We have made substantial progress in developing an arrangement that would provide a predictable framework for the application of the EU Directive on Data Protection to the transfer of personal data from the European Union to the United States with adequate protection for privacy. Work on the substantive aspects of data protection is particularly well advanced. On the procedural and enforcement aspects, work is also progressing but further work is needed on both sides. We plan to finalise this "safe harbor" arrangement during the autumn.
The basic substantive principles, which are the core of the "safe harbor" arrangement, have been the subject of detailed and intensive examination, and only a limited number of points are still at issue. Similarly, we have identified much common ground on implementation of the principles, which is articulated in the form of "frequently asked questions". Several other "frequently asked questions" remain to be discussed and finalised.
On the EU side, the Member States support in principle the proposed form of the arrangement, which will involve a decision on the basis of Article 25.6 of the EU Directive on Data Protection. The decision will create a presumption of adequate privacy protection for U.S.-based organisations that self-certify their adherence to the principles and frequently asked questions and are subject to the jurisdiction of the U.S. Federal Trade Commission or other body with similar statutory powers.
Several aspects of enforcement and implementation on both sides need to be further examined. The final arrangement will need to ensure effective protection of individual privacy rights while at the same time ensuring a predictable framework and maximum legal certainty for U.S. organizations participating in the safe harbor. Discussions so far show that the final arrangement on the EU side will guarantee due process for U.S. organizations participating in the safe harbor if they are the subject of non-compliance complaints. Those organizations will also be ensured non-discriminatory treatment.
On the U.S. side, clarification will be provided concerning the role of independent complaint resolution mechanisms, especially as regards complaint investigation and sanctions for non-compliance that will be sufficiently meaningful to ensure compliance.
As to the role which the U.S. side would like to see EU data protection
authorities play in the enforcement of the "safe harbor"
principles, these authorities, through the working party set up under Article
29 of the Directive, have expressed their intention to give further positive
consideration to undertaking such a role, especially as regards complaint
handling. Possible constraints on their ability to do this under current
law are being examined.
The final arrangements will ensure that U.S. organisations have time to evaluate whether they wish to participate in the safe harbor and to take measures necessary to comply with the principles and frequently asked questions.
The dialogue has taken place in a positive and constructive atmosphere, created to an important extent by the willingness both at Member State- and EU- level to avoid disrupting data flows to the United States. Continuing to avoid disruptions to data flow is essential for the successful conclusion of the dialogue.