US - EU Privacy "Safe Harbor" Greeted with Skepticism

Presented as a compromise between conflicting European and American theories of privacy regulation, the European Union Privacy Safe Harbor program has attracted only a few participants and has raised new questions about US-EU cooperation on data privacy protection.

In 1998, the European Union adopted its Privacy Directive, requiring the EU's 15 member countries to adopt laws to protect the privacy of personally identifiable data about EU persons, including restrictions on the collection, use and transfer of this data. Among other things, the Privacy Directive generally prohibits transfers of personal data about EU persons to entities in non-EU countries which lack "adequate" privacy protection laws. Troubled by the patchwork of narrow "sectoral" privacy regulations and industry self-regulation in the US (see our May 2, 2000 Internet Alert), the EU found US privacy protections to be "inadequate," raising the specter of large-scale disruptions in EU-to-US data flows.

Seeking to avoid such disruptions, the EU and US negotiated for nearly two years to devise a safe harbor framework, under which US entities could continue to collect and process personal data from the EU by promising to implement "adequate" privacy safeguards. These Safe Harbor principles address issues of notice to the data subject, choice regarding uses of data, conditions for transfers to third parties, access to stored data, data security and integrity, and enforcement. These principles were described in our April 18, 2000 Internet Alert.

Last fall, the Safe Harbor program was formally adopted, and US entities were invited to self-certify that they would comply with the Safe Harbor principles, subject to enforcement by the Federal Trade Commission. However, three months later, fewer than two dozen US entities have self-certified, and the ultimate success of the Safe Harbor concept is still uncertain. There appear to be several reasons for this slow response:
  • Exceptions allow many data transfers: The Privacy Directive includes an exception which allows EU persons to "consent unambiguously" to international data transfers which would otherwise be prohibited. Thus, US companies which can obtain prior consent directly from prospective EU data subjects - or indirectly through EU business partners - may collect and use EU-origin personal data without participating in the Safe Harbor program. Among other exceptions, the Privacy Directive also allows data transfers which are required to perform a contract with an EU person or to perform a contract with a third party which benefits the EU data subject.
  • Perceived lack of immediacy: The EU and US have agreed to an enforcement "standstill" under which the Privacy Directive should not be invoked to block any EU-to-US data transfers until at least June 2001, when the implementation of the Safe Harbor program will be reviewed. Despite the standstill, however, both Sweden and France have acted to block some transfers of consumer and employee data on privacy grounds. Meanwhile, some other EU countries have not yet enacted the privacy protection laws required by the Privacy Directive. For example, Germany is not expected to enact its legislation until May 2001, at the earliest. Thus, the state of enforcement and adoption within the EU itself is still unclear.
  • Benefits are not guaranteed: Some cautious EU data sources may still insist upon additional privacy safeguards - such as explicit prior consent by data subjects - notwithstanding a US entity's Safe Harbor self-certification, in order to avoid potential liability under local data privacy laws.
  • Possible contractual alternatives: The Privacy Directive authorizes EU data controllers to protect privacy through commercial contracts. The EU is currently developing model contractual provisions under which US entities would be allowed to obtain personally identifiable EU data. Such contracts may enable US entities to address the Privacy Directive contractually, without subjecting themselves to FTC oversight under the Safe Harbor program. Since the EU model contracts have not yet been finalized, it remains unclear whether the contractual requirements will be more or less onerous than the Safe Harbor principles.
On the other hand, emerging international legal norms and public opinion may make the Safe Harbor program an increasingly attractive option for US companies:
  • International legal developments: The EU's comprehensive regulatory approach to privacy protection - not the US self-regulatory approach - is emerging as the leading international model for laws in other countries around the world. For example, our Internet Alerts of December 11, 2000 and February 5, 2001, discussed the adoption of the EU approach in Latin America and Canada, respectively. Even the US may adopt more comprehensive data privacy regulations. As we reported in our May 26, 2000 Internet Alert, the FTC has backed away from its commitment to self-regulation in favor of federal Internet privacy legislation. Several privacy-related bills are currently pending in Congress.
  • Public opinion: Privacy consistently ranks as one of the leading technology-related concerns among consumers and employees. These concerns may prompt US companies to adopt the Safe Harbor principles voluntarily as "best practices" governing their domestic and international data-handling activities.
Despite the slow start of the US-EU Safe Harbor program, US and other non-EU companies should not delay their development of worldwide data privacy compliance strategies. Depending on a particular company's specific business model and data requirements, that strategy may or may not ultimately include self-certification under the US-EU Safe Harbor. The lingering questions about the US-EU Safe Harbor illustrate how difficult it is to develop such a worldwide privacy compliance strategy under incompatible regulatory systems. Companies in international markets will thus need to remain vigilant as data privacy requirements continue to evolve.