
Recent Developments in Finalizing the US-EU Safe Harbor Program for the EU Data Directive

Negotiators for the United States ("US") and the European Union ("EU") recently announced that they have reached agreement on several key issues regarding adoption of "safe harbor" principles under which US companies can comply with the EU Data Directive ("Directive").

The Directive, which went into effect in 1998, contains stringent requirements for the protection of personal information originating within the EU. Significantly, it prohibits entities in the EU from exchanging data with entities located in other countries (including the United States) that do not provide what the EU considers an "adequate" level of data protection. For two years, the Clinton administration has been negotiating with the EU to obtain its approval of a system of self regulatory measures, backed up by the threat of government enforcement by agencies such as the Federal Trade Commission, as providing such "adequate protection." Until the recent breakthrough, the EU was hesitant to approve as "adequate protection" a privacy regime based primarily on industry self regulation. Such approval now appears near, and if obtained will constitute an important victory for the Clinton administration.

Safe Harbor Qualification

Under the US "safe harbor" proposal, organizations seeking to exchange data with EU entities could sign up with self regulatory organizations, like BBBOnLine or TRUSTe, and commit to published guidelines for the handling of personal data. Individuals contending that such guidelines had been violated would appeal to the company itself in the first instance, then to the self regulatory organization if satisfaction was not obtained. The self regulatory body would have the right to take certain limited disciplinary action if a violation was found. As a final step, the Department of Justice or the Federal Trade Commission could investigate egregious violations of stated privacy guidelines and impose federal sanctions if necessary.

US and EU negotiators have also agreed on three other ways that US entities can come within the safe harbor.

  • First, a US company can voluntarily agree to subject itself to the data protection authority in one of the 15 European Union countries.
  • Second, it can demonstrate that it is subject to US laws that have privacy provisions similar to the EU Directive - for example, national laws governing medical or financial privacy.
  • Third, a company can agree to refer privacy disputes to a panel of European regulators, although this last method mostly applies to companies that do not exchange data on-line.

The Department of Justice has also promised to publish and maintain a list of companies that qualify for safe harbor treatment, thereby giving individuals and companies the comfort of knowing that the company with whom information is being shared provides adequate levels of protection.

The two sides hope to negotiate and resolve the remaining issues that divide them during the week of March 13, 2000, when the Under Secretary of International Trade, Ambassador David Aaron, will travel to Brussels for negotiations. Negotiators ultimately hope to finalize the safe harbor agreement by the end of March, when Ambassador Aaron resigns. Additional factors speeding up negotiations include the industry's growing focus on privacy issues and the upcoming US elections.

Issues that remain to be resolved include how US companies can comply with the Directive during the interim period between the signing of the agreement and its implementation, and what effect existing US privacy statutes will be given as part of the safe harbor. Even if an agreement is finalized in March, it will be subject to a series of procedural steps prior to becoming effective. The US will allow for comment by the public and the National Economic Council. The safe harbor provisions also must pass the review of the EU Commissioner of the Internal Market, the College of Councils, and Parliament. As a result, the interim compliance period will likely be in place for some period of time.

Conclusion

The EU and US appear closer than ever to achieving an agreement on the safe harbor principles that allow personal data exchange between the two jurisdictions; however, many issues remain to be resolved. Until a final resolution is reached, US companies should continue to review their existing privacy practices, and consider the costs and benefits of participating in a self regulatory organization such as BBBOnLine or TRUSTe.

*article courtesy of Thelen Reid & Priest LLP.
