European Privacy and the Safe Harbor

OPEN ANY NEWSPAPER or magazine and you will find that 'privacy' is the latest media buzzword. In the new information age, tales of information selling, hijacked credit card numbers or stolen identities are more fact than urban legend.

The relative ease of access to personal information has given rise to numerous occurrences of privacy violations. Individuals have become hyper-vigilant about the manner in which personal information is collected, used and transferred.

Recognizing the need for privacy regulation, the European Union implemented privacy legislation known as the European Union Information Protection Directive (Directive) which specifically addresses protection of personal information.

Background

The European Union implemented a strict regime, effective October 1998, for the protection of personal information originating in the European Union and which is collected, used or transferred, manually, off-line or online. Under this regime?the Directive?EU citizens are afforded a bundle of rights related to the collection, use and transfer of personal information. Such rights include: notice of how personal information is collected and used; access to review personal information; the opportunity to correct inaccurate information; and the option of disclosing personal information to third parties.¹ Most importantly, the Directive grants EU citizens the right to challenge privacy violations.

The controversial aspect of the Directive is the prohibition on transfers of personal information from EU member countries to non-EU countries which do not ensure 'adequate protection' of personal information. In essence, the personal information of an EU citizen cannot be transferred to an organization located in a country that does not embrace the strict EU standards of privacy protection. This restriction on cross-border flows of information can have a chilling affect on business relationships between the European Union and non-EU countries.

Safe Harbor Framework

Traditionally, the protection of personal information in the United States, unlike the EU, has been spearheaded by private sector initiatives. Moreover, there has been no standardized framework for protection of personal information in the U.S. Accordingly, privacy protection in this country had been deemed inadequate by the European Union. Thus could the ideological disparities on issues of privacy protection have lead to a breakdown in trade relations between the EU and the United States.

To forestall a potential trade embargo, the U.S. Department of Commerce and the EU reached agreement on information protection issues in the spring of 2000, with the establishment of the Safe Harbor Framework.² This sets forth principles for U.S. organizations to follow to ensure that they are in compliance with the EU data protection standards.³ Moreover, entering the Safe Harbor allows U.S. organizations to avoid dealing directly with EU data authorities. By voluntarily certifying adherence to the Safe Harbor principles regarding collection and use of personal information, an organization is deemed compliant with EU privacy standards and may freely engage in the transfer of personal information from EU member states.

Structuring Compliance

In order to comply with the Safe Harbor principles, an organization has an obligation to adopt, implement and adhere to privacy policies that protect personal information. To qualify as a Safe Harbor organization, privacy policies should follow the basic Safe Harbor principles:⁴

Notice. An organization's privacy policy must be easily accessible, clear and concise. The policy should: 1) inform customers of the purposes for which personal information is collected and used; 2) disclose which third parties have access to personal information; and 3) inform customers of options for limiting use or disclosure of their personal information.

Choice. Customers should be given the opportunity to determine whether and how personal information is used, collected and transferred. An organization should offer customers opportunity to 1) choose (opt out) whether personal information can be disclosed to a third party or used for a purpose other than what the organization disclosed and 2) give affirmative consent (opt in) to allow sensitive information such as race, religion, sexual preference or health condition to be transferred to third parties.

Onward Transfer. Organizations should ensure that business partners or third parties which obtain customer information, comply with the Safe Harbor principles.

Security. Organizations should take reasonable precautions to protect against the loss, disclosure, alteration, misuse or unauthorized access of personal information.

Data Integrity. Organizations should take steps to ensure that customer information is accurate, complete and relevant for the purposes for which such information is to be used.

Access. Organizations should provide reasonable customer access to correct, amend or delete inaccurate information. Such access mechanisms should be user-friendly and confirm that inaccuracies have been corrected.

Enforcement. Organizations should develop a mechanism for assuring compliance with the Safe Harbor principles. Such a mechanism should include: 1) investigative and dispute resolution procedures; 2) verification of compliance with Safe Harbor principles; 3) assurance that privacy practices have been implemented as presented; 4) distribution of damage awards when appropriate; and 5) the establishment of remedies for violations of the Safe Harbor principles.

When joining the Safe Harbor, organizations must specify to which types of information the Safe Harbor principles will apply, i.e., manually processed information, information processed off-line or information processed on-line.

Some Common Questions

The new Safe Harbor principles raise many questions for U.S. organizations concerned about receiving personal information from the European Union. Unfortunately all the Issues that may arise under the Safe Harbor Framework cannot be addressed at this time, since this mechanism has not, to date, been tested. In an attempt to address some of the issues that may arise, the Department of Commerce has listed some Frequently Asked Questions (FAQs) on the Safe Harbor site.⁵ Some of the issues addressed by the FAQs are as follows.

