Interesting People mailing list archives

IP: EU/US Privacy Safe Harbor Negotiations


From: Dave Farber <farber () cis upenn edu>
Date: Thu, 19 Nov 1998 16:15:17 -0500



From: "Joel R. Reidenberg" <reidenberg () sprynet com>


About two weeks ago, the US Department of Commerce began soliciting comment
from industry on its position for a proposed 'safe harbor' of privacy
principles as a partial solution to the impending restrictions on data flows
from Europe under Directive 95/46/EC.  Although the DOC did not explicitly
ask for public comment, the proposal was, nonetheless, put up on the web at
a non-indexed or linked DOC web site <http://www.ita.doc.gov/ecom/menu.htm>.

A group of academic book authors on US/EU privacy issues (Fred Cate, Bob
Litan, myself, Paul Schwartz and Peter Swire) filed the comment letter
reproduced below.  While the five of us have often disagreed strongly
regarding US data privacy protection, we were in complete agreement that
this 'safe harbor' proposal is unworkable.  We understand that the Member
States of the European Union are meeting again on November 19th to discuss
adequacy issues for transborder data flows.

JRR


**************************************************

Joel R. Reidenberg
Professor of Law
Director, Graduate Program Academic Affairs
Fordham University School of Law
140 W. 62nd Street
New York, NY 10023 (USA)
Tel: 212-636-6843
Fax: 212-636-6899

Email: <reidenberg () sprynet com>
Web: <http://home.sprynet.com/sprynet/reidenberg>

**************************************************

November 18, 1998


Ambassador David L. Aaron
Undersecretary for International Trade
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

Comments re: International Safe Harbor Privacy Principles

Dear Ambassador Aaron:

        We are the authors of four recent books and monographs, Data Privacy Law: A
Study of United States Data Protection (Michie 1996), Privacy in the
Information Age (Brookings 1997), None of Your Business: World Data Flows,
Electronic Commerce, and the European Privacy Directive (Brookings 1998),
and Data Protection Law and On-line Services: Regulatory Responses in
Belgium, France, Germany and United Kingdom (European Commission,
forthcoming 1999), examining the European Union's data protection directive
(Directive 95/46/EC), the "adequacy" of United States privacy protection
under Articles 25 and 26 of that directive, and substantive data protection
law in several European Union Member States. Four of us are law professors
who teach and research extensively in the areas of privacy and information
law; the fifth is director of economic studies at The Brookings Institution
and a former deputy assistant attorney general in the Antitrust Division of
the Justice Department and former associate director in the Office of
Management and Budget.

        The views we express below are ours alone; they do not necessarily
represent the views of the institutions with which we are affiliated nor
have we received any financial or other compensation for preparing these
comments.

        In our respective writings and public statements concerning privacy, we
have disagreed frequently and, on occasion, sharply about the desirable
level of substantive privacy protection for personal information and about
the constitutionality, effectiveness, and the advisability of various means
of achieving privacy protection. We submit these comments jointly today to
highlight the fact that, despite our divergent views on other privacy
issues, on these critical points we are in complete agreement. In addition
to these joint comments, Professor Swire is also submitting a set of
technical observations.

        We appreciate the opportunity to submit comments on the November 4, 1998,
draft of International Safe Harbor Privacy Principles, and we applaud the
Department of Commerce, you, and your colleagues for pursuing discussions
with the European Union to create a set of international principles that
would be recognized globally as meeting the requirements of Articles 25 and
26 of Directive 95/46/EC. Agreement on such principles would diminish the
threat that enforcement of the data protection directive might interrupt
trade with the European Union and reduce the transaction costs associated
with complying with the Directive.

        The key to creating effective principles and achieving the benefits that
such principles promise, however, is in their specificity and
comprehensiveness. Specific, comprehensive principles make it comparatively
easy for consumers, businesses, and regulators alike to know what is
expected, what level of privacy is provided, and whether there is
compliance. Such principles also diminish the room for conflicting
interpretations by information collectors and users and by national data
protection regulators, thereby increasing the certainty that the principles
will, in fact, constitute "adequate" data protection and therefore a
safe harbor under Directive 95/46/EC.

        We believe that the proposed International Safe Harbor Privacy Principles
are too vague and incomplete to serve their intended purpose. Specifically,
we believe the following examples reflect substantial difficulties for
international data transfers that this proposed draft does not resolve:

        1. The applicability of the "Safe Harbor" is ambiguous

        We find the scope of application of the "safe harbor" perplexing. The
preamble seems to merge sectoral regulation that may provide a statutory
basis for "adequacy" with collective, industry self-regulatory schemes and
isolated independent mechanisms. Yet many issues for compliance and the
sufficiency of each of these means to satisfy "adequacy" are different. In
addition, the "safe harbor" does not delineate how to treat a company that
subscribes to the principles in connection with one set of activities, such
as on-line services, but engages in many others such as employee data
transfers. Furthermore, the draft exempts "proprietary information" from the
principles without any definition. We do not understand what this term means
in relation to the generally accepted definition of "personal information"
as information relating to an identified or identifiable person.

        2. Transparency is not yet accomplished

        The "safe harbor" leaves a number of critical issues for transparency
unresolved. For example, the notice requirement does not include any
disclosure of the identity of the organization collecting personal
information. We also believe the provision on access leaves significant
ambiguity in the ability of individuals to see the information relating to
them. "Reasonable access" is only vaguely defined in the clause and likely
to be interpreted quite differently by the various stakeholders. At the same
time, the blanket exclusion of public record information from the access
right raises serious questions about whether the resulting data protection
is "adequate" under Directive 95/46/EC.

