Up in the Air in Europe

THE OUTCOME OF the current European Union-United States talks on the EU’s data-protection directive-and of the so-called safe harbor measures proposed by the Americans-is still uncertain, according to Alastair Tempest, director general of public affairs and self-regulation for the Federation of European Direct Marketing.

“The Americans put forward what seemed to be a compromise but there are still major problems and disagreements,” especially in the area of consumer access to their personal data, Tempest said during FEDMA’s annual conference in Strasbourg, France last month.

American companies are worried they may leave themselves open to lawsuits, he noted. The directive forbids companies in EU countries to export personal data to outside countries deemed not to have adequate privacy protections.

It is generally assumed that the United States falls under that category.

The most important aspect of the safe harbor solution is that the directive could be complied with if an EU company and a U.S. company (or any company outside the EU) sign contracts assuring that the data is secure and treated properly.

Tempest said there are, to his knowledge, three different model contract proposals, the most recent from the International Chamber of Commerce. He added that, in his opinion, there would end up being more than one model contract used.

Like all EU directives, the data-protection directive, often called the privacy directive, mandates the EU member nations to make laws complying with it. At this point, only six of the 15 member nations have passed privacy laws and some of those are not up to compliance with the directive. But four countries seeking to become EU members-Poland, Hungary, Slovenia and the Czech Republic-have passed such laws.

Tempest worried that the slow compliance by European nations might lead U.S. companies to believe they have no need for urgency.

“We’ve been lucky that no one’s brought a court case,” he said, meaning that no European individual has sued an American company for violation of privacy rights, which would force the issue.