
Privacy Laws and Business International Report



In search of adequacy: update on US developments [1999] PLBIRp 40; (1999) 50 Privacy Laws and Business International Report 6

In search of adequacy: update on US developments

A report by Charles Raab

THERE IS NO EU DECISION YET on the level of protection afforded to personal data in the US, but progress is being made with model contracts. Also, talks on the safe harbour continue between the EU and the US.

Model contracts were discussed at length at the Privacy Laws & Business 12th Annual International Conference in June. The session was of particular interest not only because of the continuing saga of negotiations between the European Commission and the US Department of Commerce over the question of the adequacy of data protection in the US, but also because of the proposed contractual solutions to the question of transborder data flows.

Speaking on behalf of the US Government, Professor Peter Swire, the newly-appointed Chief Counsel for Privacy (PL&B May '99 p.2) in the US Office of Management and Budget (OMB), led off with a description of his role within the Executive Office of the President. He remarked that he was 'drawn and quartered' between privacy advocates, business interests, the EU's stringent requirements for 'guaranteed adequacy' and the American 'safe harbor' (SH) solution (PL&B May '99 p.13). Yet he was optimistic that there was an opportunity to make progress on privacy in the information age, and to find a balance between data flows and the requirements of privacy.

AMERICANS FEAR LITIGATION

Peter Swire taps into a reservoir of expertise and experience in performing his role, which involves responsibility for US public sector uses of personal data and coordination for the private sector. He also serves as a point of contact on the international scene. With the goal of having the Federal Government setting an example, all Federal agencies are now required to post privacy policies on their websites.

Of particular interest in Peter Swire's talk was his account of the SH issue. Observing wryly that 'the American political system is not always fully aware of the rest of the world in all its details', he thought it was easy to overstate the magnitude of the effect that the SH affair was having on privacy debates in the US. Nonetheless, it was a very important issue in government, and he was in close contact with the Department of Commerce's David Aaron over developments in the negotiations.

He described the American fear of having precise rules laid down that were then not followed. The legalistic nature of US public affairs leads to a great reluctance to agree to rules that create enforceable obligations where compliance cannot be assured, and which will result in a great deal of litigation.

SAFE HARBOUR BY END OF THE YEAR?

However, there was already much progress on SH, with only the last few percent of the 'bridge' of agreement to be put in place. He was optimistic for a completion in the Autumn of 1999. The enormous financial value of trade between the US and countries of the EU pointed up the advantages to companies of the assumption of adequacy under SH. He noted that there was already agreement on some issues. Further clarification was needed on the status of 'frequently asked questions' (FAQs) that had been produced by David Aaron earlier this year. They were important and would have a significant legal effect on concrete situations.

CONTRACTS PLAY A PART IN ACHIEVING ADEQUACY

Peter Swire saw contracts as a supplement to the main US Government goal of creating a wide 'safe harbor' as a framework of understanding of what should be done to improve the adequacy of data protection. He concluded by pointing to the valuable political prominence of privacy issues, as evidenced by President Clinton's speech in May, and in Vice-President Gore's Presidential election campaign.

P&AB CONTRACT BASED ON A GERMAN MODEL

Dr Alan Westin, Publisher of Privacy and American Business, spoke next, explaining the model contract solution which the organisation has been developing with others. He observed that the thousands of multinational US firms need assurance about how to operate in the new context of the Directive and national laws concerning transborder flows of human resources data, customer data, and a variety of internal and external business-to-business communications. There was a clear opportunity to develop contractual solutions.

Because companies could not wait upon the sluggish US political process or the conclusion of a SH agreement, discussions began in 1997 amongst Member States' data protection commissions, EU officials, Professor Spiros Simitis (University of Frankfurt) and others to see if a model contract could be developed that would cover questions such as onward transfer of personal data.

This model contract built upon the one that Citibank had devised for the German Railway credit card a few years ago, and therefore had the benefit of those earlier discussions that had involved data protection and banking authorities in Germany and the US (PL&B Oct '97 p.9, PL&B Dec '96 p.6-10).

70 COMPANIES INVOLVED

Some 70 firms are now involved in the current model contract project, including American Express, Equifax, Chrysler, Ford, and other leading multinationals across the world of business. The contract would be between a US firm in Europe (data exporter) and the firm's US headquarters (data importer). The importers would agree to comply fully with the relevant EU Member State's national data protection law when handling personal data from that country in the US.

Annual audits, available to the data protection authority for investigative purposes, would be part of the process. The contract would create an enforceable right for a data subject who claims that violations had taken place. The US data importer would agree, after a fair procedure, to be bound by the ruling of the Member State's authority. The contracting parties would indemnify each other for violations.

PILOTS POSSIBLE SOON

Participants in Alan Westin's project had met in Frankfurt in April with Professor Simitis and some German Land Data Protection Commissioners, and a further meeting took place at the end of July. They thought that the project was on the right track and more focused than the International Chamber of Commerce (ICC) model contract, but suggested an experiment in which a few US companies would be asked to fill in a contract to see how it works.

Alan Westin thought that, even if SH became a reality, the model contract would still be valuable in making the principles concrete. Because many industries and firms have no regulatory bodies to enforce rules, the contract would provide assurance of remedies, audits and rights.

Moreover, US companies were worried that they would be exposed to the privacy advocates' complaint that it was anomalous to provide rights to EU citizens, but not to Americans under a SH agreement. Contracts avoid this politically embarrassing position. They give rights to EU citizens whose data are processed in the US, but do not pronounce on what would be the best way forward for US citizens.

MODEL CONTRACTS WOULD BE FLEXIBLE

Alan Westin argued that contracts are enforceable and more flexible than legislation. There would be no problem of a vast proliferation of different contracts. Over time, the model contract would become a precedent, avoiding a fresh approval process for each contract for every company. The model contract, he concluded, was not a total solution but a very useful vehicle.

UK SUPPORTS MODEL CONTRACTS

Other speakers in this conference session were Francis Aldhouse, UK Deputy Data Protection Registrar and member of the Article 29 Working Party under the EU Directive, Graham Sutton of the Home Office, and Geofrey Master of EDS.

Aldhouse explained that the UK supports model contracts, and encourages the work done by the ICC and the Confederation of British Industry (CBI). However, he wondered whether some contracts would work better for some importing or exporting countries than others. There were other possibilities, for instance business-to-customer contracts, which could provide novel solutions.

Graham Sutton of the Home Office, who represents the UK Government on the Article 31 Committee, reminded us that the EU Commission can approve model contract clauses. There was no decision yet, but much work is being done examining the contracts proposed by Privacy and American Business, the ICC, the CBI and the Council of Europe.

A case study was given by Geofrey Master, EDS General Counsel for Europe, Middle East and Africa. He spoke about Electronic Data Systems' (EDS) approach to international transfers, and how the company has adopted a globally applicable set of standards based on the EU directive (PL&B Feb '99 pp. 7-8).

These presentations at the Privacy Laws & Business 12th Annual International Conference were reported by Professor Charles Raab, Department of Politics, University of Edinburgh, 31 Buccleuch Place, Edinburgh EH8 9JT Scotland. Tel: + 44 (0) 131 650 4243, Fax: + 44 (0) 131 650 6546, e-mail: c.d.raab@ed.ac.uk. A set of conference papers is available from Privacy Laws & Business, Tel: + 44 (0) 181 423 1300.


URL: http://www.worldlii.org/int/journals/PLBIRp/1999/40.html