EU Cites U.S. Data Transfer Pact Progress Amid Privacy Regulation Reform Negotiations

By Stephen Gardner  

June 6 — The European Union and the U.S. are close to an agreement on the trans-Atlantic transfer of data for law enforcement purposes, and on a strengthening of the EU-U.S. Safe Harbor Framework for data transfers by companies, European Commission Vice-President and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding said June 6.

On trans-Atlantic transfers for law enforcement, “95 percent of what could be agreed has been agreed,” Reding told reporters after meeting in Luxembourg of justice ministers from the 28 EU member states.

Negotiations to strengthen the U.S.-EU Safe Harbor Program, which allows companies to transfer personal data outside the European Economic Area if they self-certify their compliance with privacy principles similar to those found in the 1995 Data Protection Directive (95/46/EC), are being held up by a difference of views on the extent to which national security justifications can be used to access the data of EU citizens, she said.

The meeting of justice ministers from the 28 EU member states was called to discuss the draft data protection regulation proposed in January 2012 to replace the Data Protection Directive.

The European Parliament adopted its position on the draft regulation in March.

Reding said that the ministerial meeting showed that EU member state representatives had “clearly moved from dormant to dynamic negotiations” over agreeing on the proposed regulation and that “it looks as if the data protection reform will be ready at the end of this year.”

But there was disagreement among delegations regarding certain international data transfer rules and the move to establish a system under which data protection complaints about a company would be handled by the data protection authority in the member state where a company has its EU headquarters.

Following up on the May 13 EU Court of Justice ruling that EU data subjects have the right to request deletion of certain Internet search results even if the search engine is located outside of the EU, Reding said that “data protection law will apply to non-European companies if they do business on our territory.”

Umbrella Law Enforcement Agreement

The EU and U.S. started negotiations on an umbrella agreement to govern data exchange for law enforcement purposes in 2011, but talks only picked up momentum after the disclosures by former U.S. National Security Agency contractor Edward Snowden about mass surveillance programs operated by the U.S. and other governments.

In March, EU officials predicted that an agreement would be concluded by the summer.

Reding said June 6 that an EU demand for a right of redress in U.S. courts for EU citizens regarding the use of their personal data hasn't been accepted by U.S. negotiators.

“Data protection law will apply to non-European companies if they do business on our territory.”

Viviane Reding, European Commission Vice-President and Commissioner for Justice, Fundamental Rights and Citizenship

She added that “that is basic; you cannot make an agreement if you do not have judicial redress.”

Reding's spokeswoman Mina Andreeva told Bloomberg BNA June 6 that the commission was asking for an amendment enabling court access in the U.S. for EU citizens to be added to U.S. legislation under consideration in Congress designed to strengthen oversight of NSA surveillance activities.

Reding said that “the Snowden revelations were a real wake-up call” and showed the need for the EU to “secure our companies and our citizens from undue snooping.”

EU and U.S. officials are scheduled to meet June 25 in Athens for further discussions on the umbrella agreement.

Safe Harbor Revision

Reding said that the U.S. Department of Commerce, which administers the Safe Harbor Program in the U.S., had agreed to 12 of 13 requirements for the continuation of Safe Harbor that the commission published in November 2013.

These cover transparency, redress, enforcement and access by the U.S. authorities to data transferred under the program, she said.

The point to which U.S. authorities didn't agree is an exception that would allow U.S. national security bodies to access data covered by Safe Harbor only if access was strictly necessary and proportionate, Reding said.

The EU has “a problem of definition here. We want to make it clear that an exception is exceptional, she said. An exception shouldn't allow U.S. officials to vacuum up data, Reding said.

Andreeva said that the Commerce Department had agreed to the redress requirements put forward by the commission for Safe Harbor. But the redress at play in that context relates to redress through alternative dispute mechanisms, rather than access to courts, she noted.

The U.S. has agreed to give EU citizens free access to alternative dispute mechanisms under Safe Harbor, Andreeva said.

Data Protection Reform

The justice ministers reached a limited agreement that international transfers out of the EU might be permitted either to foreign jurisdictions judged to have an adequate framework for protection of the personal data of EU citizens, or under the use of alternative safeguards, such as transfers under the U.S.-EU Safe Harbor Program or pursuant to binding corporate rules for a company approved by the EU.

Ministers also provisionally agreed to a list of exceptions under which transfers would also be allowed, including “for important reasons of public interest.”

But despite Reding's comments that negotiations on the draft regulation were moving forward, several EU member state delegations—including those from Austria, France, Poland and the U.K.—expressed reservations during the justice ministers' meeting about the draft rules on data transfers and said that they wouldn't finally agree to the provisions without further discussions.

Greek Justice Minister Charalambos Athanasiou, who chaired the meeting, said at the meeting that “we do not rule out further changes” to rules on data transfers. Greece presently holds the rotating presidency of the EU Council, which represents the governments of EU member states.

One-Stop Shop Stalemate

The ministers' discussions also showed that little progress has been made to overcome a stalemate over the “one-stop shop” system for cross-border data disputes included in the proposed data protection regulation.

Under the one-stop shop approach, a complaint against a company would be handled by the data protection authority in the country in which the company has its “main establishment,” which might not be the same country in which the processing took place, or in which the data subject resides.

Discussions on the “collapsed” at a meeting of justice ministers in December 2013.

Danish Justice Minister Karen Hækkerup said during the justice ministers meeting that “we would have a problem with our constitution” if foreign DPAs could issue decisions with binding effects on companies in Denmark.

Other country representatives, including those from Belgium, Croatia, France and Hungary, said that in cross-border disputes, the European Data Protection Board, which would be established under the proposed regulation, should be given the power to adjudicate and issue binding decisions.

But Irish Justice Minister Frances Fitzgerald said “we do remain opposed to giving the board legal personality and the power to make binding decisions.”

Athanasiou said of the one-stop shop that “we are obviously not at a stage where an agreement can be envisaged on this very difficult and sensitive issue.”

Greece's presidency of the EU Council finishes June 30, when Italy will take over.

Reding said that differences between ministers on the one-stop shop were narrowing and that the Italian EU presidency “can finish this discussion in a positive way.”

With assistance from Aoife White in Brussels

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

A document outlining the conclusions of the June 6 EU justice ministers' meeting is available at http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/143119.pdf.