The US Department of Commerce (DoC) has published draft 'safe harbour' principles under which US companies can comply with EU requirements on data privacy, as part of the ongoing talks on how the US will meet EU demands, the European Commission said.
Commission officials said this is the first time there has been a clear publication of where the two sides still have problems in the talks. Under the EU's data protection directive, the US must provide 'adequate protection' for EU personal data transferred to the US.
"We are certainly closer than we were previously but there are still issues to discuss. This is the first time as far as I know anything has been published with explicit details of where we have a problem. I still think it is possible to reach a deal by June," a commission official said.
EU member state representatives backed the way the commission is handling the talks and agreed that further work needs to be carried out on a number of issues on the safe harbour privacy principles, as already noted by the DoC, as well as, "one or two other issues."
DoC undersecretary for international trade, David Aaron, said in a statement accompanying the draft principles that the two sides have achieved, "a substantial level of consensus on both the content of the privacy principles themselves and on the practices that will govern transatlantic data transfers."
The two sides have agreed that the safe harbour principles, "will create the assumption that companies within the safe harbour provide adequate data protection (rather than the opposite) and data flows to those companies will continue," the DoC said.
Claims against US organisations will be limited to claims of non-compliance with the principles, and European consumers will be expected to first try to settle with the US organisation before appealing to their data commissioner, it said.
Other parts of the deal are that only the commission can interrupt personal data flows from the EU to a US organisation and that US companies will have a grace period to implement safe harbour policies, it said.
The safe harbour principles cover requirements for organisations to inform individuals about information held about them; for individuals to choose how that information is used, including onward transfer; and for firms to maintain secure systems to ensure data integrity, access and scope for enforcement of these principles.
Organisations can meet these principles via compliance with private sector developed privacy programmes, so long as they include effective enforcement and dispute resolution, or with supervisory authorities, or by cooperating with data privacy organisations in the EU, it said.
The commission still has queries over the way the safe harbour principles deal with manual processing, where US plans are not in line with the directive; on onward transfers to US companies not complying with safe harbour; and other more detailed points, it said.
The DoC also published 'frequently asked questions' on data privacy, where the commission has some reservations, and more of these FAQs are planned on pharmaceutical and employee information, it said.
Further consultations between the commission and national data commissioners are planned shortly as well as further talks in Washington between commission and DoC officials, commission sources said.