        In addition, the "safe harbor" is silent on the transparency of those
companies subscribing to the principles; there is no provision for the
public disclosure of companies promising to adhere to the "safe harbor." For
example, a statement in corporate disclosure documents such as Form 10K or
10Q filed with the Securities and Exchange Commission would make adherence
public and indicate that a particular company thought compliance was
material to its business practices.

        3. The role of consent

        We are concerned that the "safe harbor" relies too heavily on consent as an
absolute basis for any treatment of personal information. Especially in the
case of sensitive information such as medical data, consent may not be
recognized as an appropriate ground for certain uses of personal
information. For example, it is doubtful whether consent should be
considered valid where medical care is provided to a sick patient on
condition of using personal medical information for marketing purposes.

        4. Enforcement is ill-defined

        We are unconvinced that the draft "safe harbor" provision on enforcement
adds a meaningful standard to the principles. The list of mechanisms by
which compliance might be assured does not contribute to clear rules or
practices for companies to follow or for individuals to pursue in the
vindication of claims. The draft gives no guidance on the content for
"systems for verifying that the attestations and assertions business make .
. . are true" nor does the draft provide any indication as to how such
measures might overcome the rejection of non-independent supervision by data
protection authorities. Even with respect to remedies, the draft is too
vague to provide any guidance. Enforcement in the American legal system
typically includes causes of action and damages for violations of standards.
The draft speaks of "recourse" and "consequences," yet does not establish
any useful criteria for dispute settlement nor address the question of
damages for injuries caused to individuals by violations of the principles.
In combination with the vagueness of the substantive principles, the
enforcement provision offers unclear protection for individuals and
uncertainty for U.S. business.

        Moreover, we are concerned by the confusion regarding the legal effect of
the proposed International Safe Harbor Privacy Principles. Typically,
American law uses the term "safe harbor" to mean a set of precisely defined
practices recognized by a designated regulatory agency to satisfy an
existing legal obligation in the United States. In the absence of U.S.
statutory obligations, we understand this "safe harbor" is, instead,
intended as a designation by the European Union that U.S. companies
complying with the terms of these principles would qualify to transfer
personal information to the United States under Article 25(6) or Article 26
of Directive 95/46/EC. Under Directive 95/46/EC, a determination of the
sufficiency of these principles will be made by the Commission subject to
referral to the Committee, consisting of representatives from each of the
Member States, established under Article 31 of the Directive, and, if
necessary, to referral to the Council of Ministers for an overruling
decision. In making the initial determination on the value of these
principles as "adequate" data protection, the Commission consults with the
Working Party, composed of representatives of the data protection
supervisory agencies of the Member States, established under Article 29 of
the Directive. Although the opinion of the Article 29 Working Party is only
advisory, each of the group's members has enforcement responsibilities for
international data transfers. Hence, even if these principles are accepted
by the Commission and the Article 31 Committee or the Council of Ministers,
European law and Directive 95/46/EC require the data protection agencies in
each of the European member states to interpret whether there is compliance
and accord a significant margin for interpretation to those agencies.

        The Working Party has addressed itself for the past two years to the
question of what constitutes "adequate" data protection under Articles 25
and 26. Those views are collected in the Working Party's report this summer,
Working Document on Transfers of Personal Data to Third Countries: Applying
Articles 25 and 26 of the EU Data Protection Directive. While our views on
the substance of the Working Party's conclusions differ, we are agreed that
the current draft of the International Safe Harbor Privacy Principles appears
inconsistent with the Working Party's conclusions. In particular, the
vagueness and omission in the draft International Safe Harbor Privacy
Principles contradict the search for specific substantive standards
enumerated in the Article 29 Working Party's opinions. We do not, therefore,
believe that these principles will resolve the international data flow
issues for U.S. companies at the member state level and urge you to explore
the problems of interpretation that these principles will create.

        Thank you again for your efforts to create International Safe Harbor
Privacy Principles. We appreciate this opportunity to comment and we stand
ready, individually and collectively, to work with you to address the
concerns and ambiguities that we have identified and to provide any other
assistance you might require in completing your important task.

Respectfully submitted,

Fred H. Cate
Professor of Law
Indiana University School of Law-Bloomington
Author, Privacy in the Information Age
211 South Indiana Avenue
Bloomington, IN 47401

Robert E. Litan
Director, Economic Studies
The Brookings Institution
Co-Author, None of Your Business
1775 Massachusetts Avenue, N.W.
Washington, DC 20036

Joel R. Reidenberg
Professor of Law
Fordham University School of Law
Co-Author, Data Privacy Law and
Data Protection Law and On-line Services
140 West 62nd Street
New York, NY 10023

Paul M. Schwartz
Professor of Law
Brooklyn Law School
Co-Author, Data Privacy Law and
Data Protection Law and On-line Services
250 Joralemon Street
Brooklyn, NY 11201

Peter P. Swire
Professor of Law
Ohio State University College of Law
Co-Author, None of Your Business
55 West 12th Avenue
Columbus, OH 43210

_____________________________________________________________________
David Farber         
The Alfred Fitler Moore Professor of Telecommunication Systems
University of Pennsylvania 
Home Page: http://www.cis.upenn.edu/~farber     
