Privacy & Information Security Law Blog

On March 19, 2012, the European Commission hosted this year’s Safe Harbor Conference in Washington, D.C., to address the transfer of data from Europe to the United States. Although it appears the Safe Harbor framework will remain unchanged for the time being, it seems unlikely the United States will be considered adequate, or even interoperable, with the EU for purposes of cross-border data transfers.

On January 25, 2012, the European Commission released its proposed data protection law reform package, followed a month later by the Obama Administration’s call for federal legislation in the U.S. and release of a Consumer Privacy Bill of Rights. The Safe Harbor conference sponsored by the European Commission was in many ways an exploration of whether these two proposals would narrow the differences between the United States and Europe. At the time of its release, the European Commission’s draft raised questions about the sustainability of the Safe Harbor Framework under the new law. The administration’s paper promotes interoperability between national privacy protection regimes that have similar goals and protections. Opening remarks by Justice Commissioner and European Commission Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson made it clear that Safe Harbor is not in jeopardy, explicitly stating that “the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework.”

With regard to the possibility of the U.S. being found “adequate” under the existing directive or future regulation, numerous U.S. officials, including General Counsel of Commerce Cameron Kerry, have emphasized interoperability between the EU and the United States based on common values and a commitment to enforcement. There was, however, no explicit conversation about what interoperability might mean in this context.

Ending the conference, Commission Director General for Justice Françoise Le Bail indicated that establishing interoperability would require that the Commission review a comprehensive law from the United States to assess the U.S. commitment to principles that protect European citizens. Accordingly, a great deal of work must be done to establish new mechanisms for data transfers. Specifically, the United States will need to demonstrate the binding nature of voluntary codes of conduct and how such codes align with corresponding provisions in European law, and implement an enforcement mechanism that promotes interoperability with European Binding Corporate Rules. For its part, Europe will need to reconcile the fact that interoperability is not the same as harmonization of laws. Finally, both parties will need to reach a common understanding of interoperability.