Commerce and International Privacy Activities: The US-EU Safe Harbor Agreement

Report home | Read the report (PDF) | Previous section | Next section

With the adoption of the European Union’s Data Protection Directive [21] in 1995 and its implementation in 1998, much of the concern about transborder data flows of personal information centered on the export restriction policies of the Directive. Article 25 generally provides that exports of personal data from EU Member States to third countries are only allowed if the third country ensures an adequate level of protection. While some countries have been found to provide an adequate level of protection according to EU standards, the United States has never been evaluated for adequacy or determined to be adequate.

The Directive contains several provisions other than the adequacy standard that allow transfer of personal information to third countries under specified conditions (e.g., unambiguous consent). [22] While these provisions solve many problems that might otherwise arise, restrictions on exports of personal data still created some significant problems and uncertainties for both US and EU businesses, including online businesses. The Commerce Department was pressured by the American business community to resolve the threats to data exports presented by the Data Protection Directive, and the Commission did not want to cause a disruption in international data flows while the Directive was being implemented in Europe. [23]

In 1998, the Commerce Department (acting through NTIA) and the European Commission entered into negotiations to create a “safe harbor” agreement that would allow for the export from Europe of personal information and for its processing by US businesses that voluntary and publicly endorse a code of conduct that the EU would accept as meeting the adequacy standard of the Directive. The negotiations, which one scholar described as lengthy and troubled, [24] lasted for two years.

The Safe Harbor framework [25] that emerged from the negotiations allows US organizations to publicly declare that they will comply with the requirements. An organization must self-certify annually to the Department of Commerce in writing that it agrees to adhere to the Safe Harbor’s requirements. There are seven areas of privacy standards covering notice, choice, onward transfer (transfers to third parties), access, security, data integrity, and enforcement. Safe Harbor documentation describes the requirements and provides an interpretation of the obligations. [26] To qualify for the Safe Harbor, an organization can (1) join a self-regulatory privacy program that adheres to the Safe Harbor’s requirements; or (2) develop its own self-regulatory privacy policy that conforms to the Safe Harbor.

The Safe Harbor framework is now operated by the International Trade Administration of the Department of Commerce. The Commerce Department website maintains a list of organizations that filed self-certification letters. Only organizations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation are eligible to participate. This limitation means that many companies and organizations that transfer personal information internationally cannot qualify for participation.

The content of the Safe Harbor Framework has been criticized on several grounds. It is not the purpose of this document to comment on the substance of the Safe Harbor agreement between the United States and the European Commission. A substantive discussion can be found elsewhere, including in documents issued by the Article 29 Data Protection Working Party (an organization of EU data protection officials established under the Data Protection Directive) [27] and by others. [28]

The question considered here is how the Department of Commerce carries out its obligations under the Safe Harbor Framework and whether the Department’s activities enhance or detract from the credibility of Safe Harbor.

____________________________

Endnotes

[21] Council Directive 95/46, art. 28, on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, 1995 O.J. (L 281/47), available at <http://eur- lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML>.

[22] Article 26.

[23] Joel R. Reidenberg, E-Commerce and Trans-Atlantic Privacy, 38 Houston Law Review 717, 739-40 (2001), available at <http://reidenberg.home.sprynet.com/Transatlantic_Privacy.pdf>.

[24] Id. at 738.

[25] <http://www.export.gov/safeharbor/eu/eg_main_018476.asp>.

[26] <http://www.export.gov/safeharbor/eu/eg_main_018493.asp>.

[27] See <http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/index_en.htm#safe_harbour>.

[28] See, e.g., Joel R. Reidenberg, E-Commerce and Trans-Atlantic Privacy, 38 Houston Law Review 717, 739-40 (2001), available at <http://reidenberg.home.sprynet.com/Transatlantic_Privacy.pdf>; Tracey DiLascio, How Safe Is The Safe Harbor? U.S. and E.U. Data Privacy Law and the Enforcement of the FTC’s Safe Harbor Program, 22 B.U.I.L.J. 399 (2004); Kyle Thomas Sammin, Any Port in a Storm: The Safe Harbor, the Gramm-Leach-Bliley Act, and the Problem of Privacy in Financial Services, 36 Geo. Wash. Int’l L. Rev. 653 (2004), available at <http://www.allbusiness.com/technology/962049-1.html>;

Roadmap: The US Department of Commerce and International Privacy Activities – Indifference and Neglect: The US-EU Safe Harbor Agreement

Report home | Read the report (PDF) | Previous section | Next section

Posted November 22, 2010 in Asia Pacific Economic Cooperation Group (APEC), Safe Harbor (EU), U.S. Department of Commerce, Uncategorized

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.