Safe Harbor Privacy Framework



Regulations governing consumer privacy, including privacy on the Internet, have long been much stronger in the European Union (EU) than in the United States. Directive 95/46/EC, the European Community Directive on Data Protection, was adopted in October 1995 and took effect in October 1998. It established minimum standards for the protection of individuals' personal data, including data collected from users online, and it requires every EU member state to enact and enforce comprehensive legislation that meets those standards.

Article 25 of the Directive prohibits the transfer of personal data from any EU member state to a country that does not ensure an "adequate" level of privacy protection. The U.S. is among the countries lacking an adequacy finding, since it has no comprehensive national data-privacy law that meets the EU standard; U.S. privacy law is sectoral, and the federal government has instead permitted American companies to address privacy through self-regulation, an approach many EU officials regard as too lax to safeguard individuals who use the Web.

To address EU concerns, the U.S. Department of Commerce (DOC), in consultation with the European Commission, drew up the Safe Harbor Privacy Principles, a set of principles intended to meet the "adequate protection" standard of the Directive. The European Commission approved the principles in July 2000, and the Safe Harbor program went into effect in November of that year.

Participation in the Safe Harbor program is voluntary, but the DOC asserts that it eliminates the need for prior approval of each data transfer from the EU. Participating organizations self-certify their compliance in writing to the DOC each year and must state their adherence to the principles in their published privacy policies. The DOC makes the list of all self-certified organizations available to the public. In exchange, a certified U.S. company is treated as providing adequate protection, so EU organizations may transfer personal data to it, and enforcement of the principles against the company takes place under U.S. law rather than under the EU member states' data-protection laws.

The Safe Harbor program comprises seven principles (notice, choice, onward transfer, access, security, data integrity, and enforcement). All participating organizations must agree to:

  • Notify Internet users about the type of data collected at the Web site, the manner in which it is collected, for what purpose, and whether it will be disclosed to third parties. They must also inform users of options for limiting the use and disclosure of that information.
  • Give individuals the chance to opt out of having their personal data disclosed to third parties or used for a purpose other than the one for which it was collected; for sensitive data, such as health, ethnic-origin, political, or religious information, an explicit opt-in is required.
  • Transfer data onward only to third parties that themselves subscribe to the Safe Harbor principles, are subject to the Directive or another adequacy finding, or agree in writing to provide at least the same level of privacy protection.
  • Facilitate individuals' access to their personal data and provide a means for them to correct inaccurate information.
  • Undertake "reasonable precautions" to secure the data from loss, alteration, or unauthorized access or disclosure.
  • Use the data only for purposes that have been disclosed to the individuals, and take reasonable steps to ensure that it is relevant to those purposes, reliable, accurate, complete, and current.
  • Put in place enforcement mechanisms that will ensure compliance. These include providing accessible, affordable, and independent venues through which individuals can lodge complaints for breach of Safe Harbor principles and through which justifiable damages can be awarded, and a system to verify that the company has in fact implemented the Safe Harbor principles.

American companies can adopt a variety of strategies to participate in Safe Harbor. These include joining a self-regulatory program that meets the Safe Harbor guidelines or implementing their own organizational privacy policies that meet those same guidelines. An organization that self-certifies and then violates the Safe Harbor principles may be held liable under state or federal unfair or deceptive trade practices law; for most companies this means Section 5 of the Federal Trade Commission Act, enforced by the FTC.

Another option may permit American companies to bypass the Safe Harbor program altogether by using "model contracts" between the EU organization exporting the data and the U.S. recipient, binding the recipient to the standards of the EU's data-protection laws. Such contracts may require approval by the relevant EU country's data-protection authority. As of 2001, standard contractual clauses were still under negotiation between EU data-protection authorities and the U.S. DOC. Members of the American business community, however, warned that the standards enshrined in such contracts might prove more stringent than the Safe Harbor principles.

Safe Harbor has struggled to get off the ground, and major U.S. corporations have been slow to embrace the program. In February 2001, only 21 U.S. companies had signed on, prominent among them Hewlett-Packard Co. In addition, financial-services companies, such as insurers and banks, argued that they need not participate in the Safe Harbor program because the privacy provisions of the Gramm-Leach-Bliley Act of 1999 assure their compliance with the EU Directive.


FURTHER READING:

"EU Privacy Safe Harbor." Business Insurance, November 6, 2000.

Gillin, Donna. "Safe Harbor Principles for the European Privacy Directives are Finalized." Marketing Research, Winter 2000.

Goldstein, Heather, et al. "Safe Harbor Privacy Pact Implemented Between Europe and the United States." Intellectual Property & Technology Law Journal, February 2001, 27.

Johnson, Mark. "As Seen from Europe: A Very Public War Over Privacy." Global Finance, January 2001, 30.

Thibodeau, Patrick. "Big Companies Shy Away from Safe Harbor Accord." Computerworld, February 19, 2001, 12.

SEE ALSO: European Commission's Directive on Data Privacy; Privacy: Issues, Policies, Statements