Automatically imported from: http://commons.somewhere.com:80/rre/1998/RRE.EU.US.Privacy.safe.h.html
This web service brought to you by Somewhere.Com, LLC.
[RRE]EU/US Privacy safe harbor
``` [The background of this letter is that the European Union recently put into effect its Data Protection Directive, which instructs EU member nations on how to harmonize their existing privacy laws, as well as establishing institutional mechanisms for the enforcement of those laws, most particularly through citizen complaints. The most celebrated feature of the Directive is its position that, with some exceptions, personal information cannot be transferred to non-EU countries whose privacy laws are not adequate by EU standards. The United States is almost certainly such a country, and feverish activity has been going on to permit American companies to do business in Europe. Companies have a legitimate interest in a regulatory environment that is clearly defined and predictable, and US companies have been searching for a "safe harbor" policy that defines actions that they can take to shield themselves from legal action. The US Department of Commerce recently issued a draft "safe harbor" proposal, and this letter was sent as part of that proposal's public comment process. The authors of this letter are legal experts who cover much of the spectrum of serious opinion on privacy policy. I have reformatted their letter to remove special characters, insert a second space after each sentence, and confine the text to 70 columns.]
---
This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html or send a message to requests@lists.gseis.ucla.edu with Subject: info rre
---
Date: Thu, 19 Nov 1998 10:54:32 -0500
From: "Joel R. Reidenberg"
[...]
---
Joel R. Reidenberg
Professor of Law
Director, Graduate Program
Academic Affairs
Fordham University School of Law
140 W. 62nd Street
New York, NY 10023 (USA)
Tel: 212-636-6843
Fax: 212-636-6899
Email:
---
November 18, 1998
Ambassador David L. Aaron
Undersecretary for International Trade
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230
Comments re: International Safe Harbor Privacy Principles
Dear Ambassador Aaron:
We are the authors of four recent books and monographs -- Data Privacy Law: A Study of United States Data Protection (Michie 1996), Privacy in the Information Age (Brookings 1997), None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (Brookings 1998), and Data Protection Law and On-line Services: Regulatory Responses in Belgium, France, Germany and United Kingdom (European Commission, forthcoming 1999) -- examining the European Union's data protection directive (Directive 95/46/EC), the "adequacy" of United States privacy protection under Articles 25 and 26 of that directive, and substantive data protection law in several European Union Member States. Four of us are law professors who teach and research extensively in the areas of privacy and information law; the fifth is director of economic studies at The Brookings Institution and a former deputy assistant attorney general in the Antitrust Division of the Justice Department and former associate director in the Office of Management and Budget.
The views we express below are ours alone; they do not necessarily represent the views of the institutions with which we are affiliated nor have we received any financial or other compensation for preparing these comments.
In our respective writings and public statements concerning privacy, we have disagreed frequently and, on occasion, sharply about the desirable level of substantive privacy protection for personal information and about the constitutionality, effectiveness, and the advisability of various means of achieving privacy protection. We submit these comments jointly today to highlight the fact that, despite our divergent views on other privacy issues, on these critical points we are in complete agreement. In addition to these joint comments, Professor Swire is also submitting a set of technical observations.
We appreciate the opportunity to submit comments on the November 4, 1998, draft of International Safe Harbor Privacy Principles, and we applaud the Department of Commerce, you, and your colleagues for pursuing discussions with the European Union to create a set of international principles that would be recognized globally as meeting the requirements of Articles 25 and 26 of Directive 95/46/EC. Agreement on such principles would diminish the threat that enforcement of the data protection directive might interrupt trade with the European Union and reduce the transaction costs associated with complying with the Directive.
The key to creating effective principles and achieving the benefits that such principles promise, however, is in their specificity and comprehensiveness. Specific, comprehensive principles make it comparatively easy for consumers, businesses, and regulators alike to know what is expected, what level of privacy is provided, and whether there is compliance. Such principles also diminish the room for conflicting interpretations by information collectors and users and by national data protection regulators, thereby increasing the certainty that the principles will, in fact, constitute "adequate" data protection and therefore a safe-harbor under Directive 95/46/EC.
We believe that the proposed International Safe Harbor Privacy Principles are too vague and incomplete to serve their intended purpose. Specifically, we believe the following examples reflect substantial difficulties for international data transfers that this proposed draft does not resolve:
1. The applicability of the "Safe Harbor" is ambiguous
We find the scope of application of the "safe harbor" perplexing. The preamble seems to merge sectoral regulation that may provide a statutory basis for "adequacy" with collective, industry self-regulatory schemes and isolated independent mechanisms. Yet many issues for compliance and the sufficiency of each of these means to satisfy "adequacy" are different. In addition, the "safe harbor" does not delineate how to treat a company that subscribes to the principles in connection with one set of activities, such as on-line services, but engages in many others such as employee data transfers. Furthermore, the draft exempts "proprietary information" from the principles without any definition. We do not understand what this term means in relation to the generally accepted definition of "personal information" as information relating to an identified or identifiable person.
