This article is also available in:
Deutsch: USA macht weiter Druck auf EU-Kommission und gegen die geplante Datens...

The US Department of Commerce has circulated a second informal note with comments on the proposals for a data protection regulation and a directive on data protection in the field of law enforcement. This time, its criticism focuses on the following concerns: the regulation could hinder commercial interoperability and be even counter-productive for consumer privacy protection, it could have negative impact on the freedom of speech and other human rights, on law enforcement cooperation, on cooperation between regulatory authorities and on civil litigation.

The high-level interference with the internal processes of the European Commission by the United States is quite extraordinary. Undoubtedly, a degree of concern can legitimately be expressed as the final decisions are being made on a piece of legislation which has international significance. However, this amount of interference, before either the European Parliament or Council (the Member States) have been able to have their say, implies a significant level of disrespect for the institutions of the Union and their ability to resolve any issues with what is, after all, the first draft in a legislative process which will last two to three years.

According to the DoC's informal note, the Safe Harbor Agreement enabled transfer of personal data and is a "vital component of transatlantic trade". The DoC thereby completely ignores the findings of several external evaluations on the EU-US Safe Harbor Privacy Principles which attacked the agreement in terms of compliance and enforcement and is today widely considered to be entirely without credibility.

The note praises Article 40 and its provisions regarding Binding Corporate Rules (BCR) as a legal basis for transfers of personal data to third countries but asks for more detail regarding the type of verification data protection authorities will consider sufficient. The document also states that codes of conduct (of the kind that have failed to develop in the existing Directive, but are nonetheless envisaged in the USA) can lead to an increase in interoperability and enhanced consumer protection and suggests that the EU looks into mechanisms to convert codes of conduct into BCRs.

However, the provision for explicit consent with a single standard is heavily criticized since, it is argued, if it is not simplified and meaningful, it could easily overburden individuals. The DoC states that asingle standard is ill-suited for institutions and types of commerce that offer financial products and services.

The DoC then criticises the Regulation's specifications regarding "privacy by design" and the broad authority given to the EU Commission to set out the technical standards - without presenting any valid arguments against the proposed principle of privacy by design itself.

The informal note also qualifies some provisions as being infeasible, since they would impose burdens on businesses without enhancing consumer protection, such as data breach notification and the right to be forgotten.

In contrast to its first note from December 2011 the DoC now admits that the US itself has several federal laws regarding breach notification but repeats its criticism of the first informal note regarding the obligation to notify data subjects within 24 hours arguing that the period is "simply too short", that it could lead to "massive fines" for companies and to confusing "false alarms" for consumers.

The draft Regulation is also considered to be inconsistent with the global nature of the Internet since it would assert jurisdiction over persons operating websites without a legal nexus with Europe (i.e. exactly what the US is proposing in its current draft proposals on intellectual property). According to the DoC, the term "directed to" is neither sufficiently defined in paragraph 15 nor does the limiting principle go far enough. Oddly enough, the "directed to residents of the US" provision of the planned Protect IP Act (PIPA) raises no similar concerns in the US.

As mention above, the note qualifies the "right to be forgotten" as undermining freedom of expression, as technically impracticable and as ignoring the open and decentralised nature of the Internet. The DoC expresses concern that exceptions in article 80 are narrower than the freedom of expression, that the "right" to be forgotten is not an internationally recognised right and protected expression will be deleted. However, the DoC seems to ignore that this article is based on an already existing right as set out by the EU (1995/46/EC, article 12 b) and that these concerns can easily be addressed by clarification of the wording of the current draft of the Regulation.

Of course, the DoC is also very concerned about the draft Police and Criminal Justice Data Protection Directive saying that it would limit information and evidence sharing to "the minimum necessary" - which is a useful, albeit unintentional, confirmation that the proposal is legal under the Charter of Fundamental Rights. They are also unhappy about the fact that other legal information-sharing instruments with EU Member States would probably not suffice under the proposed Directive since existing instruments must meet specific and "problematic" privacy protection requirements. Moreover, the DoC fears that the "strong system of privacy protection" existing in the United States (which, incidentally, does not cover EU citizens) would disappear since it would be forced to adopt the European style of data protection.

The DoC criticises the data transfer provisions of the draft Regulation (art. 37-41) arguing that they would undermine cooperation and data sharing processes among regulatory authorities in the US, the EU and the EU's Member States based on cooperative arrangements.

The document then specifically targets article 42 stating that its restrictions could block or delay access to information held by US firms and have an impact on investigations of EU firms and citizens. Bizarrely, the US DoC is worried about regulating a currently unregulated situation which would permit data exchange in the absence of a legal framework and legal safeguards. According to the note, article 42 might even affect the US-registered companies located in the EU and their ability to conduct business in the US. It is noteworthy that the US currently uses instruments such as the Foreign Intelligence Surveillance Act to retrieve data on foreign individuals' political activities, who may have no contact whatsoever with the USA, via companies with US offices. This legal vacuum would be addressed by article 42.

An unusually high number of Commission services issued negative internal opinions to the draft legislation, thus delaying the inter-service process (see 2 opinions below). This was partly as a result of this significant lobbying campaign (including high-level phone calls to top level staff in the European Commission) against the leaked draft proposal for a Regulation by the United States Department of Commerce and the Federal Trade Commission, the official draft proposal of which is now expected to be published on the 25 January.

First informal note circulated by the US (21.12.2011)
http://edri.org/US-DPR

Second informal note by the US (16.01.2012)
http://www.edri.org/files/US_lobbying16012012_0000.pdf

Opinion DG Trade (21.12.2011)
http://www.edri.org/files/21122011_DGTradeOpinion.pdf

Opinion DG Infso (21.12.2011)
http://www.edri.org/files/120112_DGINFSO_negativereply.pdf

Chris Connolly (Galexia), US Safe Harbor - Fact or Fiction?, Privacy Laws and Business International, issue 96, December 2008
http://www.galexia.com/public/research/assets/safe_harbor_fact_or_fict...

The implementation of Commission Decision 520/2000/EC on the adequate protection of personal data provided by the Safe Harbour privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce SEC(2004)1323
http://ec.europa.eu/justice/policies/privacy/docs/adequacy/sec-2004-13...

(Contribution by Kirsten Fiedler - EDRi)