Privacy Laws and Business International Report

EU and USA trying to reach agreement on Safe Harbour [2000] PLBIRp 16; (2000) 53 Privacy Laws and Business International Report 14

EU and USA trying to reach agreement on Safe Harbour

A SOLUTION TO THE PROBLEM of safeguarding privacy when transferring data from the EU to the USA seemed to be close in March. Both sides made a provisional agreement on the use of the Safe Harbour self-regulatory principles. However, now the EU's Article 31 Committee has failed to accept the proposal.

Officials from the European Union and the United States announced, on 15th March, that they had reached a provisional agreement on the Safe Harbour approach.

Safe Harbour, a set of self-regulatory measures for US based organisations to protect personal data transferred from the EU to the USA, has been on the agenda now for the last two years (PL&B Dec '98 p.6, Feb '99 p. 15, and Feb 2000 p.2). For a while, it looked probable that later this year, the EU would formally recognise that the Safe Harbour approach will provide "adequate" protection for personal data.

A Safe Harbour agreement would provide legal certainty for EU-based data controllers that they are complying with the EU Data Protection Directive when transferring personal data to organisations which voluntarily agree to adhere to the Safe Harbour principles.

WORK CONTINUES

The reason why a provisional agreement was reached seemed to be mainly due to time pressures on the US side. The latest developments will delay the approval, however. The Article 31 Committee, an EU body consisting of the Member States' representatives, did not approve the package in its meeting on 30-31st March. The Committee may now decide to list all the areas where it thinks the proposal still needs to be improved.

MANY PROBLEMS HAVE BEEN RESOLVED

The EU Data Protection Working Party had previously severely criticised the principles, for example, for lacking an enforcement function and a mechanism to identify which organisations promise to comply with the principles. These issues have been resolved, but the principles may still not provide such a solid framework as the European data protection laws do. For example, will companies be willing to spare resources to comply with voluntary principles?

Some practical problems remain as well. It is suggested that US companies may agree to co-operate with European Data Protection Authorities (DPAs). This would entitle the DPAs to investigate complaints, and companies would have to comply with any advice they receive. This suggestion is still being considered by the DPAs, as the number of such cases might be impossible for the European Authorities to cope with. Another problem area is redress for European data subjects concerning the processing of their personal data in the US.

The Safe Harbour principles include many basic data protection building blocks, such as transparency about collecting information, a possibility to opt-out from disclosure to third parties, and reasonable access to personal data. It was proposed that companies wishing to participate would be able to sign up with the Department of Commerce. A list of companies adhering to the Safe Harbour would then be made public for consumers to see. It had been provisionally agreed that the principles would be enforced by the US Federal Trade Commission and other US public bodies. Adherence to the Safe Harbour would be reviewed in the middle of 2001.

HOW ORGANISATIONS COULD JOIN IN

The US Department of Commerce published the revised principles on 15th March on its website (www.ita.doc.gov/td/ecom). The principles state that organisations may qualify for the Safe Harbour in different ways. For example, if an organisation were to join a self-regulatory privacy programme that adheres to the principles, it would qualify for the Safe Harbour.

Organisations would also qualify by developing their own self-regulatory privacy policies provided that they conform to the principles. To qualify for the Safe Harbour, organisations would not be obliged to apply the principles to personal information in manual files. Organisations wishing to benefit from the Safe Harbour for receiving such information from the EU would have to apply the principles to any such information transferred after they enter the Safe Harbour.

Practical detail on the implementation of the principles is included in the Frequently Asked Questions (FAQ) which supplement the principles. The FAQ address issues such as processing sensitive data, self-certification, access to personal data, human resources, dispute resolution and contracts, and opt-outs.

WHAT'S NEXT

The Article 31 Committee of the European Commission may reach agreement on the Safe Harbour approach in its meeting on 30-31st May. In the USA, approval is being sought from the National Economic Council and other bodies. Provided that all parties approve the draft package, the Safe Harbour arrangement could be formalised in late summer.

John Mogg, Director General of the EU's Internal Market Directorate, said at the CEN/ISSS seminar in Brussels (see p. 18-19) at the end of March that the provisional agreement does not include financial services. However, the US president has already indicated that there may be separate measures for this sector. John Mogg also indicated that Safe Harbour could perhaps be used more generally, and not just in the US context.

For more information, please see the website of the Internal Market Directorate of the European Commission at http://europa.eu.int/comm/internal_market/en/index.htm (Media, Information Society & Data Protection - What's new). The current version of the Safe Harbour principles, published on 15th March, is available at http://www.ita.doc.gov/td/ecom.

Draft Safe Harbour Privacy Principles Issued by the US Department of Commerce on 15th March 2000

NOTICE:

An organisation must inform individuals about the purposes for which it collects and uses information about them, how to contact the organisation with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organisation offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organisation or as soon thereafter as is practicable, but in any event before the organisation uses such information for a purpose other than that for which it was originally collected or processed by the transferring organisation or discloses it for the first time to a third party.[1]

CHOICE:

An organisation must offer individuals the opportunity to choose (opt out) whether and how personal information is (a) to be disclosed to third parties, where disclosure is for a purpose other than the purpose for which it was originally collected or subsequently authorised by the individual, or (b) to be used where such use is for a purpose that is incompatible with the purpose(s) for which it was originally collected, or subsequently authorised by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.

For sensitive information, (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual) they must be given affirmative or explicit (opt-in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorised by the individual through the exercise of opt-in choice. In any case, an organisation should treat as sensitive any information received from a third party where the third party identifies it as sensitive.

ONWARD TRANSFER:

An organisation may only disclose personal information to third parties consistent with the principles of notice and choice. Where an organisation has not provided choice and the organisation wishes to transfer the data to a third party, it may do so if it first either ascertains that the third party subscribes to the principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles. If the organisation complies with these requirements, it shall not be held responsible (unless the organisation agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organisation knew or should have known the third party would process it in such a contrary way and the organisation has not taken reasonable steps to prevent or stop such processing.

SECURITY:

Organisations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorised access, disclosure, alteration and destruction.

DATA INTEGRITY:

Consistent with the principles, personal information must be relevant for the purposes for which it is to be used. An organisation may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorised by the individual. To the extent necessary for those purposes, an organisation should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

ACCESS:

Individuals must have access to personal information about them that an organisation holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

ENFORCEMENT:

Effective privacy protection must include mechanisms for assuring compliance with the principles, recourse for individuals to whom the data relate affected by non-compliance with the principles, and consequences for the organisation when the principles are not followed. At a minimum, such mechanisms must include:

a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the principles and damages awarded where the applicable law or private sector initiatives so provide;

b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and

c) obligations to remedy problems arising out of failure to comply with the principles by organisations announcing their adherence to them and consequences for such organisations. Sanctions must be sufficiently rigorous to ensure compliance by organisations.

Footnote:

[1]. It is not necessary to provide notice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organisation. The onward transfer principle, on the other hand, does apply to such disclosures.

URL: http://www.worldlii.org/int/journals/PLBIRp/2000/16.html