November 4, 1998
Dear Industry Representatives:
The European Union's comprehensive privacy legislation, the Directive on Data Protection, which became effective on October 25, 1998, prohibits the transfer of personally identifiable data to third countries that do not provide an "adequate" level of privacy protection. Because the United States relies largely on a sectoral and self-regulatory, rather than legislative, approach to effective privacy protection, many U.S. organizations are uncertain about the impact of the "adequacy" standard on personal data transfers from the European Community to the United States.
In an effort to find ways to bridge differences in our approaches to privacy, the U.S. Department of Commerce, on behalf of the U.S. Government, and Directorate General XV of the European Commission have been engaged in a dialogue on privacy for the past several months. We have discovered that, despite our differences in approach, there is a great deal of overlap between U.S. and EU views on privacy. Given that, and to minimize the uncertainty that has arisen about the Directive's effect on transborder data transfers from the European Community to the United States, the Department of Commerce and the European Commission have discussed creating a safe harbor for U.S. companies that choose voluntarily to adhere to certain privacy principles.
Organizations within the safe harbor would have a presumption of adequacy and data transfers from the European Community to them would continue. Organizations could come within the safe harbor by self certifying that they adhere to these privacy principles. The status quo ante would exist for firms that choose not to take advantage of the safe harbor.
Safe Harbor Principles. Identifying the appropriate privacy principles is clearly central to this approach. Such principles must provide "adequate" privacy protection for European citizens. They must also reflect U.S. views on privacy, allow for relevant U.S. legislation, regulation, and other public interest requirements, and provide a predictable and cost-effective framework for the private sector. Accordingly, we have drafted the attached principles, based on the Department's discussion paper, "The Elements for Effective Privacy Protection," the 1980 OECD Privacy Guidelines, private sector self-regulatory online privacy programs, and discussions with industry and the European Commission.
Please note that these principles are designed to facilitate a bilateral understanding between the U.S. and European Community and thus to enhance commerce between the U.S. and the European Community. They are not intended to govern or affect U.S. privacy regimes, which are being addressed by other government and private sector efforts. Adoption of the principles is voluntary and their use is intended solely by U.S. organizations receiving personal data from the European Union for the purpose of qualifying for the safe harbor. We welcome comments from your organization by November 19, 1998, particularly if you transfer or receive personal information from organizations located in the European Community.
Benefits of the Safe Harbor. While the specific terms of the safe harbor arrangement are still under discussion with the European Commission, it is our position that organizations that decide to take advantage of the safe harbor would also benefit in the following ways:
Exceptions. It is important to bear in mind that the exceptions listed in Article 26 of the EU Directive are still applicable to all data transfers from the European Union to the United States. Those include transfers to third countries where 1) an individual has given unambiguous consent; 2) the transfer is necessary to complete a contract between the individual and the organization or a contract is concluded in the interest of the individual between the organization and a third party; 3) the transfer is necessary or legally required on important public interest grounds or for legal actions; 4) the transfer is necessary to protect the vital interests of the individual; or 5) the data comes directly from public records. We have also tried to capture all the relevant exceptions created by U.S. law and regulation in the preamble to the principles.
Please note that these principles are necessarily broad in order to encompass the widest possible range of industries and organizations. We recognize, as a result, that there may be implementation and industry specific questions that the principles do not address. We, therefore, also plan to issue additional guidance on their implementation in the form of commonly asked questions and answers, and we welcome your proposals for these as well.
Organizations should also be aware that these draft principles may undergo additional revisions as the negotiations proceed. We will continue to consult closely with the private sector representatives.
Your comments will give the Department valuable guidance as it proceeds in negotiations with the European Commission. Information on how to provide your comments is provided below.
David L. Aaron
A: How to Submit Comments
B: Draft International Safe Harbor Principles
Please send your comments by November 19, 1998, to Eric Fredell, Task Force on Electronic Commerce, International Trade Administration, Department of Commerce, 14th and Constitution Avenue, N.W., Washington, DC 20230 (tel: 202-482-0343 / fax: 202-501-2548 / email: email@example.com).
The European Union's comprehensive privacy legislation, the Directive on Data Protection, became effective on October 25, 1998. It prohibits the transfer of personally identifiable data to non-EU countries that do not provide an "adequate" level of privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a very different approach to privacy than that taken by the European Community. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. Given those differences, many U.S. organizations have expressed uncertainty about the impact of the "adequacy" standard on personal data transfers from the European Community to the United States.
To ameliorate this uncertainty and provide a more predictable framework for such data transfers, the Department of Commerce is issuing these principles under its statutory authority to foster, promote, and develop international commerce. The principles were developed in consultation with the private sector to facilitate trade and commerce between the United States and the European Union. They are intended for use solely by U.S. organizations transferring personal data from the European Union to the United States for the purpose of qualifying for the safe harbor and the presumption of "adequacy" it creates. Adherence to these principles by such organizations is entirely voluntary.
Please note that an organization qualifies for the safe harbor if it is subject to a statutory, regulatory, administrative, or other body of law that effectively protects personal information privacy. An organization may also qualify for the safe harbor through membership in private sector developed privacy programs that adhere to these principles. In addition, adherence to these principles is subject to national security, risk management, information security, public interest, regulatory compliance and supervision, and law enforcement requirements as well as to other legal and regulatory obligations, authorizations, and exceptions. Finally, these principles do not apply to proprietary or manually processed information.
1. NOTICE: An organization must inform individuals about what types of personal information it collects about them, how it collects that information, the purposes for which it collects such information, the types of organizations to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language that is readily understood and made available when individuals are first asked to provide personal information to the organization.
2. CHOICE: An organization must give individuals the opportunity to choose (opt out choice) whether and how personal information they provide is used (where such use is unrelated to the use(s) for which they originally disclosed it). They must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise this option. For certain kinds of sensitive information, such as medical information, they must be given affirmative or explicit (opt in) choice.
3. ONWARD TRANSFER: Individuals must be given the opportunity to choose whether and the manner in which a third party uses the personal information they provide (when such use is unrelated to the use(s) for which the individual originally disclosed it). When transferring personal information to third parties, an organization must require that third parties provide at least the same level of privacy protection as originally chosen by the individual. For certain kinds of sensitive information, such as medical information, individuals must be given opt in choice.
4. SECURITY: Organizations creating, maintaining, using or disseminating records of personal information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, misuse, unauthorized access or disclosure, alteration, or destruction.
5. DATA INTEGRITY: An organization must keep personal data relevant for the purposes for which it has been gathered only, consistent with the principles of notice and choice. To the extent necessary for those purposes, the data should be accurate, complete, and current.
6. ACCESS: Individuals must have reasonable access to information about them derived from non public records that an organization holds and be able to correct or amend that information where it is inaccurate. Reasonableness of access depends on the nature and sensitivity of the information collected and its intended uses. For instance, access must be provided to an individual where the information in question is sensitive or used for substantive decision-making purposes that affect that individual.
7. ENFORCEMENT: Effective privacy protection must include mechanisms for assuring compliance with the principles, recourse for individuals, and consequences for the organization when the principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which individuals' complaints and disputes can be resolved; (b) systems for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of, and consequences for, organizations announcing adoption of these principles and failing to comply with them. Sanctions must be sufficient to ensure compliance by organizations and must provide individuals the means for enforcement.
Note: Organizations may satisfy the requirements set forth in Principle 7: (a) through compliance with private sector developed privacy programs that include effective enforcement mechanisms of the type described in Principle 7; or (b) through compliance with legal or regulatory supervisory authorities; or (c) by committing to cooperate with data protection authorities located in the European Community.