Nearly five months after U.S. companies began signing up for an agreement aimed at averting disruptions in the flow of personal data from Europe to the U.S., some U.S. interests are calling for clarifications to the deal.
So far, only 35 U.S. companies have signed up for the “safe harbor” agreement, negotiated between the U.S. and European Union to provide U.S. companies with a way of complying with the EUs data privacy directive.
The EU law potentially impacts companies doing business in Europe because it calls for blocking the transfer of personal information to those countries that do not provide “adequate” privacy protections. The safe harbor enables U.S. companies to meet this adequacy requirement.
Industry representatives said some U.S. companies are having a hard time deciding whether to join the safe harbor due to concerns about some provisions and the need for clarifications. One concern relates to whether U.S. Web sites are subject to the directive. They also asked what is meant by a “third party” in transferring personal data.
David Aaron, former Department of Commerce undersecretary for international trade, who helped negotiate the safe harbor, said both EU and US negotiators expected that clarifications might be needed. They could possibly be addressed when the EU reviews how the safe harbor is working later this year, he said.
An EU official said some of the issues can be answered informally. For example, he said Web sites that collect personal information from Europe should assume they are subject to the EU law. But it may be difficult to implement more substantive changes, he added.
The Bush administration and some U.S. companies also have concerns about another means of complying with the EUs privacy law through contracts. An EU committee approved a “model contract” March 27 that some industry officials said is more onerous than the safe harbor.
Experts said many companies are simply waiting on safe harbor to see if the EU enforces it.
“Many American firms have decided not to sign up for the safe harbor because so far they believe the enforcement risk is low and the safe harbor is strict enough that they would rather take their chances outside of the system,” said Ohio State University law professor Peter Swire.