WorldLII Home | Databases | WorldLII | Search | Feedback

Privacy Laws and Business International Report

You are here:  WorldLII >> Databases >> Privacy Laws and Business International Report >> 1999 >> [1999] PLBIRp 10

Database Search | Name Search | Recent Articles | Noteup | LawCite | Download | Help

Update on developments in the USA [1999] PLBIRp 10; (1999) 47 Privacy Laws and Business International Report 16

The United States hopes to find safe harbor

US AND EUROPEAN negotiators are working hard to find a solution to the problem of adequacy required by European data protection laws. The Safe Harbor Principles are being hailed by some US companies as a self-regulatory breakthrough, making the provisions of the European Directive more readily acceptable, but others prefer contractual solutions.

The Privacy & American Business (P&AB) 5th Annual Conference, organised in Washington on 30th November - 2nd December 1998, attracted more than 150 policymakers and representatives of US companies. Under the title of "Managing the Privacy Revolution '98" the 54 speakers addressed a range of topics which included Internet privacy, data warehousing and regulatory trends in financial services.

As in previous years, Professor Alan Westin who heads P&AB, opened with an overview. He said that US companies had three imperatives:

1. As companies must have privacy policies, they should look at all their new products and services to see whether they are consistent with these policies.

2. Online companies, in particular, should adopt strong privacy policies, as e-commerce becomes more widely used.

3. Increased globalisation means that there is an increase in the number of transfers of information to countries which have national data protection laws. Companies must be made much more aware of this fact.

Most speakers considered that the EU Data Protection Directive made it imperative for their companies to be proactive in the privacy field, otherwise the Government may regulate. Several companies, such as McGraw- Hill (PL&B Feb '98 p.23) saw privacy as another competitive issue which they use to differentiate themselves from rivals to their own advantage. Most were in agreement that the goal was self-regulation to make use of the flexibility this gives them, enabling them to react quickly and appropriately for their own sector. Technological and contractual solutions were seen as helpful byproducts of a management decision to tackle privacy as a priority.

"SAFE HARBOR" DEVELOPMENTS

Undoubtedly, the major focus of the conference was the recent publication of the International Safe Harbor Privacy Principles by the US Commerce Department, (p.15) which were designed to help US companies comply with the EU directive's requirement for adequacy in transborder data flows to non- EU countries (PL&B Dec'98 p.6). Developed after months of discussion with European Union officials, the principles seek to provide the "presumption of adequacy" needed to enable data transfers between the EU and the US to continue lawfully.

Scott Blackmer, of Washington law firm Wilmer, Cutler and Pickering, pointed out that anyway, most business transactions would still need contracts even if the company subscribes to the safe harbour principles, because the data security provision of the EU directive (Article 17) would apply. Article 17(3) states that the data processor must be bound contractually to fulfil the security obligations specified by the member state in which the processor is located. Article 17(4), dealing with third party processing, states unequivocally that personal data may be processed only according to instructions from a controller which must be kept "in writing or in another equivalent form."

DETAILED REQUIREMENTS VARY Data transfer procedures are in the hands of the EU member states which are currently transposing the terms of the directive into national legislation. In some countries, transferring data will require registration (notification). In others, prior checking may be a prerequisite in certain cases.

The final principle of the Safe Harbor Principles, and the one on which most speakers foresee difficulties, is enforcement. This principle states that one enforcement option is to refer to European regulatory bodies for transfers from EU countries to the US. The Safe Harbor Principles aim to accommodate with the EU directive, making contracts more readily acceptable.

MODEL CONTRACTS

The model contract prepared by the International Chamber of Commerce (ICC) is designed to be fairly general, whereas the P&AB model contract has been developed to be more sectoral in approach. The ICC version has now been submitted to the Article 29 Committee for approval. From the perspective of European Data Protection Authorities, any transborder data flow contract cannot merely restate principles, but procedures and operating requirements must be detailed. The Citibank contract with Deutsche Bahn was cited as an example of good practice (PL&B Oct '97 p.9).

EU-US DIALOGUE ONGOING

Mr John Mogg, Director of DGXV of the European Commission, in his talk entitled "Where does US/EU accommodation lie?" spoke about the two current myths in circulation: one, that the EU is obsessed with stopping data piracy and setting up "privacy cops", and two, that the EU opposes technical solutions to protecting privacy. Both of these views are quite misleading. In his meetings with Barbara Wellbery, Chief Counsel and Ambassador David Aaron of the Department of Commerce, chief US negotiators with the EU, it was clear that each side was trying to avoid trading difficulties, while safeguarding what Vice President Al Gore has called "the basic human value of privacy." The difficulties at the moment are on the subjects of access and enforcement. Barbara Wellbery said that there were "no substantive differences between the EU and the US." Both sides aim to protect both privacy and the free flow of data. She was confident a solution would be found.

Peter Swire, Professor of Law at the Ohio State University School of Law tackled the issue of how the US can become "adequate" which could be a component of a contractual solution. The advantages of the Safe Harbor Principles are that they relate to Article 25 of the directive, stating that an adequate country does not need prior checking for transfers of data to be made. This would enable Internet companies to continue transferring data. The same would not apply to human resources data however, which, in his view, would still require unambiguous consent or a clear contract.

Peter Swire has been recently appointed to visit European countries on behalf of the US Department of Commerce in order to find a way to make the safe harbour principles acceptable to both sides.

RESPECTING CALLERS' AND CUSTOMERS' PRIVACY RIGHTS

Public concern and government focus on privacy is growing. Tom Reiman of Ameritech gave details of a recent survey which showed that 90% of consumers are concerned about privacy, and 80% consider telemarketing to be intrusive.

In response to public concern, his company has marketed an award-winning product called Privacy Manager. Quite simply, the device will intercept, and where necessary, block an unwanted sales call, basing its decision on a customer's own preference. Telemarketing companies have given their support to this technology, on the basis that they can focus more easily on their target groups. In some cases, cold sales calls went from four a night to four a month, with the benefit that customers felt that they had regained control over their telephone.

Reiman's particular message to companies was to stop being seduced by the amount of data available to collect, and begin listening to the genuine concerns of consumers about ways in which companies use their personal data. His forecast for the future is that customers will choose to do business with companies that expressly respect their privacy. In the US, he said, public policy springs from the same source as private needs.

Privacy & American Business reports (Dec '98) that the New York state legislature is currently considering telemarketing bills that would require New York companies to maintain their own "do not call" lists and would require all telemarketers to provide notification of who is calling and for what purpose. This stands a good chance of getting passed, said Shelley Harms, Bell Atlantic's Executive Director of Public Policy.

The conference was told that the Federal Trade Commission had conducted a survey showing that a mere 2% of websites have comprehensive policies on privacy. But as a consequence of the US' enthusiasm for litigation, some lawyers have been advising clients not to have policies so that they cannot be held liable for not following them!

The Privacy and American Business Conference Papers are available from Privacy &American Business, Two University Plaza, Suite 414, Hackensack, NJ USA 07601 Tel: +1 201 996 1154, Fax: +1 201 996 1883 E-mail :ctrslr@aol.com The Safe Harbor Principles are available on the Internet at http://www.ita.doc.gov/ecom/menu.htm, or from the US Department of Commerce, Tel: +1 202 482 0343, Fax: +1 202 501 2548.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/journals/PLBIRp/1999/10.html