- EU JOINT PRESS BRIEFING:
Data Protection Discussions
DAVID L. AARON, U.S. UNDER SECRETARY OF COMMERCE
FOR INTERNATIONAL TRADE
JOHN MOGG, EUROPEAN COMMISSION DIRECTOR GENERAL
FOR THE INTERNAL MARKET
Commission Press Briefing Room, Brussels, Belgium
February 22, 2000
We have had
something like eight hours of discussion in the last couple of days.
I think progress has been good. Those of you who are real aficionados
might be able to say I often say "Progress has been good." But in
fact that has been true, it has been good throughout these discussions
and I think we do and we have made progress at each meeting. But
I think that this week I see that the progress we've made is particularly
constructive, and I think we are in the finalization stages for
the whole complex package that is termed "safe harbor". We are hopefully
in the final stages of that.
Even if we
were today to have complete understanding with David Aaron - which
of course we don't yet have, but if we were to - then we have a
number of procedural and decisional routes to go through. First
my own Commissioner, Mr. Bolkestein, who is the Commissioner of
the Internal Market, will need to consider my recommendation and
then put that, if he agrees with that recommendation, to put that
matter before the College. If the College of Commissioners agrees
- sorry, a little procedural but very important as you would appreciate
- if the College agrees then we put the draft decision before the
Member States in the Committee that considers these aspects, the
so-called Article 31 Committee. The comitology decision of last
summer dealing with all issues means that we shall at the same time
give the Parliament the chance to scrutinize the arrangements to
see how we are using comitology powers, and see that we are using
them correctly. Not all of that can and needs to be done by the
end of March, which is our publicly expressed ambition in terms
of the target date for completing the dialogue. We will, of course,
and have been keeping in touch with all the various interested parties,
including the Parliament, about the process so that we do not leave
people behind in their understanding and their appreciation. This
afternoon I shall be having a further contribution to the Parliament.
I should say, has taken a particular interest in this subject because
he recognizes this as being both from a trade angle - which I am
happy to say this has never become a trade dispute - from a trade
angle and also from a citizens' right angle. I can say that David
Aaron met the Commissioner briefly on Monday morning, and Mr. Bolkestein
encouraged us to continue our efforts to finalize an arrangement
that will bring benefits I am sure, both to the Union and to the
language when talking about progress, but I think we have a number
of procedural requirements to go through. But another reason for
some caution in my comments, is that safe harbor represents a balanced
whole and it is not very meaningful to agree on parts of this. We
have to look at the whole, the totality, before we can finally make
out our own determination with regard to adequacy. But I perhaps
feel sufficiently incautious to say that I think we have made something
of a breakthrough on enforcement in our talks, that aspect of how
we are to be sure that the issues that are of concern in terms of
adequacy in the U.S. with regard to the data of EU subjects - how
that is actually going to be enforced in the U.S. And I think across
the board the whole emphasis of the discussions this morning has
been one of finding solutions to the problems and not identifying
any new obstacles. So, perhaps, a word or two in conclusion about
enforcement, which I identified as being an issue of much concern
to us in Europe, perhaps a couple of examples, because obviously
I don't want to get into too much detail for your sake as much as
for mine. The first relates to the accuracy and the reliability
of the list that the Department of Commerce will keep showing which
of the organizations that are actually members of - party to - the
safe harbor, and which will therefore gain from the benefits that
the membership brings.
The U.S. has
made proposals now which mean that the risk that we saw in the past
of an organization being wrongly listed, unjustifiably listed, are
now, I think, negligible.
advance that we have seen is about the range of sanctions which
dispute resolution bodies in the U.S. can apply when principles
are violated. Sanctions are not so much there to be used but rather
to anticipate problems by discouraging laxity or discouraging non-compliance.
So it is the threat of the sanction, that is why we have laid some
I think we
have also identified a number of possible ways forward, again without
coming to a final conclusion. And I have put into this category
the issues surrounding access, in a way of integrating U.S. privacy
laws appropriately into the safe harbor principles.
are going to continue now, during today and probably part of tomorrow,
between respective officials. And looking ahead from the point of
view of the Union, we have a couple of meetings of this Committee
that I have mentioned earlier - the Article 31 Committee of Member
States - arranged in March, and also one meeting of the Working
Party of Data Protection Commissioners, Commissioners of the so-called
Article 29 Committee - references are to our framework directive
Article 29. So we have a lot of intensive consideration and we shall
therefore be taking them through our processes, including the Commission
processes and in dealings with the Parliament, to try to set in
place this arrangement to lead towards an eventual agreement.
