Export.gov logo and link to Export.gov Office of Public Affairs
Press Releases
Trade Statistics
Official Bios
Import Decisions

Data Protection Discussions



European Commission Press Briefing Room, Brussels, Belgium
February 22, 2000


We have had something like eight hours of discussion in the last couple of days. I think progress has been good. Those of you who are real aficionados might be able to say I often say "Progress has been good." But in fact that has been true, it has been good throughout these discussions and I think we do and we have made progress at each meeting. But I think that this week I see that the progress we've made is particularly constructive, and I think we are in the finalization stages for the whole complex package that is termed "safe harbor". We are hopefully in the final stages of that.

Even if we were today to have complete understanding with David Aaron - which of course we don't yet have, but if we were to - then we have a number of procedural and decisional routes to go through. First my own Commissioner, Mr. Bolkestein, who is the Commissioner of the Internal Market, will need to consider my recommendation and then put that, if he agrees with that recommendation, to put that matter before the College. If the College of Commissioners agrees - sorry, a little procedural but very important as you would appreciate - if the College agrees then we put the draft decision before the Member States in the Committee that considers these aspects, the so-called Article 31 Committee. The comitology decision of last summer dealing with all issues means that we shall at the same time give the Parliament the chance to scrutinize the arrangements to see how we are using comitology powers, and see that we are using them correctly. Not all of that can and needs to be done by the end of March, which is our publicly expressed ambition in terms of the target date for completing the dialogue. We will, of course, and have been keeping in touch with all the various interested parties, including the Parliament, about the process so that we do not leave people behind in their understanding and their appreciation. This afternoon I shall be having a further contribution to the Parliament.

My Commissioner, I should say, has taken a particular interest in this subject because he recognizes this as being both from a trade angle - which I am happy to say this has never become a trade dispute - from a trade angle and also from a citizens' right angle. I can say that David Aaron met the Commissioner briefly on Monday morning, and Mr. Bolkestein encouraged us to continue our efforts to finalize an arrangement that will bring benefits I am sure, both to the Union and to the U.S.

So cautious language when talking about progress, but I think we have a number of procedural requirements to go through. But another reason for some caution in my comments, is that safe harbor represents a balanced whole and it is not very meaningful to agree on parts of this. We have to look at the whole, the totality, before we can finally make out our own determination with regard to adequacy. But I perhaps feel sufficiently incautious to say that I think we have made something of a breakthrough on enforcement in our talks, that aspect of how we are to be sure that the issues that are of concern in terms of adequacy in the U.S. with regard to the data of EU subjects - how that is actually going to be enforced in the U.S. And I think across the board the whole emphasis of the discussions this morning has been one of finding solutions to the problems and not identifying any new obstacles. So, perhaps, a word or two in conclusion about enforcement, which I identified as being an issue of much concern to us in Europe, perhaps a couple of examples, because obviously I don't want to get into too much details for you sake as much as for mine. The first relates to the accuracy and the reliability of the list that the Department of Commerce will keep showing which of the organizations that are actually members of - party to - the safe harbor, and which will therefore gain from the benefits that the membership brings.

The U.S. has made proposals now which mean that the risk that we saw in the past of an organization being wrongly listed, unjustifiably listed, are now, I think, negligible.

Another important advance that we have seen is about the range of sanctions which dispute resolution bodies in the U.S. can apply when principles are violated. Sanctions are not so much there to be used but rather to anticipate problems by discouraging laxity or discouraging non-compliance. So it is the threat of the sanction, that is why we have laid some importance.

I think we have also identified a number of possible ways forward, again without coming to a final conclusion. And I have put into this category the issues surrounding access, in a way of integrating U.S. privacy laws appropriately into the safe harbor principles.

The discussions are going to continue now, during today and probably part of tomorrow, between respective officials. And looking ahead from the point of view of the Union, we have a couple of meetings of this Committee that I have mentioned earlier - the Article 31 Committee of Member States - arranged in March, and also one meeting of the Working Party of Data Protection Commissioners, Commissioners of the so-called Article 29 Committee - references are to our framework directive Article 29. So we have a lot of intensive consideration and we shall therefore be taking them through our processes, including the Commission processes and in dealings with the Parliament, to try to set in place this arrangement to lead towards an eventual agreement.

