Interesting People mailing list archives
IP: EU/US Privacy Safe Harbor Negotiations
From: Dave Farber <farber () cis upenn edu>
Date: Thu, 19 Nov 1998 16:15:17 -0500
From: "Joel R. Reidenberg" <reidenberg () sprynet com>

About two weeks ago, the US Department of Commerce began soliciting comment from industry on its position for a proposed 'safe harbor' of privacy principles as a partial solution to the impending restrictions on data flows from Europe under Directive 95/46/EC. Although the DOC did not explicitly ask for public comment, the proposal was, nonetheless, put up on the web at a non-indexed or linked DOC web site <http://www.ita.doc.gov/ecom/menu.htm>. A group of academic book authors on US/EU privacy issues (Fred Cate, Bob Litan, myself, Paul Schwartz and Peter Swire) filed the comment letter reproduced below. While the five of us have often disagreed strongly regarding US data privacy protection, we were in complete agreement that this 'safe harbor' proposal is unworkable. We understand that the Member States of the European Union are meeting again on November 19th to discuss adequacy issues for transborder data flows.

JRR

**************************************************
Joel R. Reidenberg
Professor of Law
Director, Graduate Program Academic Affairs
Fordham University School of Law
140 W. 62nd Street
New York, NY 10023 (USA)
Tel: 212-636-6843
Fax: 212-636-6899
Email: <reidenberg () sprynet com>
Web: <http://home.sprynet.com/sprynet/reidenberg>
**************************************************

November 18, 1998

Ambassador David L. Aaron
Undersecretary for International Trade
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

Comments re: International Safe Harbor Privacy Principles

Dear Ambassador Aaron:

We are the authors of four recent books and monographs -- Data Privacy Law: A Study of United States Data Protection (Michie 1996), Privacy in the Information Age (Brookings 1997), None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (Brookings 1998), and Data Protection Law and On-line Services: Regulatory Responses in Belgium, France, Germany and United Kingdom (European Commission, forthcoming 1999) -- examining the European Union's data protection directive (Directive 95/46/EC), the "adequacy" of United States privacy protection under Articles 25 and 26 of that directive, and substantive data protection law in several European Union Member States. Four of us are law professors who teach and research extensively in the areas of privacy and information law; the fifth is director of economic studies at The Brookings Institution and a former deputy assistant attorney general in the Antitrust Division of the Justice Department and former associate director in the Office of Management and Budget. The views we express below are ours alone; they do not necessarily represent the views of the institutions with which we are affiliated, nor have we received any financial or other compensation for preparing these comments.

In our respective writings and public statements concerning privacy, we have disagreed frequently and, on occasion, sharply about the desirable level of substantive privacy protection for personal information and about the constitutionality, effectiveness, and the advisability of various means of achieving privacy protection. We submit these comments jointly today to highlight the fact that, despite our divergent views on other privacy issues, on these critical points we are in complete agreement. In addition to these joint comments, Professor Swire is also submitting a set of technical observations.

We appreciate the opportunity to submit comments on the November 4, 1998, draft of International Safe Harbor Privacy Principles, and we applaud the Department of Commerce, you, and your colleagues for pursuing discussions with the European Union to create a set of international principles that would be recognized globally as meeting the requirements of Articles 25 and 26 of Directive 95/46/EC. Agreement on such principles would diminish the threat that enforcement of the data protection directive might interrupt trade with the European Union and reduce the transaction costs associated with complying with the Directive.

The key to creating effective principles and achieving the benefits that such principles promise, however, is in their specificity and comprehensiveness. Specific, comprehensive principles make it comparatively easy for consumers, businesses, and regulators alike to know what is expected, what level of privacy is provided, and whether there is compliance. Such principles also diminish the room for conflicting interpretations by information collectors and users and by national data protection regulators, thereby increasing the certainty that the principles will, in fact, constitute "adequate" data protection and therefore a safe harbor under Directive 95/46/EC.

We believe that the proposed International Safe Harbor Privacy Principles are too vague and incomplete to serve their intended purpose. Specifically, we believe the following examples reflect substantial difficulties for international data transfers that this proposed draft does not resolve:

1. The applicability of the "Safe Harbor" is ambiguous

We find the scope of application of the "safe harbor" perplexing. The preamble seems to merge sectoral regulation that may provide a statutory basis for "adequacy" with collective, industry self-regulatory schemes and isolated independent mechanisms. Yet many issues for compliance and the sufficiency of each of these means to satisfy "adequacy" are different. In addition, the "safe harbor" does not delineate how to treat a company that subscribes to the principles in connection with one set of activities, such as on-line services, but engages in many others such as employee data transfers. Furthermore, the draft exempts "proprietary information" from the principles without any definition. We do not understand what this term means in relation to the generally accepted definition of "personal information" as information relating to an identified or identifiable person.

