CongressLine - The EU Privacy Protection Directive and the U.S. Safe HarborBy Carol M. Morrissey, Published on June 15, 2000
In October of 1998, the European Union Directive on Data Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data entered into force. In its simplest form, this Directive (otherwise known as Directive 95/46/EC or the Data Privacy Directive) does not allow the transfer of personal data to a country outside of the EU which lacks adequate personal data privacy safeguards. (The text of Directive 95/46/EC can be accessed at http://www.cdt.org/privacy/eudirective/EU_Directive_.html.) As the United States fell (and most would argue, still falls) into this category, the U.S. Department of Commerce embarked upon a series of "safe harbor" negotiations in order to protect the interest of U.S. businesses involved in the international transfer of personal data. Once a safe harbor agreement is reached, U.S. companies that abide by its principles will be able to operate in compliance with the Directive. (For background information, please see the October 1998 CongressLine article, EU Directive 95/46 - Privacy 101 at http://www.llrx.com/congress/101598.htm.)
The daunting task facing the negotiators was to somehow bridge the gap between the EU's legislative approach to privacy protection and the U.S. system, which is basically self-regulatory. Europeans have rights under the Directive which are clearly not enjoyed by consumers here in the United States. Consumers in the European Union have the right to identify a marketing organizations information source, to check and correct inaccurate data and most importantly, data concerning race, sexual orientation and religion (sensitive data) may not be shared unless permission is granted by the consumer (also known as "opt-in").
The first draft safe harbor agreement was announced and presented for public comment in November 1998. (For the text of the November 1998 agreement, please go to http://www.ita.doc.gov/td/ecom/aaron114.html#Safe). This was followed by further agreements in April and November of 1999. (The text of the April 1999 proposal is at http://www.ita.doc.gov/td/ecom/shprin.html and the November 1999 text can be found at http://www.ita.doc.gov/td/ecom/Principles1199.html.) The most recent and the U.S. hopes, final, agreement was announced on March 15, 2000, with all public comments to be filed by April 5, 2000. (The text of the current safe harbor principles can be accessed at http://www.ita.doc.gov/td/ecom/RedlinedPrinciples31600.htm and all comments received by the DOC are at http://www.ita.doc.gov/td/ecom/Comments400/publiccomments0400.html.)
The March 2000 safe harbor provides for adherence to seven broad principles; notice to individuals concerning the collection and uses of personal data; the opportunity for the consumer to choose to opt-out if the data is being used for a means incompatible with its collection (sensitive data is now subject to opt-in by the consumer); third party sharing must be consistent with the previous principles of notice and choice; those who collect data must have a security system in place and must also protect the integrity of the data; all organizations must allow consumers access to their collections of personal information and finally, enforcement procedures must ensure compliance to the principles of privacy and data protection. At this time, the financial services industry is not included in the safe harbor proposal.
The Department of Commerce will maintain a list of U.S. companies adhering to the safe harbor principles. The list will provide notice to EU businesses as to the companies who are providing "adequate data protection", thus preventing data blockages against U.S. companies which are in compliance with the safe harbor. The federal agency charged with enforcing the safe harbor agreement is the Federal Trade Commission (FTC) - an enforcement action will be brought by the FTC against any company which represents that it is in compliance with the safe harbor and then proceeds to misuse consumer information.
The European Union
On March 29, 2000 the European Commission announced that they had formally approved the March 2000 safe harbor principles. (Please see the news release entitled, Data Protection: Commission Endorses "Safe Harbor" Arrangement with U.S. at http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor4.htm.) However, only a few days later, the EU "committee" comprised of data protection commissioners refused to endorse the safe harbor principles and drew up additional questions for the European Commission highlighting their concerns. Approval must also be obtained from a qualified majority of EU Member States convened under Article 31 of the Directive. In addition, the agreement must also be submitted to the European Parliament before a final decision on the safe harbor principles can be attained. Once adopted, it will be binding on all EU Member States. The approval process is lengthy, but it is possible that the approval of the safe harbor principles will be finalized over the summer.
"Is this really all about junk mail?"- as the U.S. Department of Commerce negotiator was apparently overheard joking. Consumer groups do not think so and they are concerned that the current safe harbor principles do not provide EU consumers with the same level of protection as that of the Directive. A strong opponent of the safe harbor principles is the Transatlantic Consumer Dialogue (TACD), a coalition of European and American consumer groups. (Please see the TACD press release Consumer Groups Warn that Safe Harbor Privacy Proposal Will Undermine Consumers' Legal Rights, at http://www.tacd.org/press_releases/warn300300.html.)
The TACD has also released a strongly worded statement/comment on the safe harbor which concludes that the current principles would undermine the objectives of the Directive and that further input should be sought from consumer groups prior to the finalization of any agreement. (For the text of the TACD comments, please go to http://www.tacd.org/press_releases/state300300.html.)
On May 1, 2000, the White House announced a consumer privacy initiative, the Clinton-Gore Plan to Enhance Consumers' Privacy: Protecting Core Values in the Information Age. (The text of the initiative can be found at http://www.pub.whitehouse.gov/uri-res/I2R?urn:pdi://oma.eop.gov.us/2000/5/1/2.text.1.) The initiative fills in the gaps with respect to the sharing of personal data left by the Gramm-Leach-Bliley (GLB) legislation on financial modernization (P.L. 106-102, signed by the President on November 12, 1999). A sticking point during negotiations with the EU was the fact that under GLB banks may still share confidential information with their affiliates, but not with third parties. The EU, the White House and consumers' advocates support a ban on affiliate sharing and the White House has included that provision in its initiative.
Shortly after the initiative was announced, Rep. LaFalce (D-NY) and Sen. Leahy (D-VT) each introduced the Consumer Financial Privacy Act on behalf of the Administration. (H.R. 4380 can be accessed at http://www.epic.org/privacy/financial/HR4380.html and a press release from Sen. Leahy announcing the introduction of S.2513 can be accessed at http://www.senate.gov/~leahy/releases/0004/0430_4148.html.)
Banking groups here in the United States claim that the privacy regulations promulgated under GLB will adequately protect consumers. The Privacy of Consumer Financial Information regulations were finalized May 10, 2000 and will become effective as of November 13, 2000, although the time period for full compliance has been extended to July 1, 2001. (For the text of the press release announcing the final rule, please go to http://www.bog.frb.fed.us/BoardDocs/press/boardacts/2000/20000510/default.htm and the regulations themselves can be accessed as Item 2 at the following site: http://www.bog.frb.fed.us/BoardDocs/Meetings/2000/20000510/OpenMemos.htm.)
Adding fuel to the consumer fire on the protection of personal data is the Final Report of the Advisory Committee on Online Access and Security (ACOAS), released May 11, 2000. The ACOAS was established in 1998 to provide recommendations to the FTC pertaining to the implementation of security and access principles by commercial websites. This May they came out fully in support of mandating that all websites have a personal data security program. (The text of the May and all previous ACOAS reports is accessible at http://www.ftc.gov/acoas/index.htm.)
Although the EU approval process for the safe harbor principles may be lengthy, most officials believe that it will eventually be approved. The EU clearly supports stronger data protection regulation of our financial institutions, but instead of being hammered out at the negotiating table, this issue will now be wrangled over by Congress, the federal banking agencies and advocacy groups here in the U.S. As Commerce officials recognized early on, there are fundamental philosophical differences between the European and the American approach to protecting personal data. To make this safe harbor really work, U.S. companies must show good faith in their adherence to the principles and not treat them as if they are just so many words on a page.