We shall not be issuing any new versions of the text. Again, those of you who may have been following this will know that, I think in November. we put a large number of texts on to the internet. Because these texts are changing quite significantly and we want to fix them, now for the final processes, we feel that we are best to keep this shuttling text between us for the time being until we reach and achieve our objective of concluding the dialogue by the end of March. Thank you.


Thank you very much. First of all I would like to concur in that assessment by John. I do believe that we have had a breakthrough on enforcement. In addition to the points that he made, I think it is quite clear that we have reached a great measure of agreement on the remedies that would be available to individuals on the process, the due process they would receive. Also, on the way in which we are going to take the self-regulatory bodies and place them within the context of U.S. law so that they are in fact supervised in effect by the Federal Trade Commission and by the U.S. justice system.

I also agree that we are basically in the final laps of our discussion. We too have steps that we need to take. I need to consult with my authorities in Washington on some of the points that we reached accord on today. We discussed the matter with Secretary Daley who was also taking an intense interest and who gave me a letter to deliver to Commissioner Bolkestein. And also of course, I will have to discuss it with our National Economic Council and we will have a process of public consultation with our industry, with our privacy groups, and so forth.

I want to express my appreciation for having had the opportunity to meet with Commissioner Bolkestein. I assured him and he assured me of our equal determination of both sides to try to conclude this effort by the end of March. We think that is extremely important. You just look at the calendar, and what may or may not happen, if we cannot hit this target that is coming up, it could be a long time before we can sort of get the discussions back on track. We have tried in our efforts, in these discussions today, to respond to each and every question raised by the Member States in their earlier review and discussion of the safe harbor proposals. We cannot do everything that they may have asked for but we have tried to be as responsive as possible on every one of them. As usual, the discussions were extremely constructive. I will be leaving here part of our team to continue to work on the language, for those issues that are unresolved, many of them in fact are trying to come down to capturing our sense of accord in language and this will be worked on over the next several days. Thank you.


Would you say that all the substantive issues have been cleared up now and that you really have just fine tuning to do and can you perhaps go into some more detail about some of the issues that are still on the table and that you are still discussing?


I guess I would say that I think we have really characterized and responded to that point in what we have said already. To give you some examples of the issues that we really need to still work out - and again much of this, but perhaps not all of it, comes down to language - I would mention three. One is to how to properly integrate U.S. national privacy laws into the safe harbor. We have an extensive legislative framework for privacy in the United States. We want that to be part of the safe harbor; I think that the European Union also wants that to be the case. Trying to capture that and integrate that is part of the challenge that we still face.

Secondly is how to limit any exceptions. There are many exceptions as you know in the European Data Directive that, in order to apply this sensibly to areas of competing obligations and so forth - there are problems of public safety and public interest where disclosure is important - we want to also try to keep those exceptions, to limit those as carefully as possible.

And then there is the adequacy decision itself that is to be taken by the Article 31 Committee and there we need to try to capture this carefully. If I am not mistaken, this will be the first adequacy decision, likely to be the first adequacy to be taken by the Article 31 Committee, so everybody is being very careful that the details are precisely right. So, those are some of the issues that we need to complete.


I would just like to support what David just said. Just perhaps a further clarification. In a number of areas where we have refined our understanding between the two sides, we need to see the texts to translate that and I think that that is not to hide the fact that we believe in this agreement but rather to make sure that we have understood it.

Secondly, I think we are very interested as we have made clear in the enforcement issue and we are very keen to make sure that we have fully understood the really quite wide ranging enforcement mechanisms that exists within the United States, for example the FTC, but there are other agencies that also contribute towards the re-enforcement of the self-regulation approach. Perhaps just a slight comment on David's final remarks. We are also in consideration of a number of other countries in terms of the adequacy of their legislation and perhaps, that is not sure yet, but perhaps a couple of them will even pip the U.S. to the post in terms of their achieving the Article 25/6 decision.


Has the spate of recent cyber attacks, if you want to use that term, had any bearing on your discussions as to the frailty of data transmission and security? For Mr. Aaron or anyone who cares to answer...


I think President Clinton commented on that extensively during the cyber summit that was held in Washington last week. But it doesn't bear directly on these discussions, except insofar as we have agreed, and I don't think there is any difference between us, on the importance of maintaining and the obligation of those people who are handling personal data, and their obligation to maintain that in the most secure measure as possible. The particular recent attacks of course were different kinds of... they were not attacks that revealed information, they were attacks that tried to overwhelm web sites by sort of spurious requests. So it is pretty far afield from privacy. But nonetheless, in the general area of internet security, this is an important obligation. To be frank, I think most companies understand how important it is that they do maintain that security.


