The U.S. Commerce Department has issued proposed voluntary guidelines to help U.S. companies comply with the European Union's new Directive on Data Protection, or "Privacy Directive."
The E.U. Privacy Directive, which took effect late last year, prohibits transfers of personally identifiable information to non-E.U. countries unless "adequate" privacy standards are observed. The Directive applies to personal data collected over the Internet by U.S. companies. As a result, the Directive potentially applies to every e-commerce company or web site operator in the United States.
The Directive raised fears that U.S. companies would be denied access to E.U. data because the U.S. does not have laws setting minimum privacy standards for personal data. In order to prevent U.S. companies from losing access to data from E.U. countries, the U.S. and the E.U. are negotiating a set of "safe harbor" principles which meet the E.U.'s privacy requirements. While these negotiations continue, the E.U. has agreed not to enforce the Privacy Directive against U.S. companies.
The Commerce Department has posted the draft guidelines online. That web site also includes letters from Ambassador David Aaron, the U.S. Under Secretary for International Trade; Frequently Asked Questions; and proposed Complaint Procedures.
The proposed safe harbor guidelines include seven privacy principles, as summarized below:
(1) Notice: Companies which collect personally identifiable information must state why the information is collected, provide a contact point for questions or complaints, disclose the types of third parties which will have access to the information, and state whether and how such access may be limited.
(2) Choice: Individuals must be allowed to choose whether their information will be used (by the original collector of the information or by third parties) for purposes other than the purpose for which it was originally collected. For "sensitive" information relating to health, race, ethnicity, religion, political opinions, union membership, and sex, individuals must explicitly authorize ("opt in") such uses. For other personal data, an "opt out" procedure is sufficient. This choice is not required for uses which are "compatible" with the original purpose for collecting the information.
(3) Onward Transfer: So long as personal information is used for its original purpose, it may be transferred to a third party, provided the third party recipient also follows these safe harbor principles.
(4) Security: Personal data must be reasonably protected to ensure that it is reliable for its intended use and reasonably protected against loss; misuse; and unauthorized access, disclosure, alteration, and destruction. It is still unclear what measures will be considered "reasonable." For example, encryption of electronic data is not mandated, but a failure to encrypt some sensitive data could be deemed "unreasonable."
(5) Data Integrity: When personal data are processed, users must take "reasonable" steps to ensure that the data are "accurate, complete, and current." This principle may mean that databases must be updated when it is feasible; this could impose significant costs on companies which collect or use personal data.
(6) Access: Individuals must be allowed to access data about themselves in order to ensure its accuracy. This right, however, will not be absolute, and the obligation to provide access depends upon whether the information will be used for sensitive decisions affecting the person, as well as the costs of providing access. Fees (not "excessive") may be charged for access, and the number of requests may be limited.
(7) Enforcement: Individuals must be given an opportunity to pursue complaints and disputes involving the use or disclosure of their personal information. These procedures may be provided through voluntary private-sector privacy programs, government agencies, or E.U. authorities, provided there is an effective dispute resolution procedure backed up by a credible threat of sanctions to promote compliance.
Please note that the guidelines are still in draft form and are subject to change as negotiations continue.