaron has been holding talks since last year with the European Union on a set of privacy principles that would provide companies that abide by them with a "safe harbor" from the directive.
Aaron will be holding what could be the last round of face-to-face talks with his EU counterpart, John Mogg, this week in Washington. Aaron and Mogg, the European Commission's director general for the single market and financial services, have said they want to have a deal in hand in time for the EU/U.S. summit June 21.
But while U.S. companies have been supportive of the process, it is still unclear whether they will ultimately embrace a safe harbor deal.
"Generally speaking, no deal is better than a bad deal," said one U.S. high-tech industry source who spoke on condition of anonymity.
If There Is A Deal, Then What?
EU and U.S. industry officials say the directive provides them with other options for compliance. Chief among those other options is providing "adequate" privacy protections via contracts between data exporters and importers that would be approved by EU member state data commissioners.
"Companies like IBM that have done business in Europe for many years have worked under data protection laws and we have figured out ways to comply," said Harriet Pearson, IBM's director of public affairs and chairwoman of the outreach committee for the Online Privacy Alliance, an industry coalition that has developed privacy guidelines aimed at staving off regulation. "The challenge you have now is that with the world being much more networked... [data flows] now are much more decentralized."
Industry also could gain the consent of individuals before sending data about them outside Europe. Another option, though generally opposed by industry and not favored at this point by the Clinton Administration, would be for the United States to enact privacy legislation that provides the assurances the EU is seeking.
"It is a possibility" to find other ways to comply, said Gerard de Graaf, first secretary for trade with the European Commission's Washington delegation. Some fear "it will be costly, particularly for small companies."
Industry officials and others say those most likely to benefit from a safe harbor are small and medium-sized companies that do not have the resources to comply with the directive on their own.
There are others who say despite the alternative options, industry officials will find that the benefits of the safe harbor outweigh the potential costs.
"Industry has supported and will support [the safe harbor initiative] because they have no alternative," said Sheila O'Neill, the Information Technology Association of America's vice president of global affairs.
In announcing the most recent draft privacy principles released April 19 by the Commerce Department, Aaron cited several benefits from the safe harbor. They include an assurance that all 15 EU states will abide by a finding that companies that participate in the safe harbor will be considered to have "adequate" privacy protections.
De Graaf added that companies in the safe harbor "will have the presumption that data flows will continue." He said for those companies that choose not to abide by the safe harbor, "there's almost a presumption of non-compliance."
But he added that there are benefits for the European Union as well. De Graaf said having to police U.S. companies would require a certain amount of "micromanagement" that would place additional burdens and costs on EU member states. At the same time, he said U.S. citizens might see some benefit if the directive leads to additional protections in the United States.
De Graaf and others say these benefits, as well as the uncertainty and potential trade implications caused by a failure to come to an agreement is putting pressure on both sides to reach an acceptable compromise.
"We need each other," said Jerry Cerasale, senior vice president for the Direct Marketing Association. "That kind of pressure will force us down to some compromise that's workable."
Existing Problems
Yet, even Cerasale would not say for sure whether he thinks the two sides will ultimately come together.
EU member state officials said the most recent draft needed improvement, pointing in particular to access and enforcement as those provisions that should be strengthened.
These are the same areas of concern cited by industry officials, though they say the access and enforcement language in the draft safe harbor principles goes too far. The provision requiring U.S. companies to provide EU citizens with access to information held about them appears to be the more significant issue at this point.
Some industry officials are concerned that European officials are seeking unreasonable access to information. They would like some reasonability standard imposed. But the two sides have been split over how to define "reasonable."
John Kamp, senior vice president in the Washington office of the American Association of Advertising Agencies, argues that it appears the Europeans want "unbridled subpoena power to proprietary information."
But privacy advocates say the access language proposed in the draft privacy principles, which the EU has disagreed with, still leaves too much up to the discretion of companies.
There are additional outstanding issues. For example, it is still unclear how heavily regulated industries such as banks can comply with the safe harbor. These industries argue that they are already subject to considerable regulatory oversight and that the nature of their business requires them to be sensitive with personal data. As a result, they have pushed for automatic coverage from the safe harbor.
EU officials have so far balked at this request, saying that they would consider it if these heavily regulated companies can point to specific provisions in their regulations that correspond with the privacy principles.
In addition to the cost and burden of complying with the safe harbor, there are other implications for industry in agreeing to a deal — the potential that it may impact the domestic debate over online privacy.
"Avoiding a trade war with Europe is a good idea. Having a way to facilitate [data] transfers is a good idea," said Martin Abrams, vice president of information policy and privacy for Experian, one of the three major credit reporting companies. "Where the issues become more difficult is what exactly does it say and what are the consequences not just internationally but domestically."
Aaron has insisted that the safe harbor principles should not be viewed as a potential model for U.S. legislation or regulation. But even industry officials concede that it is likely to have some impact on the domestic debate.
It is an argument that privacy advocates have attempted to use in their push for stronger domestic privacy protections.
"It becomes I think a very embarrassing position for American companies to say we will agree to strong protections for Europeans but we won't do it for Americans," said Fordham University Law Professor Joel Reidenberg.
—by Juliana Gruenwald
NEW FEATURE
-Advertisement-
