February 2007 - Privacy Issues

Privacy: The Europeans Require More

By Sieglinde Friedman

In 1998, the European Commission put into place a Directive on Data Protection, which differs significantly from United States law. For American companies that wish to engage in trans-Atlantic transactions, it is very important that the Directive is wholly understood and fulfilled. The essential difference between U.S. and European Union (EU) regulations is that the European rules cover the entire marketplace, while U.S. law covers sectoral segments such as financial institutions and transactions, children’s online privacy, etc. In short, the European directive requires more stringent and overarching compliance. In order to bridge these different privacy approaches and provide a streamlined means for U.S. companies to comply with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed a “safe harbor” framework. The safe harbor, approved by the EU in 2000, is an important way for U.S. companies to avoid interruptions in their business dealings with the EU or prosecution by European authorities under European privacy laws. Certifying to the safe harbor assures EU firms that your company provides “adequate” privacy protection, as defined by the Directive.

According to the U.S. Department of Commerce, the safe harbor provides the following benefits to U.S. companies: (a) All 25 Member States of the European Union will be bound by the European Commission’s finding of adequacy; (b) Companies participating in the safe harbor will be deemed adequate and data flow to those companies will continue; (c) Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and (d) Claims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions. The safe harbor framework offers a simpler and cheaper means of complying with the adequacy requirements of the Directive, which should particularly benefit small and medium enterprises.

Any U.S. firm can enter the Safe Harbor Program by complying with the safe harbor requirements and publicly declaring that it does so. To be assured of safe harbor benefits, a company needs to self-certify annually to the Department of Commerce in writing that it agrees to adhere to the safe harbor’s requirements, which include elements such as notice, choice, access and enforcement.

It must also state in its published privacy policy statement that it adheres to the safe harbor. The Department of Commerce will maintain a list of all organizations that file self-certification letters and make both the list and the self-certification letters publicly available. To qualify for the safe harbor, an organization can (1) join a self-regulatory privacy program that adheres to the safe harbor’s requirements; or (2) develop its own self-regulatory privacy policy that conforms to the safe harbor.

The Safe Harbor Program’s principles include:

(a) Notice: Organizations must notify individuals about the purposes for which they collect and use information about them.

(b) Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.

(c) Onward transfer (transfers to third parties): To disclose information to a third party, organizations must apply the notice and choice principles.

(d) Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

(e) Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

(f) Data integrity: Personal information must be relevant for the purposes for which it is to be used.

(g) Enforcement: In order to ensure compliance with the safe harbor principles, there must be (i) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (ii) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (iii) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization.

Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants, and safe harbor benefits will no longer be granted.

In general, enforcement of the safe harbor will take place in the United States in accordance with U.S. law and will be carried out primarily by the private sector. Private sector self-regulation and enforcement will be backed up as needed by government enforcement of the federal and state unfair and deceptive practices statutes. The effect of these statutes is to give an organization’s safe harbor commitments the force of law vis-à-vis that organization.

The Better Business Bureau (BBB) offers further assistance by providing an independent and neutral authority that will assist pre-committed and self-certified firms doing business in the EU should a privacy dispute arise. Gary M. Laden, director, BBBOnLine Privacy Program, Council of Better Business Bureaus Inc., says, “the Europeans oversee and verify that their Directive is being adhered to, and thus any U.S. company that wants security in meeting the EU standards must comply.”

He continues, “If a U.S. company finds itself in a privacy dispute with EU consumers, the BBB’s program of dispute resolution bridges the EU demand for an autonomous and impartial entity while offering the power of the BBB seal.”

In sum, if an American company wishes to do business in the European Union, it is vital that the EU Directive is followed via the Safe Harbor Program.

Sieglinde Friedman is ERA’s vice president of board and strategy. She can be reached at (703) 908-1021, or via e-mail at [email protected].
