16 October 1998
Source:
http://www.usia.gov/current/news/latest/98101607.wlt.html?/products/washfile/newsitem.shtml
See related Aaron speech on encryption policy: http://jya.com/aaron101398.htm
USIS Washington File
_________________________________
16 October 1998
(Sees "significant overlap of principles" between US, EC) (1670)

Brussels -- Under Secretary of Commerce David Aaron told reporters here October 15 that the United States and Europe "have gotten to a significant, if not identical overlap of basic principles on what needs to be done to protect privacy" of electronic data.

"I think we have reached the stage where we need to actually begin a real negotiation, where we can begin trying to hammer out an agreement that would on the one hand ensure European customers, European individuals, that their data being transmitted across the Atlantic -- that they could have confidence that it would be protected adequately (and) on the other hand, where our companies would be in a position that, if they adopted certain practices and principles, that they would feel that they were safe and doing what was required under the [European] Data [Privacy] Directive and they would not be subject to suits," Aaron said.

Following is transcript of U.S. Under Secretary of Commerce David Aaron press briefing on data privacy discussions:

(Begin transcript)

UNDER SECRETARY OF COMMERCE DAVID AARON
Press Conference
Brussels
October 16, 1998

I can say this: we have been meeting with the Commission now for roughly seven months at least and we probably have had four, five, maybe six meetings at my level and innumerable sessions both in person and by video and by e-mail at other levels, and I think it's fair to say that these have been, first of all, consultations and not negotiations. I think that is a very important point, because what we have been trying to accomplish is to see if we had a meeting of the minds as to how to increase and protect the privacy of our citizens, and secondly on how we could ensure that data would continue to flow across the Atlantic when the European Data Privacy Directive came into effect. And those really have been our principal goals.

As we have discussed in effect the European approach, criteria, and so forth and our approach, I think it's fair to say that we have come to see that there is a significant overlap in our approaches even though our procedures and our structures are very different. As I have explained to our European friends, the concept of an overall law that defined one's privacy, that established data commissioners who would implement and otherwise define what is permissible and what is not permissible in terms of the exchange of personal data, all of that would be regarded in the United States as an invasion of privacy. So we have a very different approach which is a mixed approach, that involves law -- in the case of financial information, regulation -- as it applies to financial information and information about children, regulation -- as it applies to, again, financial information and medical information and some other categories, and self-regulation. All of this in the context in which self-regulation takes place in the context of our fraud statutes and the responsibility of the Federal Trade Commission to pursue misrepresentation and deceitful practices. So we have a mixed situation which is more complicated.

In the course of these conversations, I think the privacy situation in the United States has evolved dramatically. We now have at least three online privacy services that are available to businesses, that establish systems, principles and procedures to ensure people's privacy, that respond to the basic elements of affected privacy which the Clinton Administration promulgated in January, and which provide for independent dispute resolution, and that sort of thing. As we have drawn upon this evolving situation in the United States, we tried to compare our basic elements with their views of what is adequate privacy protection, and I think we have gotten a significant, if not identical, overlap of basic principles on what needs to be done to protect privacy.

Now, I think we have reached the stage where we need to actually begin a real negotiation, where we can begin trying to hammer out an agreement that would, on the one hand, ensure European customers, European individuals -- that their data being transmitted across the Atlantic -- that they could have confidence that it would be protected adequately, on the other hand, where our companies would be in a position that if they adopted certain practices and principles, that they would feel that they were safe and doing what was required under the Data Directive and they would not be subject to suits and so forth. That's sort of where we are. The Commission now is consulting with member states; they are going to have some meetings that are scheduled over the next few weeks, and we are hopeful that, based on those consultations, they will be able to move to the stage of actual negotiations and working out promptly the necessary agreements or arrangements, however they might be expressed.

Question: Can you explain to us how exactly these sort of safe harbors, or sort of voluntary agreements, would work?

Under Secretary Aaron: I think the idea is this. If, for example, the Commerce Department sets forth a set of principles that companies could adhere to and procedures that companies could adhere to, and if those principles and procedures were deemed to be adequate by the European Union, then these companies would be in a "safe harbor." In other words, they would have done things necessary to conform to the European Union's view of what is adequate privacy protection. Now, that wouldn't necessarily protect them from complaints, because that could happen -- nobody can keep that from happening -- but the practices themselves would not be the issue, the issue would be is the company actually doing what it says it is doing.

Question: What's the significance of moving to a formal negotiation as opposed to talks, I mean, will you now come forward then with formal proposals, or how does it affect...?

Under Secretary Aaron: I think that's the point. The Commission has not been negotiating. We have put forward some ideas and they have said, "That's interesting," and now we need to get a real response from them. Do they think this is the right way to go? Is safe harbor really something that they think is -- can we get down to the real process of working something out in concrete terms?

Question: Have you given them some proposals, some concrete proposals?

Under Secretary Aaron: We have raised these ideas, but we haven't given them concrete proposals in the negotiating sense because they haven't reached that stage yet.

Question: But is this the next step, then, that the Commerce Department will draw up these principles, or have you already done that?

Under Secretary Aaron: No, we would have to elaborate those, and we would have to formally present them. I think the next step before that would be for the Commission to get support from the member states in moving forward in this direction, and that's what they are seeking now. You know, these principles are not a mystery; they are contained in the practices of these online privacy alliances. They are contained in our basic elements; it's a matter of reducing that to real language.

Question: Do you have a guarantee that the third parties, which oversaw the safe harbors, were conforming to -- the safe harbors were indeed doing what they were meant to be doing? Would the government have to guarantee that or would it be banks or trusted organizations who could do that job?

Under Secretary Aaron: I think our view is that there are three ways that that could be done. One is that the companies could get together and create an independent body that would do that, and that's sort of what these online privacy groups do. The second is that some of our industries are very heavily regulated -- that's the banking sector, that's the insurance sector and so forth, where a lot of personal information is transmitted. They are very heavily regulated and in effect that regulation would serve that same purpose. The third, of course, is that the companies could offer -- it seems to us, this is just our idea -- but the companies could offer to cooperate with the European data protection authorities to give them this assurance.

Question: The Commission seems to be saying that the most important thing is that there be enforcement. They don't want some voluntary codes that aren't enforced and they cite evidence that in the U.S. their problem is with actually companies living up to the commitment that they're making.

Under Secretary Aaron: I guess one of my responses to that is, that's certainly true in Europe as well. We just came from Germany where the federal data protection officer was talking just about things at the federal level, which means the government's own actions. They have 3,000 complaints a year, so this problem is by no means limited to U.S. companies. We believe that there should be some independent process here, and that's a point that I think represents an evolution in our thinking. I also might add that, in addition to that, the FTC (Federal Trade Commission) itself has made clear to the Commission that claims that the companies might make as to their privacy practices, if they proved to be untrue, would be -- in Europe, vis-a-vis Europeans -- would be treated just as that same sort of fraudulent or deceitful practice would be in the United States, and it would be subject to FTC investigation and action.

Question: What's coming up on the 26th? Are we going to have any data block?

Under Secretary Aaron: I would hope not. Certainly, we have had a very cooperative, very constructive set of meetings here and I think we are moving along in a genuine mutual problem solving mode here.

Thank you.

(End transcript)