EC Committee Approves Disappointing Model Privacy Clauses
March PIF Follow-Up
On March 27, a European Commission ("EC") committee voted unanimously (with one abstention) in favor of adopting the model contract privacy clauses reviewed in the March Privacy In Focus ("EC Produces Disappointing Draft Model Contract Privacy Clauses"). The committee, composed of representatives of each of the fifteen European Union member states, accepted the clauses over the objection of the United States that they would impose burdens beyond those required by EU privacy law. As discussed in last month's article, the model clauses fail to establish a single set of privacy obligations, impose joint and several liability for breach of privacy provisions (to which data subjects are third-party beneficiaries), and effectively subject U.S. parties to EU law and EU authorities.
The committee's favorable opinion effectively closes debate on the content of the model privacy clauses. The European Parliament could decide by the end of April that the EC would overstep its authority in adopting the model clauses, or the EC could disregard the committee's opinion and refer the matter to the European Council. Neither course seems likely, however, given public statements by EU officials. The clauses could well be operational by Fall 2001.
The legal effect of EC enactment would be to bind the EU member states to acknowledge that the model clauses provide "adequate" privacy protection. Thus, no enforcement action to cut off personal data flows could be taken on the basis that a party to a model contract is not bound to provide adequate safeguards. Entering into these contracts would be one of several options for satisfying an EU law restricting personal data flows to countries, like the United States, not deemed to provide "adequate" privacy protection for personal information.
Future in Flux
The model clauses illustrate the continuing tension between the U.S. and EU approaches to privacy protection. The U.S. Government criticized the clauses, saying they were "unduly burdensome" and "incompatible with real world operations"; the EC replied that the U.S. had an "utter absence of understanding" of the EC's objective to "make life easier for companies" transferring personal data from the European Union. U.S. parties have criticized the EU for placing high hurdles for U.S. companies to clear while failing to enforce the Privacy Directive against EU-based businesses. A study released on April 3 by the London Chamber of Commerce is the latest in a series of reports that EU web sites widely ignore rules about data protection and cross-border trade.
Despite the failure to modify the model clauses, U.S. objections may have influenced the EC agenda at least slightly, as the Commission announced its intention to issue decisions covering "lower risk" personal data transfers that would prescribe a "lighter approach" than the privacy obligations imposed by the model contract provisions. In addition, the EC was careful to explain that the adoption of the model privacy clauses will have "no effect" on ongoing EU-U.S. negotiations on an agreement for the free flow of financial data across the Atlantic.
For additional information, please contact Amy Worlton (202.719.7458).