US and EU in Talks to Resolve Differences over Transfer of Personal Data from the EU to the US: Will Private Businesses Get a Piece of the Pie?

The New York Times reported today that diplomats from the EU and the US may be nearing agreement on a "binding international agreement" to enable law enforcement and security agencies to obtain and process personal data from the EU without the restrictions that are currently placed on the onward transfer of personal data from the EU to the US.

In an internal report obtained by the New York Times, officials from the United States Homeland Security, Justice and State Departments, and their European Union counterparts stated that they were nearing agreement on the a draft agreement that would eliminate the current barriers to onward transfer of personal data from the EU to the US.  Currently, the only ways personal data collected in the EU may be transferred to the US are: (1) with unambiguous consent of the data subject; (2) using very restrictive model contract clauses provided by the EU data protection authorities; (3) obtaining approval for "Binding Corporate Rules" from each member states; or (3) participation in the EU Safe Harbor Program administered by the US Department of Commerce.  In practice, each of these methods presents costly and cumbersome compliance hurdles for public and private entities alike.  Many US business simply refuse to collect personal data in the EU due to the risks of running afoul of EU data protection laws that are far more restrictive than US laws. 

Apparently, several sticking points remain in the negotiations.  For example, under the new agreement, will EU citizens have legal recourse against US companies or the US government regarding the treatment of their personal data in the US?  Likewise, will the agreement extend to private businesses, or will it merely facilitate exchange of data between law enforcement, government, and/or judicial bodies?  The article states:

American and European Union officials are trying to head off future confrontations “by finding common ground on privacy and by agreeing not to impose conflicting obligations on private companies,” said Stewart A. Baker, the assistant secretary for policy at the Department of Homeland Security who is involved in the talks. “Globalization means that more and more companies are going to get caught between U.S. and European law,” he said.

Some Europeans fear that the compromises required to reach such an agreement will only dilute privacy rights in the EU due to the fact that the US does not protect privacy as stringently as EU Member States.