We shall not
be issuing any new versions of the text. Again, those of you who
may have been following this will know that, I think in November,
we put a large number of texts on to the internet. Because these
texts are changing quite significantly and we want to fix them,
now for the final processes, we feel that we are best to keep this
shuttling text between us for the time being until we reach and
achieve our objective of concluding the dialogue by the end of March.
Thank you very
much. First of all I would like to concur in that assessment by
John. I do believe that we have had a breakthrough on enforcement.
In addition to the points that he made, I think it is quite clear
that we have reached a great measure of agreement on the remedies
that would be available to individuals on the process, the due process
they would receive. Also, on the way in which we are going to take
the self-regulatory bodies and place them within the context of
U.S. law so that they are in fact supervised in effect by the Federal
Trade Commission and by the U.S. justice system.
I also agree
that we are basically in the final laps of our discussion. We too
have steps that we need to take. I need to consult with my authorities
in Washington on some of the points that we reached accord on today.
We discussed the matter with Secretary Daley who was also taking
an intense interest and who gave me a letter to deliver to Commissioner
Bolkestein. And also of course, I will have to discuss it with our
National Economic Council and we will have a process of public consultation
with our industry, with our privacy groups, and so forth.
I want to express
my appreciation for having had the opportunity to meet with Commissioner
Bolkestein. I assured him and he assured me of our equal determination
of both sides to try to conclude this effort by the end of March.
We think that is extremely important. You just look at the calendar,
and what may or may not happen, if we cannot hit this target that
is coming up, it could be a long time before we can sort of get
the discussions back on track. We have tried in our efforts, in
these discussions today, to respond to each and every question raised
by the Member States in their earlier review and discussion of the
safe harbor proposals. We cannot do everything that they may have
asked for but we have tried to be as responsive as possible on every
one of them. As usual, the discussions were extremely constructive.
I will be leaving here part of our team to continue to work on the
language, for those issues that are unresolved, many of them in
fact are trying to come down to capturing our sense of accord in
language and this will be worked on over the next several days.
Would you say
that all the substantive issues have been cleared up now and that
you really have just fine tuning to do and can you perhaps go into
some more detail about some of the issues that are still on the
table and that you are still discussing?
I guess I would
say that I think we have really characterized and responded to that
point in what we have said already. To give you some examples of
the issues that we really need to still work out - and again much
of this, but perhaps not all of it, comes down to language - I would
mention three. One is to how to properly integrate U.S. national
privacy laws into the safe harbor. We have an extensive legislative
framework for privacy in the United States. We want that to be part
of the safe harbor; I think that the European Union also wants that
to be the case. Trying to capture that and integrate that is part
of the challenge that we still face.
how to limit any exceptions. There are many exceptions as you know
in the European Data Directive that, in order to apply this sensibly
to areas of competing obligations and so forth - there are problems
of public safety and public interest where disclosure is important
- we want to also try to keep those exceptions, to limit those as
carefully as possible.
And then there
is the adequacy decision itself that is to be taken by the Article
31 Committee and there we need to try to capture this carefully.
If I am not mistaken, this will be the first adequacy decision,
likely to be the first adequacy to be taken by the Article 31 Committee,
so everybody is being very careful that the details are precisely
right. So, those are some of the issues that we need to complete.
I would just
like to support what David just said. Just perhaps a further clarification.
In a number of areas where we have refined our understanding between
the two sides, we need to see the texts to translate that and I
think that that is not to hide the fact that we believe in this
agreement but rather to make sure that we have understood it.
think we are very interested as we have made clear in the enforcement
issue and we are very keen to make sure that we have fully understood
the really quite wide ranging enforcement mechanisms that exist
within the United States, for example the FTC, but there are other
agencies that also contribute towards the re-enforcement of the
self-regulation approach. Perhaps just a slight comment on David's
final remarks. We are also in consideration of a number of other
countries in terms of the adequacy of their legislation and perhaps,
that is not sure yet, but perhaps a couple of them will even pip
the U.S. to the post in terms of their achieving the Article 25/6
Has the spate
of recent cyber attacks, if you want to use that term, had any bearing
on your discussions as to the frailty of data transmission and security?
For Mr. Aaron or anyone who cares to answer...
