The EU-US Safe Harbour Agreement

19-01-2012

The EU and the United States have very different philosophies on social regu­lation. One area in which this has been clearly demonstrated is e-commerce, and specifically the importance attached to data protection. This issue was brought to a head by the 1998 EU Data Protection Directive which required third countries, such as the US, to provide an equivalent ""adequate"" level of protection when dealing with data transmitted there from the EU. Following two years of negotiations, a Safe Harbour Agreement was signed between the two parties in 2000. It required US companies who wished to transfer data from the EU, to self-certify that they complied with the agreed priva­cy principles and with the accompanying enforcement procedure. The effectiveness of the Agreement was closely monitored not only from a data protection standpoint but for its wider potential as a model. Opinion, however, is divided on its success. The EU, in two early assessments, expressed concerns regarding the transparency of companies' privacy policies. Furthermore, more recent opinions also cast doubt on both actual compliance and effective enforcement. In response, the US Department of Commerce has strongly rebutted these criticisms. It points out that self-certifying companies take com­pliance very seriously. In addition it argues that the Agreement has played a crucial role in fos­tering a greater acceptance of the im­portance of data protection in the US.

The EU and the United States have very different philosophies on social regu­lation. One area in which this has been clearly demonstrated is e-commerce, and specifically the importance attached to data protection. This issue was brought to a head by the 1998 EU Data Protection Directive which required third countries, such as the US, to provide an equivalent ""adequate"" level of protection when dealing with data transmitted there from the EU. Following two years of negotiations, a Safe Harbour Agreement was signed between the two parties in 2000. It required US companies who wished to transfer data from the EU, to self-certify that they complied with the agreed priva­cy principles and with the accompanying enforcement procedure. The effectiveness of the Agreement was closely monitored not only from a data protection standpoint but for its wider potential as a model. Opinion, however, is divided on its success. The EU, in two early assessments, expressed concerns regarding the transparency of companies' privacy policies. Furthermore, more recent opinions also cast doubt on both actual compliance and effective enforcement. In response, the US Department of Commerce has strongly rebutted these criticisms. It points out that self-certifying companies take com­pliance very seriously. In addition it argues that the Agreement has played a crucial role in fos­tering a greater acceptance of the im­portance of data protection in the US.