As we predicted last week, the US Department of Commerce has released a set of guidelines in an attempt to convince US companies doing business in the European Union that they should adhere to the EU’s data protection laws that were stepped up last fall (04/15/99). The EU data directive of October 1998 makes it illegal to transfer data about EU citizens from EU countries to countries that do not afford that data an adequate level of data protection – and that category includes the US.
The release from the DoC is merely a set of guidelines and FAQs, rather than an update of the safe harbor principles the DoC released last November and it is up to US companies whether or not they wish to adhere by the safe harbor principles. But seven of the 15 EU countries already have legislation in place that conforms to the data directive, so they would have to risk breaking European law if they did not adhere.
The DoC makes it clear that should companies adopt the principles, the scope for any EU citizen suing the US company would be limited to non-compliance with the principles. Only the European Commission will be permitted to interrupt data flows between the two continents and US companies will get some sort of grace period in which to adopt the principles – probably between six months and a year. The DoC and EU officials are aiming at an announcement of a compromise at a summit in Bonn, Germany on June 21. The DoC says it will issue further FAQ’s for vertical markets and a public comment period on all the proposals us open through May 10.