I think President
Clinton commented on that extensively during the cyber summit that
was held in Washington last week. But it doesn't bear directly on
these discussions, except insofar as we have agreed, and I don't
think there is any difference between us, on the importance of maintaining
and the obligation of those people who are handling personal data,
and their obligation to maintain that in the most secure measure
as possible. The particular recent attacks of course were different
kinds of... they were not attacks that revealed information, they
were attacks that tried to overwhelm web sites by sort of spurious
requests. So it is pretty far afield from privacy. But nonetheless,
in the general area of internet security, this is an important obligation.
To be frank, I think most companies understand how important it
is that they do maintain that security.
It's my impression
that the discussion with the American side is being surrealistic
to some extent because the aim is to protect data, but at the same
time we know there are massive violations of our privacy by the
Americans, because we know that they intercept our faxes, our mail,
and so on. So I am not really sure what this discussion is because
I know that Echelon should be applied in the broadest sense to national
security considerations. But if that is not going to be the case,
then how can we discuss this security and the protection of private
I think I would
like to answer this in two ways. First, the direct application of
the question, and second, the more general comments in relation
to U.S. data privacy.
clear that I am talking about the Framework Directive on Data Privacy
that is being introduced. In the Union, it is now in the process
of being implemented in member states, some regrettably behind the
deadlines. Within that directive there are certain provisions relating
to the exemptions from the provisions of the directive. Quite properly
for example, there is a concern that in some cases it's necessary,
in the public interest, to intrude into the normal rules relating
to data privacy. I think quite properly, and that is understood
and set out in our legislation. Now with regard to the particular
instance, we don't think that this directive is applicable.
to the more general, substantive issue, I think one of the very
interesting developments that we had over the past eighteen months
or so, is to understand better the way in which self-regulation
applies - as though we were not in existence for the time being
- applies to American data subjects. I have to admit to a certain
surprise that American data subjects are indeed not only protected
by self-regulatory but also by quite extensive legislation, sometimes
not as explicit as ours, sometimes not as horizontal as ours, but
nevertheless, which bring to bear a level of enforcement that I
think we have gradually understood and gradually appreciated. I
say that because I think that this has allowed both to debate that
is in the U.S. in relation to data privacy to develop against the
background where the Union was talking from its own strong high
level of data privacy legislation, was allowed to understand the
usefulness of self-regulation. And I would indeed acknowledge that
I think in the Union we now in different areas, areas other than
privacy, there is quite a surprising increase in the use of self-regulatory
arrangements in order to reinforce, to fill in the cracks in legislation
as necessary. So the answer to your first question is, we don't
see this directive as applying to the particular instance that you
are describing because it is specifically carved out as an exemption.
With regard to the more general issue, I think that the characterization
of U.S. privacy protection and actions is a little harsh.
Just a follow-up.
I don't think that you have really answered. I don't think you have
given me a real answer. In fact, speaking personally, what would
give me a personal assurance that my privacy would be respected
by the Americans, that in the context of their national interest
and their national security, that my private life is going to be
respected? I don't see to what extent I have assurances that I will
have protection for my private life. There is a kind of U.K. collusion
in this too, I think, and pressure perhaps could be exerted on this
one member state...
This is a question
where I am not competent nor willing to respond to. In relation
to this directive, there are certain exemptions with regard to a
number of issues. Public interest is one, security is another. In
relation to that and in these circumstances the directive does not
impose an obligation of privacy. The directive does not as it exists.
Now with regard to the confidence that we have in relation to the
way in which the U.S. Administration will apply the arrangements,
the whole exercise in which we are currently engaged in is to reassure
ourselves in the terms of the relevant article, article 26, is to
reassure ourselves that there is indeed an adequacy of protection
in the U.S. in respect of your, my data if it goes out of the Union.
And that is
what we are seeking to do within the terms of our directive: to
decide whether EU data, when it gets into the U.S. scene will be
adequately protected. And what we have been seeking to do over these
long months is to find a way, since we in Europe have a legislatively-based
system, to find a way of reassuring ourselves that it does indeed
secure that level of adequacy of protection. And I have mentioned
the stages through which we have to go. We have to be sure that
the member states agree with that. That the data protection authorities
have had views on this and the views from the Parliament. But I
can assure you that we have been particularly concerned within the
terms of this directive to ensure that there is adequate enforcement
of this provision. And that is why I particularly singled that out
in my opening remarks.
for both gentlemen. You have said that there has been a breakthrough
in the enforcement side, and you have sort of just hinted that this
means that the FTC and the U.S. justice system would ultimately
enforce the rules on the U.S. side. Could you be a little bit more
specific in how this would work? What would a European citizen have
to do if he felt his data has been unjustly manipulated?
this: first of all, companies have four different ways to fulfill
their obligations to enforce the rules of the Safe Harbor.
