Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
June 6 — The European Union and the U.S. are close to an agreement on the trans-Atlantic transfer of data for law enforcement purposes, and on a strengthening of the EU-U.S. Safe Harbor Framework for data transfers by companies, European Commission Vice-President and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding said June 6.
On trans-Atlantic transfers for law enforcement, “95 percent of what could be agreed has been agreed,” Reding told reporters after meeting in Luxembourg of justice ministers from the 28 EU member states.
Negotiations to strengthen the U.S.-EU Safe Harbor Program, which allows companies to transfer personal data outside the European Economic Area if they self-certify their compliance with privacy principles similar to those found in the 1995 Data Protection Directive (95/46/EC), are being held up by a difference of views on the extent to which national security justifications can be used to access the data of EU citizens, she said.
The meeting of justice ministers from the 28 EU member states was called to discuss the draft data protection regulation proposed in January 2012 to replace the Data Protection Directive.
The European Parliament adopted its position on the draft regulation in March.
Reding said that the ministerial meeting showed that EU member state representatives had “clearly moved from dormant to dynamic negotiations” over agreeing on the proposed regulation and that “it looks as if the data protection reform will be ready at the end of this year.”
But there was disagreement among delegations regarding certain international data transfer rules and the move to establish a system under which data protection complaints about a company would be handled by the data protection authority in the member state where a company has its EU headquarters.
Following up on the May 13 EU Court of Justice ruling that EU data subjects have the right to request deletion of certain Internet search results even if the search engine is located outside of the EU, Reding said that “data protection law will apply to non-European companies if they do business on our territory.”
The EU and U.S. started negotiations on an umbrella agreement to govern data exchange for law enforcement purposes in 2011, but talks only picked up momentum after the disclosures by former U.S. National Security Agency contractor Edward Snowden about mass surveillance programs operated by the U.S. and other governments.
In March, EU officials predicted that an agreement would be concluded by the summer.
Reding said June 6 that an EU demand for a right of redress in U.S. courts for EU citizens regarding the use of their personal data hasn't been accepted by U.S. negotiators.
“Data protection law will apply to non-European companies if they do business on our territory.”Viviane Reding, European Commission Vice-President and Commissioner for Justice, Fundamental Rights and Citizenship
She added that “that is basic; you cannot make an agreement if you do not have judicial redress.”
Reding's spokeswoman Mina Andreeva told Bloomberg BNA June 6 that the commission was asking for an amendment enabling court access in the U.S. for EU citizens to be added to U.S. legislation under consideration in Congress designed to strengthen oversight of NSA surveillance activities.
Reding said that “the Snowden revelations were a real wake-up call” and showed the need for the EU to “secure our companies and our citizens from undue snooping.”
EU and U.S. officials are scheduled to meet June 25 in Athens for further discussions on the umbrella agreement.
Reding said that the U.S. Department of Commerce, which administers the Safe Harbor Program in the U.S., had agreed to 12 of 13 requirements for the continuation of Safe Harbor that the commission published in November 2013.
These cover transparency, redress, enforcement and access by the U.S. authorities to data transferred under the program, she said.
The point to which U.S. authorities didn't agree is an exception that would allow U.S. national security bodies to access data covered by Safe Harbor only if access was strictly necessary and proportionate, Reding said.
The EU has “a problem of definition here. We want to make it clear that an exception is exceptional, she said. An exception shouldn't allow U.S. officials to vacuum up data, Reding said.
Andreeva said that the Commerce Department had agreed to the redress requirements put forward by the commission for Safe Harbor. But the redress at play in that context relates to redress through alternative dispute mechanisms, rather than access to courts, she noted.
The U.S. has agreed to give EU citizens free access to alternative dispute mechanisms under Safe Harbor, Andreeva said.
The justice ministers reached a limited agreement that international transfers out of the EU might be permitted either to foreign jurisdictions judged to have an adequate framework for protection of the personal data of EU citizens, or under the use of alternative safeguards, such as transfers under the U.S.-EU Safe Harbor Program or pursuant to binding corporate rules for a company approved by the EU.
Ministers also provisionally agreed to a list of exceptions under which transfers would also be allowed, including “for important reasons of public interest.”
But despite Reding's comments that negotiations on the draft regulation were moving forward, several EU member state delegations—including those from Austria, France, Poland and the U.K.—expressed reservations during the justice ministers' meeting about the draft rules on data transfers and said that they wouldn't finally agree to the provisions without further discussions.
Greek Justice Minister Charalambos Athanasiou, who chaired the meeting, said at the meeting that “we do not rule out further changes” to rules on data transfers. Greece presently holds the rotating presidency of the EU Council, which represents the governments of EU member states.
The ministers' discussions also showed that little progress has been made to overcome a stalemate over the “one-stop shop” system for cross-border data disputes included in the proposed data protection regulation.
Under the one-stop shop approach, a complaint against a company would be handled by the data protection authority in the country in which the company has its “main establishment,” which might not be the same country in which the processing took place, or in which the data subject resides.
Discussions on the “collapsed” at a meeting of justice ministers in December 2013.
Danish Justice Minister Karen Hækkerup said during the justice ministers meeting that “we would have a problem with our constitution” if foreign DPAs could issue decisions with binding effects on companies in Denmark.
Other country representatives, including those from Belgium, Croatia, France and Hungary, said that in cross-border disputes, the European Data Protection Board, which would be established under the proposed regulation, should be given the power to adjudicate and issue binding decisions.
But Irish Justice Minister Frances Fitzgerald said “we do remain opposed to giving the board legal personality and the power to make binding decisions.”
Athanasiou said of the one-stop shop that “we are obviously not at a stage where an agreement can be envisaged on this very difficult and sensitive issue.”
Greece's presidency of the EU Council finishes June 30, when Italy will take over.
Reding said that differences between ministers on the one-stop shop were narrowing and that the Italian EU presidency “can finish this discussion in a positive way.”
With assistance from Aoife White in Brussels
To contact the reporter on this story: Stephen Gardner in Brussels at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org
A document outlining the conclusions of the June 6 EU justice ministers' meeting is available at http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/143119.pdf.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)