European privacy deadline nears
The EU will not disrupt the flow of data between Europe and the United States, even though strict new privacy protections took effect in Europe yesterday.
The new European Union privacy directive prohibits sending personal data to nations whose privacy protections aren't as vigorous as in the 15-country bloc, but Commerce undersecretary David Aaron said today that the Europeans have agreed to open formal negotiations on how U.S. firms can comply with it.
U.S. diplomats have been discussing the issue with the European Commission for six months, in talks described as discussions rather than as negotiations.
"We believe we can reach a resolution, and we think it is imperative that we do so promptly," Aaron said, naming December 15 as a target to close the matter.
"The U.S. premise is that the United States has effective privacy protection but that the approach here is different than in Europe," he said. "We will seek an arrangement that provides a workable framework on both sides of Atlantic, where data will be secured and disruption of transatlantic data flows will be avoided."
The EU's privacy directive, if enforced, could prevent database marketing firms, Web sites, U.S. firms with European employees, and credit card companies from sending personal data back to the United States. That's because the privacy directive bars export of data to nations whose protection of personal data is not certified to be as strong as Europe's.
The issue remains a sticking point despite earlier hints from the White House that the problem would be settled by now.
Months of discussions have led U.S. officials to hope that the private sector-led approach favored by the Clinton administration can be reconciled with strict privacy laws in many European nations.
The United States is proposing a concept dubbed "safe harbor:" In the absence of U.S. privacy legislation, American firms could voluntarily adhere to a set of privacy practices such as those from TRUSTe, the business-backed U.S. privacy group pushing voluntary privacy guidelines on the Internet. The U.S. and the European Union will negotiate as to the content of privacy guidelines that would be considered acceptable protections to allow U.S. firms to send personal data on individuals from Europe to the United States.
"If companies did that, privacy protections would be considered 'adequate,' and there would be a presumption that data would be able to flow," the U.S. official said.
TRUSTe executive director Susan Scott has spoken favorably in recent weeks about the safe harbor concept, and she outlined the idea to the Europeans earlier this year.
But privacy law advocate Marc Rotenberg, executive director of the Electronic Privacy Information Center, isn't sure the safe harbor concept will fly.
"The U.S. had been saying there was going to be some big agreement, but there isn't one," said Rotenberg, who favors strong U.S. privacy laws. "So there is still a question as to whether U.S. firms will be blocked by the EU directive."