How Does an Organization Join the Safe Harbor? U.S. organizations have the option of: (i) joining a self-regulatory privacy organization that adheres to Safe Harbor principles; (ii) developing their own self-regulatory privacy programs which comply with Safe Harbor principles; or (iii) certifying annually with the Department of Commerce by outlining measures taken by the organization to comply with Safe Harbor principles. Note that once an organization certifies that it adheres to the Safe Harbor principles, the organization is subject to the supervision of the Federal Trade Commission (FTC) or the Department of Commerce.

U.S. organizations may certify for the Safe Harbor by letter or by registering at that Department of Commerce Web site located at . It is important to note that the Safe Harbor only currently applies to U.S. organizations that fall under the jurisdiction of the Department of Commerce or the FTC.

How Are the Safe Harbor Principles Enforced? Issues regarding the enforcement of the Safe Harbor principles will theoretically be adjudicated and subject to the laws of the United States. Therefore, under the Safe Harbor, claims of privacy violations brought by EU citizens may be resolved in the U.S. There is some doubt, however, that there will be sufficient legal recourse for European victims of privacy violations under the existing U.S. tort laws, since laws related to information privacy remain relatively untested in the U.S. courts.⁶ Thus, enforcement is largely dependent on private sector activity, privacy organizations and U.S. regulatory agencies.⁷ However, if such enforcement practices do not pass muster with the EU, it is possible that the Safe Harbor Framework may break down.

What Are the Sanctions for Safe Harbor Violations? The sanctions for non-compliance with the Safe Harbor principles range from suspension from the Safe Harbor to the award of damages to individuals for privacy violations. Other sanctions include public notice of non-compliance and injunctions. Persistent non-compliance with Safe Harbor principles may result in the loss of its benefit. It is unclear at this time how the sanctions will be enforced and how swiftly regulatory agencies will act to punish non-compliant organizations.

Conclusion

It is difficult to predict whether the Safe Harbor Framework will ultimately succeed. Success will be wholly dependent on the European Union's satisfaction with protection and enforcement activities in the United States. As the Department of Commerce spends the next few months promoting the benefits of Safe Harbor, U.S. organizations still question the feasibility of complying with the strict EU data protection standards. Thus, the novelty of the Safe Harbor has prompted many U.S. organizations to adopt a wait and see attitude. In fact, only 30 have entered the Safe Harbor as of April 2001.

The issue now is what an organization should do to shield itself from European Union sanctions. Of course, the safest solution [for the moment] is to enter the Safe Harbor. More importantly, organizations that receive personal information from the EU should begin to develop a data protection infrastructure that complies with the Directive's privacy standards. Such an Infrastructure must include:

1) a well-developed privacy policy which incorporates the principles similar to those under the Safe Harbor Framework but that is tailored to the organization's business needs;

2) a mechanism for enforcement of the privacy policy;

3) data security systems; and

4) person(s) in-house who will be responsible for overseeing issues related to privacy.

Finally, U.S. organizations dealing with EU data transfers should pay special attention to any changes under the Safe Harbor Framework as well as data protection activities Iin the European Union, and adapt privacy policies accordingly.

Footnotes

¹ Directive 95/46/EC of the European Parliament and the Council of 24 Oct. 1995 on the protection of Individuals with regard to the processing of personal data and the movement of such data, available at .

² Jason Spingarn-Koff, 'European Union Oks 'Safe Harbor',' Wired News, May 31, 2000, available at http:/www.wired.com/news/politics/o,1283,36671,00.html>.

³ United States Dept. of Commerce, Int'l Trade Adm, Notice: Issuance of Safe Harbor Principles and Transmission to European Commission, 65 Fed. Reg. 45665-45686 (July 24, 2000).

⁴ Id.

⁵ Dept. of Commerce, Export Portal-Safe Harbor, Documents, Frequently Asked Questions available at .

⁶ Testimony of Joel R. Reldenberg before the Subcommittee on Commerce, Trade and Consumer Protection, Committee on Energy and Commerce, United States House of Representatives, Hearing on the EU Data Protection Directive: Implications for the U.S. Privacy Debate (March 8, 2001).

⁷ The Federal Trade Commission has made a commitment to review complaints of privacy violations from the European Union.

This article appeared in the New York Law Journal, 'E-Commerce' section, 
on April 30, 2001.

Midge M. Hyman is a partner at Cowan, Liebowitz & Latman PC,