IMPORTANT LEGAL NOTICE - The information on this site is subject to a disclaimer and a copyright notice.
No 15 (December 98/Décembre 98/Dezember 98)
The EU's data protection Directive (95/46/EC - see last issue of SMN) is prompting fruitful discussions with the Union's trading partners on ways of ensuring high levels of protection for personal data in the digital age. The Directive has helped to raise awareness of the personal data protection issue amongst companies and governments in non-EU countries. The main reason for this is that Article 25 of the EU Directive provides that the transfer of personal data from the Union to non-EU countries can take place only if the third country in question ensures "an adequate level of protection".
Even though Article 25 is subject to a number of exceptions, its potential impact is providing a powerful incentive to improve the level of data protection in certain non-EU countries. The situation is particularly interesting in the United States, where the Administration has challenged the private sector to live up to its claims that it will ensure the necessary levels of protection by self-regulatory means. Meanwhile, pressure from public opinion and privacy advocates, who are sceptical about industry's claims, continues to favour some degree of legislative underpinning. There is at least a clear consensus about the need for levels of privacy protection in the US to be improved. On 31 July this year, Vice-President Gore committed the Administration to an "electronic bill of rights" embodying four key privacy principles, and a number of bills are pending before Congress dealing with issues which are yet not covered by Federal legis lation, such as the protection of medical data. Legis lation has recently been adopted on children's on-line privacy and identity theft in the area of financial services.
The prospects are that the protection of personal data in key sectors of the US
economy is likely to continue to rely on self-regulation for the time being.
This is not a problem in itself as regards the Directive: Article 25 requires
that adequate protection be assessed in
This is the background against which DG XV is conducting an informal but intensive dialogue with the US Department of Commerce, with the twin goals of "establishing high standards of data protection while maintaining the free flow of personal data between the EU and the US". The dialogue has allowed the two parties to reach a better understanding of each other's approaches and indeed to ascertain that, despite differences in approach, there is a great deal of overlap between EU and US views of the protection that needs to be provided. DG XV reports regularly to the Member States represented in the Committee established by Article 31 of the Directive. This Committee has to vote on any proposed Commission findings on adequate or inadequate protection.
At the Committee's meeting of 26 October 1998,
On 4 November 1998, the US Department of Commerce issued for consultation a set of privacy principles designed to offer a "safe harbour" to companies and organisations that adhere to them. On 19 November 1998, the Article 31 Committee held a first discussion on the US principles. The Committee saw these principles as a positive development, but felt that improvements and clarifications would be necessary before the principles could be judged as offering "adequate protection" as required by the Directive. The Member States encouraged the Commission to pursue its discussions with the Department of Commerce, through and beyond December if necessary.
TEL: (+32 2) 295 73 77
FAX: (+32 2) 296 80 10