U.S. and EU Data Privacy: ‘2 Worlds Work in Different Ways’
Since the EU’s approval of the Safe Harbor framework in 2000, virtually no complaints have arisen about the degree to which U.S. companies’ privacy protection measures are in compliance with European authorities’ data security laws, Commerce Dept. (DoC), EU and private industry players heard Wed. from German Federal Data Protection Comr. Peter Schaar. But govt. officials speaking at a workshop on bridging U.S. and EU policy differences said determining how well the system is working requires more dialog on both sides of the Atlantic.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The “extraordinary” lack of grievances stems either from a complete absence of data flow or 100% company compliance under the Safe Harbor regime, Schaar joked, noting the reality that “nobody complies completely with the regulations.” The most probable scenario is that Safe Harbor is working but it hasn’t generated enough public attention, so no feedback is being produced in the U.S. or in EU countries, Schaar said: “We have to promote the Safe Harbor approach as well as other basic data protection principles.”
The FTC hasn’t brought any cases under the directive, but Consumer Protection Bureau Dir. Lydia Parnes wasn’t sure if that indicated system success or failure. “I don’t know, I really don’t,” she admitted when asked whether the silence is golden or grim: “Even though there may be issues about raising awareness of Safe Harbor with consumers I think it’s a good thing that we haven’t had a referral. That means that people can’t be that upset about what’s happening as they're dealing with U.S. companies.”
TRUSTe said Safe Harbor complaints have arisen but they haven’t warranted regulatory action. The instances have been handled effectively by individual companies involved or by 3rd-party arbitrators, said Intel Privacy Dir. David Hoffman, who’s on TRUSTe’s board. TRUSTe received 102 complaints in 2005 from citizens in EU member states, but most pertained to minor, easily fixable squabbles. The BBBOnline hasn’t fielded any complaints from the EU, Privacy Dir. Gary Laden reported.
More than 830 organizations, including multinationals, small- and medium-sized firms, are on DoC’s Safe Harbor list. A participating company must provide notice of data collection and its intended use, an opt-out choice for 3rd-party disclosure and “onward transfer,” or application of notice and choice principles when a 3rd party is involved. Protocols also require specific security, data integrity and enforcement procedures. Safe Harbor benefits businesses by ensuring predictability and continuity from all 25 EU nations, an agency spokeswoman said. Adherence to the framework eliminates the need for prior approval to begin data transfer and engenders a simpler and more efficient means of compliance. A company’s noncompliance could result in govt. enforcement action and removal from the Safe Harbor list.
From a European govt. standpoint, progress has been made in recent years, but problems still exist with international data flow, said Rosa Barcelo, an official with the European Commission’s (EC) data protection unit. The FTC’s stance on data breaches is a significant sticking point for her group. “We come from a different perspective,” Barcelo said: “Proactive enforcement is what all the authorities in Europe had in mind when we talk about enforcement.” She said the EC is committed to exploring “how the 2 worlds work in different ways.”
A forthcoming EC report will propose that a few contractual principles for information transfer need some tweaking, Barcelo indicated. The paper, due out in the coming weeks, will call for an assessment of the applicability of the “onward transfer” clause and further examination in the arena of binding corporate rules, where there have already been “very positive developments,” she said.
Regardless of individual countries’ information security and privacy models, international cooperation is an underlying component for success, Schaar said. Globally sensitive issues like spam, IT development and international data transfer depend on it, he said. In the long term, the U.S. and Europe “have to come to a common general privacy information standard,” Schaar argued.
Overall, Safe Harbor implementation is fine but some guidelines for ensuring adequate protection could be improved, Barcelo said. In reviewing the system, the EC felt that some U.S. companies’ privacy policies weren’t as visible as they could have been. The Commission has asked Commerce to continue to review and provide updates on participating organizations’ compliance, she said. Still, Barcelo’s bottom line is: “The EC is happy with the Safe Harbor and hopes Safe Harbor is here to stay.”
Homeland Security Dept. Acting Privacy Chief Maureen Cooney offered a rosy view of the state of Safe Harbor provisions and other data transfer protocols. “We're at the middle of the story, not at the end,” she told the group: “The ending is yet to be written and it looks as though we have the writers right here in this room.”