Home
| Databases
| WorldLII
| Search
| Feedback
Privacy Laws and Business International Report |
THE LATEST VERSION of the International Safe Harbor Privacy Principles was published on April 19th aiming to offer guidance to US organisations seeking to comply with the adequacy requirement of the EU Data Protection Directive (PL&B Feb '99 p.15-17).
Ambassador David Aaron explained in a covering letter that, "organizations within the safe harbor would have a presumption of adequacy and data transfers from the European Community to them would continue. Organizations could come into the safe harbor by self-certifying that they adhere to these privacy principles."
The Article 29 Working Party, responded on May 3rd, saying that "the patchwork of narrowly focused sectoral laws and self-regulatory rules presently existent in the United States cannot be relied upon to provide adequate protection in all cases for personal data transferred from the European Union."
The Working Party makes a number of observations on the practical implications of the safe harbor proposals for the work of the National Data Protection Authorities which include:
1. It is very important that US based companies adhering to the "Safe Harbour" Principles be unequivocally identified. This notification should be as complete as possible, publicly available and, in particular, contain an indication of the contact person within the company that is able to deal with requests from the individual, and the monitoring body responsible for enforcing the Principles.
2. To qualify for the safe harbor scheme, US organisations may "join a private sector developed privacy program." The Working Party seeks further clarification as to the identity of the privacy programs, their operational criteria, and their exact content.
3. The safe harbor principles only relate to the lawfulness of the international aspect of transfers of data, flowing from Articles 25 and 26 of the directive. Data exporters based in Europe are subject to the application of the other provisions of the directive, e.g. notifications of processing to National Supervisory Authorities.
4. The Working Party has been informed that a document is in preparation, which would give a comprehensive description of the powers of the various US regulatory bodies.
5. National Supervisory Authorities do not have jurisdiction in third countries and lack any enforcement powers which would allow them to oversee effectively implementation of the Principles by US organisations.
The Working Party noted progress on the principles, in particular:
1. The definition of personal data refers now to an identified or identifiable individual.
2. The exceptions to the principles appear more coherent and in part reflect those envisaged in the directive.
3. In 'Notice' the individual is to be informed of a change of purpose;
4. Sensitive information is now fully defined in Principle 2: 'Choice';
5. 'Onward transfers' now differentiates between transfers amongst organisations adhering to the principles and transfers to third parties outside the safe harbor scheme.
The Working Party then gave its detailed concerns on several issues, including exemptions, manual data, the principles of notice, choice, onward transfer, access and enforcement.
ENFORCEMENT
"It is not sufficiently clear from the text of the principle itself of the standard required from companies. ...In an entirely voluntary scheme such as this, compliance with the rules must be at least guaranteed by an independent investigation mechanism for complaints and sanctions which must be dissuasive and give individuals compensation, where appropriate."
"... Principle 7 does not establish the rules to be followed for the verification of compliance nor does it indicate which authorities can enforce the principles. Similarly, it should be indicated what type of sanctions are envisaged, who determines them and according to which procedure."
WorldLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.worldlii.org/int/journals/PLBIRp/1999/18.html