It's my impression that the discussion with the American side is being surrealistic to some extent because the aim is to protect data, but at the same time we know there are massive violations of our privacy by the Americans, because we know that they intercept our faxes, our mail, and so on. So I am not really sure what this discussion is because I know that Echelon should be applied in the broadest sense to national security considerations. But if that is not going to be the case, then how can we discuss this security and the protection of private data?


I think I would like to answer this in two ways. First, the direct application of the question, and second, the more general comments in relation to U.S. data privacy.

It's quite clear that I am talking about the Framework Directive on Data Privacy that is being introduced. In the Union, it is now in the process of being implemented in member states, some regrettably behind the deadlines. Within that directive there are certain provisions relating to the exemptions from the provisions of the directive. Quite properly for example, there is a concern that in some cases it's necessary, in the public interest, to intrude into the normal rules relating to data privacy. I think quite properly, and that is understood and set out in our legislation. Now with regard to the particular instance, we don't think that this directive is applicable.

With regards to the more general, substantive issue, I think one of the very interesting developments that we had over the past eighteen months or so, is to understand better the way in which self-regulation applies - as though we were not in existence for the time being - applies to American data subjects. I have to admit to a certain surprise that American data subjects are indeed not only protected by self-regulatory but also by quite extensive legislation, sometime not as explicit as ours, sometimes not as horizontal as ours, but nevertheless, which bring to bear a level of enforcement that I think we have gradually understood and gradually appreciated. I say that because I think that this has allowed both to debate that is in the U.S. in relation to data privacy to develop against the background where the Union was talking from its own strong high level of data privacy legislation, was allowed to understand the usefulness of self-regulation. And I would indeed acknowledge that I think in the Union we now in different areas, areas other than privacy, there is quite a surprising increase in the use of self-regulatory arrangements in order to reinforce, to fill in the cracks in legislation as necessary. So the answer to your first question is, we don't see this directive as applying to the particular instance that you are describing because it is specifically carved out as an exemption. With regard to the more general issue, I think that the characterization of U.S. privacy protection and actions is a little harsh.


Just a follow-up. I don't think that you have really answered. I don't think you have given me a real answer. In fact, speaking personally, what would give me a personal assurance that my privacy would be respected by the Americans, that in the context of their national interest and their national security, that my private life is going to be respected? I don't see to what extent I have assurances that I will have protection for my private life. There is a kind of U.K. collusion in this too, I think, and pressure perhaps could be exerted on this one member state...


This is a question where I am not competent nor willing to respond to. In relation to this directive, there are certain exemptions with regard to a number of issues. Public interest is one, security is another. In relation to that and in these circumstances the directive does not impose an obligation of privacy, The directive does not as it exists. Now with regard to the confidence that we have in relation to the way in which the U.S. Administration will apply the arrangements, the whole exercise in which we are currently engaged in is to reassure ourselves in the terms of the relevant article, article 26, is to reassure ourselves that there is indeed an adequacy of protection in the U.S. in respect of your, my data if it goes out of the Union.

And that is what we are seeking to do within the terms of our directive: to decide whether EU data, when it gets into the U.S. scene will be adequately protected. And what we have been seeking to do over these long months is to find a way, since we in Europe have a legislatively-based system, to find a way of reassuring ourselves that it does indeed secure that level of adequacy of protection. And I have mentioned the stages through which we have to go. We have to be sure that the member states agree with that. That the data protection authorities have had views on this and the views from the Parliament. But I can assure you that we have been particularly concerned within the terms of this directive to ensure that there is adequate enforcement of this provision. And that is why I particularly singled that out in my opening remarks.


A question for both gentlemen. You have said that there has been a breakthrough in the enforcement side, and you have sort of just hinted that this means that the FTC and the U.S. justice system would ultimately enforce the rules on the U.S. side. Could you be a little bit more specific in how this would work? What would a European citizen have to do if felt his data has been unjustly manipulated?


Basically like this: first of all, companies have four different ways to fulfill their obligations to enforce the rules of the Safe Harbor.