One, they can
have a contract with a data protection authority in Europe, to ensure
that any data that comes over is protected properly and subject
themselves to their authority.
is that those groups of companies that are in fact regulated by
law in the United States, and that ranges through a lot of sensitive
information, from financial information to health information and
some things that are a little different, including the protection
of the privacy of minors.
can be part of a self-regulatory body, and for a long time, I think
that it has been a view in Europe that maybe this self-regulation
was some kind of 'fox guarding the chicken coop' situation. What
I think we have been able to explain - and partly by inviting members
of the Article 31 Committee to come to the United States to meet
with our self-regulatory bodies, to meet with the FTC and the Department
of Justice, and the Treasury and all those people - is to make clear
to them that in the United States, if you are a company and you
say that you are going to follow certain privacy rules, join a privacy
organization, adopt the Safe Harbor rules and practices, and you
don't do that, that's a deceptive business practice. And that is
not only wrong, it is a crime. And this can and will be followed
up by the Federal Trade Commission. It can and will be followed
up by the Attorney General and the Attorney Generals of the various
states, which are also keenly interested in privacy. And indeed
the FTC has said that if a European has a problem - they go to the
company, they don't get satisfaction, they go to the self-regulatory
body, they don't get satisfaction - those cases will be taken to
the FTC and the FTC will treat them as a matter of priority. We
think that is going a long way to make sure that the European data
will be sufficiently protected.
for companies that are not on-line, the European data protection
authorities have agreed to establish a panel, so that in case of
any enforcement questions or problems that come up, American companies
can commit themselves, in joining the Safe Harbor, to abide by the
activities and the decisions of this panel of European data privacy
officials. So, we have four different ways to make the adherence
to these systems effective.
I was just
getting ready to provide other more concrete explanations. We can't
go into too much detail - these are already very complex issues.
But first, I think we are very concerned about the accuracy and
transparency of the list that exists, because on that rests the
list of companies that are in the Safe Harbor. And we have had a
very useful exchange about what the list will include, what it
will not include, how accurate it will be, how problems will be
identified. Secondly, we are very interested in the transparency
more generally, the publicity that will be accorded in the event
of breaches. I think it is quite clear, one only needs to look at
the drop in share price of companies that have in some way violated
commitments or undertakings that they have said in the past - I
am talking about U.S. companies particularly - veritable collapses
and all that. So transparencies are very strong weapons to avoid
unnecessary breaches of the sort of privacy that we want. And thirdly,
David mentioned extensively the FTC. There are other bodies that
are also relevant in enforcement and here we are obtaining information
from the U.S. authority with regard to their powers - statutory
powers, real enforcement powers - to make sure that we have a complete
indication of what their powers are and how they can apply them
in cases of difficulty. These are some, of quite a lot of other
things, where the aspect of enforcement has been successful.
One more very
This is a question
for either one of you. If you could just clarify, if there is any
agreement on implementation. There seems to be some discussion about
the timing. The EU law has been on the books since 1998. The U.S.,
it seems like, would like a little bit of delay. The EU on the other
hand would like to see this wrapped up rather quickly because you
have already waited two years. Can you tell us about that?
We are looking
at this with some interest at the present time. I think the concerns
clearly that we wanted the U.S. companies to have sufficient time to
see the final arrangement because otherwise they wouldn't know what
they might be signing up to. U.S. companies are very interested
in looking at alternative methods. David outlined a number of these
in terms of the contractual solutions. So we recognize that there
may be a need for some time. Whether we would define it precisely
or whether we would look in a different way, I think that is an
open question at the present time. But we have certainly discussed
it and I think that won't remain an obstacle at the end of the day,
at least as far as this bit of the Commission is concerned.
I might just
add that there is no less sense of urgency on the side of the United
States than on the side of Europe. Indeed, in some respects, we
may even have a keener sense of urgency because our companies, now
that Y2K has passed, our companies are turning their attention to
privacy which is an important issue in the United States as it is
in Europe. And they are starting to make investments in software
and hardware and structures to implement privacy policies that are
important to their business and their business reputations. They
need our advice, now, because if we don't give them guidance, as
to how they should do this, they are going to have to make decisions
anyway. And my concern, I think everyone's concern is, we need to
be able to give them timely guidance, or we may end up with situations
that are much more difficult to reconcile. So this is the time to
give that guidance to U.S. industry and we hope it will be effective.
Thank you very