2. Transparency is not yet accomplished

The "safe harbor" leaves a number of critical issues for transparency unresolved. For example, the notice requirement does not include any disclosure of the identity of the organization collecting personal information. We also believe the provision on access leaves significant ambiguity in the ability of individuals to see the information relating to them. "Reasonable access" is only vaguely defined in the clause and likely to be interpreted quite differently by the various stakeholders. At the same time, the blanket exclusion of public record information from the access right raises serious questions about whether the resulting data protection is "adequate" under Directive 95/46/EC. In addition, the "safe harbor" is silent on the transparency of those companies subscribing to the principles; there is no provision for the public disclosure of companies promising to adhere to the "safe harbor." For example, a statement in corporate disclosure documents such as Form 10K or 10Q filed with the Securities and Exchange Commission would make adherence public and indicate that a particular company thought compliance was material to its business practices.

3. The role of consent

We are concerned that the "safe harbor" relies too heavily on consent as an absolute basis for any treatment of personal information. Especially in the case of sensitive information such as medical data, consent may not be recognized as an appropriate ground for certain uses of personal information. For example, it is doubtful whether consent should be considered valid where medical care is provided to a sick patient on condition of using personal medical information for marketing purposes.

4. Enforcement is ill-defined

We are unconvinced that the draft "safe harbor" provision on enforcement adds a meaningful standard to the principles. The list of mechanisms by which compliance might be assured does not contribute to clear rules or practices for companies to follow or for individuals to pursue in the vindication of claims. The draft gives no guidance on the content for "systems for verifying that the attestations and assertions business make . . . are true," nor does the draft provide any indication as to how such measures might overcome the rejection of non-independent supervision by data protection authorities. Even with respect to remedies, the draft is too vague to provide any guidance. Enforcement in the American legal system typically includes causes of action and damages for violations of standards. The draft speaks of "recourse" and "consequences," yet does not establish any useful criteria for dispute settlement nor address the question of damages for injuries caused to individuals by violations of the principles. In combination with the vagueness of the substantive principles, the enforcement provision offers unclear protection for individuals and uncertainty for U.S. business.

Moreover, we are concerned by the confusion regarding the legal effect of the proposed International Safe Harbor Privacy Principles. Typically, American law uses the term "safe harbor" to mean a set of precisely defined practices recognized by a designated regulatory agency to satisfy an existing legal obligation in the United States. In the absence of U.S. statutory obligations, we understand this "safe harbor" is, instead, intended as a designation by the European Union that U.S. companies complying with the terms of these principles would qualify to transfer personal information to the United States under Article 25(6) or Article 26 of Directive 95/46/EC. Under Directive 95/46/EC, a determination of the sufficiency of these principles will be made by the Commission subject to referral to the Committee, consisting of representatives from each of the Member States, established under Article 31 of the Directive, and, if necessary, to referral to the Council of Ministers for an overruling decision. In making the initial determination on the value of these principles as "adequate" data protection, the Commission consults with the Working Party, composed of representatives of the data protection supervisory agencies of the Member States, established under Article 29 of the Directive. Although the opinion of the Article 29 Working Party is only advisory, each of the group's members has enforcement responsibilities for international data transfers. Hence, even if these principles are accepted by the Commission and the Article 31 Committee or the Council of Ministers, European law and Directive 95/46/EC require the data protection agencies in each of the European member states to interpret whether there is compliance and accord a significant margin for interpretation to those agencies.

The Working Party has addressed itself for the past two years to the question of what constitutes "adequate" data protection under Articles 25 and 26. Those views are collected in the Working Party's report this summer, Working Document on Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive. While our views on the substance of the Working Party's conclusions differ, we are agreed that the current draft of the International Safe Harbor Privacy Principles appears inconsistent with the Working Party's conclusions. In particular, the vagueness and omission in the draft International Safe Harbor Privacy Principles contradict the search for specific substantive standards enumerated in the Article 29 Working Party's opinions. We do not, therefore, believe that these principles will resolve the international data flow issues for U.S. companies at the member state level and urge you to explore the problems of interpretation that these principles will create.

Thank you again for your efforts to create International Safe Harbor Privacy Principles. We appreciate this opportunity to comment and we stand ready, individually and collectively, to work with you to address the concerns and ambiguities that we have identified and to provide any other assistance you might require in completing your important task.

Respectfully submitted,

Fred H. Cate
Professor of Law
Indiana University School of Law-Bloomington
Author, Privacy in the Information Age
211 South Indiana Avenue
Bloomington, IN 47401

Robert E. Litan
Director, Economic Studies
The Brookings Institution
Co-Author, None of Your Business
1775 Massachusetts Avenue, N.W.
Washington, DC 20036

Joel R. Reidenberg
Professor of Law
Fordham University School of Law
Co-Author, Data Privacy Law and Data Protection Law and On-line Services
140 West 62nd Street
New York, NY 10023

Paul M. Schwartz
Professor of Law
Brooklyn Law School
Co-Author, Data Privacy Law and Data Protection Law and On-line Services
250 Joralemon Street
Brooklyn, NY 11201

Peter P. Swire
Professor of Law
Ohio State University College of Law
Co-Author, None of Your Business
55 West 12th Avenue
Columbus, OH 43210

_____________________________________________________________________
David Farber
The Alfred Fitler Moore Professor of Telecommunication Systems
University of Pennsylvania
Home Page: http://www.cis.upenn.edu/~farber