Cybertelecom Federal Internet Law & Policy An Educational Project

EU Privacy Directive

Different cultures' perspectives on human rights develop in environments of history and culture. US perspectives on rights continues to empower Americans against the ever present risk that King George might come pounding on our doors and force us to become Anglicans or quarter (house) the British Red Coats. European culture, which took the brunt of Nazi oppression against Jews and anyone else not apart of the Supreme Aryan race, is far more sensitive to privacy invasion.

This has led to a striking departure on approaches to privacy. Puritan American culture tells us that if you have something to hide, you have done something wrong. Post World War II European culture tells us that if those in power are prying, then they have gone too far, and what they might do with that information is not to be trusted.

This dramatically different approach to privacy was marked in October 1998 by the approval of the European Union Directive on Privacy. This created an affirmative uniform approach to privacy within the European Union. Data transactions with entities outside of the EU whose data handling practices were not "adequate" would not be permitted. The scope of this prohibition is broad and covers most all data transfers except as between two private individuals. As the United States does not possess equivalent federal privacy legislation, this created that risk that commerce between these two bodies, valued at $350 billion in 1999, could be interrupted.

The importance both of the privacy concerns and the risk of interruption of commerce had been elevated by ecommerce. Prior to the dot com era, there was little risk that the corner maple syrup store might offend European privacy sensibilities. However, as corners stores became global commercial enterprises (in other words, as they sent up online websites on which to take orders), US commerce and European concerns collided.

In order to divert a privacy train-wreck, the US Department of Commerce, the European Union, industry and non-governmental organizations met and negotiated a voluntary Safe Harbor to the European Directive. No US company is obligated to comply with the safe harbor. They can opt not to participate and Europeans do not have to do business with them. Or perhaps they can opt to comply with the European Directive in a different manner. But if they opt to voluntarily participate in the safe harbor, they will receive the benefit of recognition by the EU that their privacy practices are adequate and transactions will be permitted (An additional benefit is that claims by Europeans against US companies for violation of policies will be heard within the United States).

Safe Harbor Program

This information is out of date

Eligible entities:

Only US organization that fall under the jurisdiction of either the Federal Trade Commission or the Department of Transportation are eligible (this currently excludes financial services, telecommunications services, and non-profits, but check the Department of Commerce website to see if this has been revised).

Be Careful! Eligibility in the Safe Harbor program is NOT the same as who falls under the EU Privacy Directive. Simply because you do not qualify for the Safe Harbor program does not mean you do not nevertheless fall under the EU Directive. Non-profits, for example, do not qualify under the Safe Harbor program but they do fall under the obligations of the EU Directive. Also, not qualifying for the Safe Harbor does not mean you cannot do business in the EU. It merely means that you will have to find another means of complying.

In order to participate in the Safe Harbor, US entities must take the following steps:

• Create a Privacy Policy
• Post the Privacy Policy
• Annually certify to the Department Commerce that you are participating in the program
• Adhere to the Privacy Policy

The Privacy Policy:

In order to be "adequate," privacy policies must reflect the following privacy principles: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement. The Department of Commerce describes these elements as follows:

Derived From: Safe Harbor Workbook, Section II: Overview of the Safe Harbor Framework

Safe Harbor Principles

Notice: An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

Choice: An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice. [See Department of Commerce Safeguards FAQ 12 for an elaboration of the Choice Principle.]

Safe Harbor Sensitive Information Principle: For sensitive information (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive. [Safeguards FAQ 1]

Onward Transfer: To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.

Security: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity: Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. [Safeguards FAQ 8]

Enforcement: Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. [Safeguards FAQ 11]

Posting of Policy: Participants must publicly declare their participation, which means posting their privacy policy on their website.

Certification: Participants must certify annually to the Department of Commerce that they are participating in the program. Certification can be done by having a corporate office send a letter to the Department of Commerce or file out the online form.

US Department of Commerce
International Trade Administration
Office of Electronic Commerce
14th & Constitution Avenues, NW
Washington, DC 20230

Certification should include the following information:

1. name of organization, mailing address, email address, telephone and fax numbers;

2. description of the activities of the organization with respect to personal information received from the EU; and

3. description of the organization's privacy policy for such personal information, including:

a. where the privacy policy is available for viewing by the public,

b. its effective date of implementation,

c. a contact office for the handling of complaints, access requests, and any other issues arising under the safe harbor,

d. the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the annex to the Principles),

e. name of any privacy programs in which the organization is a member,

f. method of verification (e.g. in-house, third party)*, and

g. the independent recourse mechanism that is available to investigate unresolved complaints.

[Safeguards FAQ 6] Certifications will be reviewed only for completeness. [ITAA]

The Department of Commerce keeps a publicly available list on its website of participating organizations.

Note that entities must also provide notice to the Department of Commerce if their representations are no longer valid or if they withdraw from the program (withdrawing from the program merely terminates participation, it does not alter ones obligations with regard to the data already collected).

