After more than two years of negotiation, the European Commission approved a set of "Safe Harbor" principles proposed by the U.S. Department of Commerce on July 27, 2000. Stringent data protection legislation in Europe prohibits transfer of personal information concerning its citizens to countries, such as the United States, that do not meet the privacy standards applied within the European Union. This would have been an economic disaster for American airlines, hotel chains, human resource agencies, credit card companies or other businesses that rely on transborder flow of personal data from Europe for their day-to-day practices. The agreement may avert this economic disaster, by allowing U.S. companies wanting to transfer data across the Atlantic to comply with European standards by voluntarily signing on to the Safe Harbor principles.
Transatlantic discussion began shortly before October 1998, the effective date for the EU Directive 95/46/ED on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Some countries have yet to incorporate aspects of the Directive in their national law. The Directive was designed to harmonize the differences in existing privacy laws between the EU member countries, and to create a smooth transborder flow of information within the common market.
In Europe, privacy is considered a human right. It is mentioned in the European Convention for the Protection of Human Rights and Fundamental Freedoms. This Directive reflects this profound concern for privacy.
The Directive is very broad in scope, and requires each of the member states to enact laws governing the processing of personal data: "information relating to an identified natural person ('data subject')." Processing of data is defined expansively as "any operation or set of operations which is performed upon personal data, whether or not by automatic means such as collection, recording, organization, storage, adaptations or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction." However, the Directive does provide a qualified exemption for data collected for journalistic purposes.
The Directive applies to public agencies as well as to private entities. It states that data collectors can use personal data only for the purpose for which they were originally collected, and may be kept no longer than necessary for that purpose. The data have to be kept up to date, accurate and must be accessible to the data subject. Furthermore, data can only be "processed" with the consent of the data subject. The processing of sensitive information such as race, ethnicity, political opinions or sexual orientation is subject to even more restrictions. The Directive sets a very high standard for data protection, and forbids the transfer of personal data to countries that do not provide an adequate level of protection.
The United States, with its "patchwork quilt" of data protection legislation consisting of federal and state statutes that primarily regulate government use of personal data, does not meet this standard of "adequate" protection. But more than two years of transatlantic negotiating has led to an agreement that allows individual American companies to engage in data transfer activities as long as they join the voluntary, self-regulatory Safe Harbor regime. The Safe Harbor mechanism is a compromise between the strict rules of the EU and the self-regulatory approach favored by the United States. Organizations that want to invoke the Safe Harbor must follow seven principles:
- NOTICE: An organization must notify a data subject of the intended use of his data, and must provide him with information on how the organization can be contacted, what types of third parties the data will be shared with, and how the data subject can gain access to his data.
- CHOICE: An individual must be given the opportunity to "opt out" from having her information disclosed to a third party or from having the organization use her information for a different purpose that it was collected for originally (secondary use). In order to disclose or use sensitive information for a secondary purpose, an organization must obtain the explicit consent from the data subject by providing her with a "opt in" form.
- ONWARD TRANSFER: An organization that wishes to share personal information transferred from the EU with third parties must abide by the notice and choice principles, and may do so only if this third party organization also subscribes to the Safe Harbor principles.
- SECURITY/DATA INTEGRITY: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- ACCESS: Individuals must have access to personal information about them, and be able to correct, amend or delete information where it is inaccurate.
The enforcement principle has been the primary source of disagreement between the EU and the United States. The EU did not have confidence that privacy seal programs and privacy policies would carry enough weight to ensure that businesses would abide by the data protection principles. The United States, however, was reluctant to monitor private businesses, continuing to favor the self-regulatory approach. Ultimately, an agreement was reached in which the Federal Trade Commission has stepped up as the privacy enforcer in the United States.
The solution that was reached is a mixture of the American and European approach: self-regulation with teeth. This approach tries to bridge the huge gap between the American system of self-regulation and the European legal privacy framework.
Organizations voluntarily sign up for the Safe Harbor. A list of all organizations which have joined will be maintained by the Department of Commerce. Enforcement will primarily be through alternative dispute resolution mechanisms such as TRUSTe or BBBOnline. If "harborites" fail to comply with the rulings of these bodies, the FTC will be notified. The commission can then take further steps against them under section 5 of the Federal Trade Commission Act. This act declares "unfair or deceptive acts or practices in or affecting commerce" to be illegal. In a number of letters to the EU, FTC chairman Robert Pitofsky convinced the EU that the agency had jurisdiction in this matter.
From the EU perspective, this agreement has been welcomed by Internal Market Commissioner Frits Bolkenstein as a package that "will facilitate trans-Atlantic information flows by providing legal certainty for operators and the safeguards consumers demand to protect their privacy." On this side of the Atlantic, however, the national Business Coalition on E-commerce and Privacy, a consortium of companies and associations representing diverse economic sectors, has expressed its concern that American businesses are forced to adopt costly European data protection principles, though no such laws exist in the United States.
Others have pointed out that the EU system is simply not a good model to follow because it was drafted in a time when centralized mainframe computers ruled, and data collection was time consuming and expensive. Whether this legal framework will be workable in the information age, where personal data can be collected much more easily and surreptitiously is unclear.
Privacy advocates, on the other hand, have seen in the Safe Harbor agreement a powerful rhetorical device to push for more legislation in the United States. Junkbuster's president, Dr. Jason Catlett, asked the National Governors' Association in the summer of 2000 why the United States government is "supporting privacy rights for foreigners and opposing those same privacy rights for its own people?"
The Safe Harbor became effective on November 1. It remains to be seen how this mixture of self-regulation and enforcement will work in reality. For American business, however, the immediate threat of having data transfer from Europe curtailed is suspended, at least for the time being. The EU has declared it will not "freeze" any data transfer at least until the middle of 2001. By Bastiaan Vanacker