2. Transparency is not yet accomplished
The "safe harbor" leaves a number of critical issues for transparency unresolved. For example, the notice requirement does not include any disclosure of the identity of the organization collecting personal information. We also believe the provision on access leaves significant ambiguity in the ability of individuals to see the information relating to them. "Reasonable access" is only vaguely defined in the clause and likely to be interpreted quite differently by the various stakeholders. At the same time, the blanket exclusion of public record information from the access right raises serious questions about whether the resulting data protection is "adequate" under Directive 95/46/EC.
In addition, the "safe harbor" is silent on the transparency of those companies subscribing to the principles; there is no provision for the public disclosure of companies promising to adhere to the "safe harbor." For example, a statement in corporate disclosure documents such as Form 10K or 10Q filed with the Securities and Exchange Commission would make adherence public and indicate that a particular company thought compliance was material to its business practices.
3. The role of consent
We are concerned that the "safe harbor" relies too heavily on consent as an absolute basis for any treatment of personal information. Especially in the case of sensitive information such as medical data, consent may not be recognized as an appropriate ground for certain uses of personal information. For example, it is doubtful whether consent should be considered valid where medical care is provided to a sick patient on condition of using personal medical information for marketing purposes.
4. Enforcement is ill-defined
We are unconvinced that the draft "safe harbor" provision on enforcement adds a meaningful standard to the principles. The list of mechanisms by which compliance might be assured does not contribute to clear rules or practices for companies to follow or for individuals to pursue in the vindication of claims. The draft gives no guidance on the content for "systems for verifying that the attestations and assertions business make . . . are true" nor does the draft provide any indication as to how such measures might overcome the rejection of non-independent supervision by data protection authorities. Even with respect to remedies, the draft is too vague to provide any guidance. Enforcement in the American legal system typically includes causes of action and damages for violations of standards. The draft speaks of "recourse" and "consequences," yet does not establish any useful criteria for dispute settlement nor address the question of damages for injuries caused to individuals by violations of the principles. In combination with the vagueness of the substantive principles, the enforcement provision offers unclear protection for individuals and uncertainty for U.S. business.
Moreover, we are concerned by the confusion regarding the legal effect of the proposed International Safe Harbor Privacy Principles. Typically, American law uses the term "safe harbor" to mean a set of precisely defined practices recognized by a designated regulatory agency to satisfy an existing legal obligation in the United States. In the absence of U.S. statutory obligations, we understand this "safe harbor" is, instead, intended as a designation by the European Union that U.S. companies complying with the terms of these principles would qualify to transfer personal information to the United States under Article 25(6) or Article 26 of Directive 95/46/EC. Under Directive 95/46/EC, a determination of the sufficiency of these principles will be made by the Commission subject to referral to the Committee, consisting of representatives from each of the Member States, established under Article 31 of the Directive, and, if necessary, to referral to the Council of Ministers for an overruling decision. In making the initial determination on the value of these principles as "adequate" data protection, the Commission consults with the Working Party, composed of representatives of the data protection supervisory agencies of the Member States, established under Article 29 of the Directive. Although the opinion of the Article 29 Working Party is only advisory, each of the group's members has enforcement responsibilities for international data transfers. Hence, even if these principles are accepted by the Commission and the Article 31 Committee or the Council of Ministers, European law and Directive 95/46/EC require the data protection agencies in each of the European member states to interpret whether there is compliance and accord a significant margin for interpretation to those agencies.
The Working Party has addressed itself for the past two years to the question of what constitutes "adequate" data protection under Articles 25 and 26. Those views are collected in the Working Party's report this summer, Working Document on Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive. While our views on the substance of the Working Party's conclusions differ, we are agreed that the current draft of the International Safe Harbor Privacy Principles appears inconsistent with the Working Party's conclusions. In particular, the vagueness and omissions in the draft International Safe Harbor Privacy Principles contradict the search for specific substantive standards enumerated in the Article 29 Working Party's opinions. We do not, therefore, believe that these principles will resolve the international data flow issues for U.S. companies at the member state level and urge you to explore the problems of interpretation that these principles will create.
Thank you again for your efforts to create International Safe Harbor Privacy Principles. We appreciate this opportunity to comment and we stand ready, individually and collectively, to work with you to address the concerns and ambiguities that we have identified and to provide any other assistance you might require in completing your important task.
Respectfully submitted,
Fred H. Cate
Professor of Law
Indiana University School of Law -- Bloomington
Author, Privacy in the Information Age
211 South Indiana Avenue
Bloomington, IN 47401

Robert E. Litan
Director, Economic Studies
The Brookings Institution
Co-Author, None of Your Business
1775 Massachusetts Avenue, N.W.
Washington, DC 20036

Joel R. Reidenberg
Professor of Law
Fordham University School of Law
Co-Author, Data Privacy Law and Data Protection Law and On-line Services
140 West 62nd Street
New York, NY 10023

Paul M. Schwartz
Professor of Law
Brooklyn Law School
Co-Author, Data Privacy Law and Data Protection Law and On-line Services
250 Joralemon Street
Brooklyn, NY 11201

Peter P. Swire
Professor of Law
Ohio State University College of Law
Co-Author, None of Your Business
55 West 12th Avenue
Columbus, OH 43210
```