NAVIGATING INTERNATIONAL PRIVACY WATERS: THE
INTERNET, PERSONAL DATA & SAFE HARBORS
(2001)
Few computer law issues have attracted as much attention as
the Internet and its impact on individual privacy rights. Applying
privacy concerns to an increasingly global market that embraces the
Internet presents formidable hurdles to any business.
While some wondered how businesses could comply with foreign privacy
laws when we lacked any consensus on privacy issues at home, the United
States Commerce Department and the European Commission acted to create a
"safe harbor" for U.S. businesses receiving personal data from European
Union (EU) member states. These safe harbor protections represent
a major step toward facilitating international commerce. While the
Commerce Department's safe harbor measures benefit businesses of all
sizes, the relatively easy and inexpensive requirements for compliance
make the safe harbor provisions particularly attractive to mid- and
small-sized enterprises. This firm has monitored the development
of these laws and advised clients regarding compliance
requirements. We welcome this opportunity to raise awareness
regarding the protections and business opportunities that result from
the safe harbor provisions.

Both the U.S. and the EU strive to protect personal privacy; however,
each takes a different approach. The U.S. relies on a combination of
legislation, government regulation, and self-regulation, backed by
litigation, to ensure that personal privacy is protected. The EU, on
the other hand, has taken a strictly regulatory approach: its member
states have established government data protection agencies that
oversee data transfers, require the registration of databases, and
must sometimes grant approval before personal data transfers may
begin. The differing approaches of the U.S. and the EU have led to
inconsistencies that threatened to interrupt the flow of data from EU
member states to the U.S. This threat to U.S. businesses was further
underscored in October 1998, when the EU's Directive on Data
Protection (the "Directive") went into effect.
The Directive prohibits the transfer of personal data to companies in
non-EU countries unless "adequate" privacy standards are observed to
protect that data. Before an EU member state could transfer data to a
non-member nation, prior approval was required.

To assist U.S. businesses, the Commerce Department sought a practical
means of complying with the Directive. It consulted with the European
Commission to develop "Principles" governing data transfers from EU
member states to the U.S. Last year the European Commission decided
that the proposed safe harbor arrangement with the Commerce Department
provides adequate protection for personal data transferred from the
EU. As a result, a company complying with the Principles is considered
to meet the Directive's adequacy requirement.
The adopted Principles are: Notice, Choice, Onward Transfer, Security,
Data Integrity, Access, and Enforcement. The Notice and Choice
Principles are designed to ensure that individuals are advised about
how information collected about them will be used, and are informed of
the types of third parties to whom such information will be disclosed,
so that individuals may choose (i.e., opt out) whether to disclose
their personal information. The Security Principle requires that
reasonable precautions be taken to protect information from loss,
misuse, and unauthorized access, disclosure, alteration, and
destruction. Under the Access Principle, individuals must have access
to personal information pertaining to them so that they may correct,
amend, or delete inaccurate information. Finally, the Enforcement
Principle requires that organizations provide mechanisms to ensure
compliance, recourse for individuals affected by non-compliance, and
consequences for the organization when the Principles are not
followed.
Organizations that receive personal data transfers from the EU
and comply with the Principles receive automatic approval from the
appropriate EU member countries, and all 15 EU member states are bound
by the European Commission's finding of adequacy. This in turn
results in a safe harbor for U.S. businesses and may insulate such
companies from enforcement action by European authorities for privacy
law violations.
Participation in the Principles is entirely voluntary, and the
safe harbor provisions are intended for use solely by U.S. organizations
receiving personal data from the EU. Companies that wish to take
advantage of the safe harbor provisions may qualify in various ways
including self-certification, or by joining a self-regulatory privacy
program that adheres to the Principles.
© 1999-2008 Donahue Gallagher Woods
LLP. All rights reserved.