One, they can have a contract with a data protection authority in Europe, to ensure that any data that comes over is protected properly and subject themselves to their authority.

The second, is that those groups of companies that are in fact regulated by law in the United States, and that ranges through a lot of sensitive information, from financial information to health information and some things that are a little different, including the protection of the privacy of minors.

Third, they can be part of a self-regulatory body, and for a long time, I think that it has been a view in Europe that maybe this self-regulation was some kind of 'fox guarding the chicken coop' situation. What I think we have been able to explain - and partly by inviting members of the Article 31 Committee to come to the United States to meet with our self-regulatory bodies, to meet with the FTC and the Department of Justice, and the Treasury and all those people - is to make clear to them that in the United States, if you are a company and you say that you are going to follow certain privacy rules, join a privacy organization, adopt the Safe Harbor rules and practices, and you don't do that, that's a deceptive business practice. And that is not only wrong, it is a crime. And this can and will be followed up by the Federal Trade Commission. It can and will be followed up by the Attorney General and the Attorney Generals of the various states, which are also keenly interested in privacy. And indeed the FTC has said that if a European has a problem - they go to the company, they don't get satisfaction, they go to the self-regulatory body, they don't get satisfaction - those cases will be taken to the FTC and the FTC will treat them as a matter of priority. We think that is going a long way to make sure that the European data will be sufficiently protected.

And finally, for companies that are not on-line, the European data protection authorities have agreed to establish a panel, so that in case of any enforcement questions or problems that come up, American companies can commit themselves, in joining the Safe Harbor, to abide by the activities and the decisions of this panel of European data privacy officials. So, we have four different ways to make the adherence to these systems effective.


I was just getting ready to provide other more concrete explanations. We can't go into too much detail - these are already very complex issues. But first, I think we are very concerned about the accuracy and transparency of the list that exists, because on that rests the list of companies that are in the Safe Harbor. And we have had a very useful exchange about what the list will conclude, what it will not include, how accurate it will be, how problems will be identified. Secondly, we are very interested in the transparency more generally, the publicity that will be accorded in the event of breaches. I think it is quite clear, one only needs to look at the drop in share price of companies that have in some way violated commitments or undertakings that they have said in the past - I am talking about U.S. companies particularly - veritable collapses and all that. So transparencies are very strong weapons to avoid unnecessary breaches of the sort of privacy that we want. And thirdly, David mentioned extensively the FTC. There are other bodies that are also relevant in enforcement and here we are obtaining information from the U.S. authority with regard to their powers - statutory powers, real enforcement powers - to make sure that we have a complete indication of what their powers are and how they can apply them in cases of difficulty. These are some, of quite a lot of other things, where the aspect of enforcement has been successful.


One more very quick question.


This is a question for either one of you. If you could just clarify, if there is any agreement on implementation. There seems to be some discussion about the timing. The EU law has been on the books since 1998. The U.S., it seems like, would like a little bit of delay. The EU on the other hand would like to see this wrapped up rather quickly because you have already waited two years. Can you tell us about that?


We are looking at this with some interest at the present time. I think the concerns clearly that we wanted the U.S. companies have sufficient time to see the final arrangement because otherwise they wouldn't know what they might be signing up to. U.S. companies are very interested in looking at alternative methods. David outlined a number of these in terms of the contractual solutions. So we recognize that there may be a need for some time. Whether we would define it precisely or whether we would look in a different way, I think that is an open question at the present time. But we have certainly discussed it and I think that won't remain an obstacle at the end of the day, at least as far as this bit of the Commission is concerned.


I might just add that there is no less sense of urgency on the side of the United States than on the side of Europe. Indeed, in some respects, we may even have a keener sense of urgency because our companies, now that Y2K has passed, our companies are turning their attention to privacy which is an important issue in the United States as it is in Europe. And they are starting to make investments in software and hardware and structures to implement privacy policies that are important to their business and their business reputations. They need our advice, now, because if we don't give them guidance, as to how they should do this, they are going to have to make decisions anyway. And my concern, I think everyone's concern is, we need to be able to give them timely guidance, or we may end up with situations that are much more difficult to reconcile. So this is the time to give that guidance to U.S. industry and we hope it will be effective.


Thank you very much.



Contact Us  |  About ITA  |  Site Map |  Privacy Statement  Disclaimer
U.S.Department of Commerce  |  International Trade Administration