Enforcement: While there is no U.S. law that requires U.S. companies to participate in the Safe Harbor program, once they participate, they are making a representation and disclosure to the public. Thus, like so many other ecommerce issues, Safe Harbor representations fall under the jurisdiction of the the Federal Trade Commission which has authority over unfair and deceptive representations and practices. The FTC has the authority to seek administrative orders and injunctive relief to rectify non compliance, and civil penalties of up to $12,000 per day.

Entities no longer eligible to participate in the Safe Harbor program must promptly inform the Department of Commerce. Failure to do so is actionable under the False Claims Act. [18 U.S.C. § 1001] The Department of Commerce will indicate on its list those entities that are no longer eligible for the benefits of the safe harbor program, indicating any persistent failure to comply.

Exceptions:

Some exceptions are

Journalistic Exception: "Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Safe Harbor Principles." [Safeguards FAQ 2]

Internet networks and carriers: "To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal data, it would not be liable." [Safeguards FAQ 3]

Non-EU Data: Remember that the Safe Harbor principles apply only to information from the EU. The Safe Harbor program is not relevant to non EU Data.

[See also Safeguards FAQ 13 (travel info), 14 (medical info), 15 (public records)]

References

Law

• Directive 97/66/EC of the European Parliament and the Council of December 15, 1997 Concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector, O.J. 1 (L 24) (Jan 30, 1998) .
• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
• European Commission's Data Protection Documents

Government Activity

• US Safe Harbor Negotiations with the EU
• "The European Commission's Directive on Data Protection went into effect in October,1998, and would prohibit the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these different privacy approaches, the Directive could have significantly hampered the ability of U.S. companies to engage in many trans-Atlantic transactions. 

  "In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework. The safe harbor - approved by the EU in July of 2000 - is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. Certifying to the safe harbor will assure that EU organizations know that your company provides "adequate" privacy protection, as defined by the Directive."  - US Dept of Commerce Safe Harbor Website

• ITA Electronic Commerce Task Force
• US Dept of Commerce Safe Harbor Website
• Overview
• Documents
• Workbook

• BBB Online
• ESRB Privacy Online EU Safe Harbor Program 
• TRUSTe
• PrivacyLaw.net

Govt Papers

• Department of Commerce, Safe Harbor Workbook
• Department of Commerce, Safe Harbor Frequently Asked Questions
• White House Fact Sheet Data Privacy Accord with EU (Safe Harbor) May 31, 2000
• European Data Protection Authorities Panel
• OECD's Privacy Policy Statement Generator
• November 1, 2000 -- The Commerce Department today took an important step towards ensuring the continued growth of e-commerce trade with Europe. U.S. organizations can now sign up to the U.S.-EU safe harbor privacy framework which enables them to comply with EU privacy rules. The new website is www.export.gov/safeharbor.
• Press Release May 2000 Commerce Secretary William M. Daley Hails EU Approval of Safe Harbor Privacy Arrangement
• Patricia M. Sefcik and Jeff Rohlmeier, U.S. Department of Commerce The Safe Harbor Framework, before ITAA Feb 2001

Links

• Department of Commerce List of participating organizations

Papers

• Shaw Pitman United States Adopts Safe Harbor for Compliance with European Union
• Arent Fox US-EU Safe Harbor Agreement
• EU Report Reveals Holes in US Safe Harbor Agreement Privacy Exchange
• The Safe Harbor Framework, ITAA Webcast Feb 16, 2001 Presented by Patricia M Sefcik and Jeff Rohlmeier, US DOC (powerpoint slides).

News

• Workshop: The European Union - United States Safe Harbor Framework: Bridging differences in approaches to Data Protection, ITA 11/8/2005
• DoubleClick Joins US-EU Safe Harbor Program, Washtech 8/22/01
• U.S. Cos. Don't Make 'Safe Harbor' Privacy Grade - Study, Washtech 8/17/01
• Intel on Board With EU-U.S. Privacy Accord, Washtech 7/2/01
• EC: U.S. Privacy Rules Concerns Baseless, InfoWorld 3/29/01
• Bush Team Opposes Proposed Euro Privacy Rules, Reuters 3/29/01
• Safe Harbor Is A Lonely Harbor Jan 5, 2001 wired
• US Businesses Slow To Adopt EU Safe Harbor Agreement Jan 5, 2001 washtech
• Compromise Keeps U.S. Websites Legal In Europe Nov 3, 2000 internetwk
• EU Parliament Nixes Data Privacy Deal July 5, 2000 newsbytes
• EU Nixes Net Privacy Deal July 5, 2000 ecommercetimes
• U.S. , E.U. Approach Safe Harbor Wired May 2000
• U.S., EU hammer out Net privacy plan ZDNet 3/16

 

© Cybertelecom ::