safe harbours

This page looks at 'Safe Harbors' - bilateral or multilateral government agreements concerned with personal data protection.
 
 It covers -
stormy seas

As noted throughout this guide, perceptions about privacy and the shape of national privacy legislation vary widely.

Although the OECD guidelines offer an invaluable statement of principle, there is no overarching global agreement about data collection and handling. For example, there is no equivalent to the Berne Convention, TRIPS Agreement and WIPO treaties discussed in our Intellectual Property guide.
 
A US government statement accordingly notes

    The European Commission's Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result of these different privacy approaches, the Directive could have significantly hampered the ability of US companies to engage in many trans-Atlantic transactions.

Safe Harbor agreements - notably that between the US and EU - provide one mechanism for reconciling differing national practice.
In essence, the US-EU agreement that was concluded in 2000 provides privacy practice certification for US businesses to avoid interruptions in dealings with the EU or prosecution by European authorities under European privacy laws.

Certification is meant to assure that individual businesses (irrespective of US legislative requirements) provide adequate privacy protection in terms of the EU Data Protection Directive.
 
 
studies

An introduction is provided by

- the US Commerce Department's Safe Harbor site

- the February 2002 European Commission staff paper (PDF) about implementation of the agreement and the detailed October 2004 Safe Harbor Decision Implementation Study for the European Commission by Jan Dhont, María Verónica Pérez Asinari, Yves Poullet, Joel Reidenberg & Lee Bygrave (PDF)

- the Commission's 2000 Decision (PDF) on the Agreement and Opinion on the level of protection provided by the 'Safe Harbor Principles'

- None of Your Business: World Data Flows, Electronic Commerce & the European Privacy Directive (Washington: Brookings 98) by Peter Swire & Robert Litan

- proceedings (PDF) from the 1998 Protecting Privacy: The Transatlantic Debate Over Data Protection conference

- Swire's 1998 paper Of Elephants, Mice, and Privacy: International Choice of Law & the Internet

- Joel Reidenberg's 2000 Resolving Conflicting International Data Privacy Rules in Cyberspace (PDF), 2001 Ecommerce and Trans-Atlantic Privacy (PDF) and 2004 States & Internet Enforcement paper
The European Commission's 2004 Staff Working Document (PDF) - reporting on implementation of the EU-US Safe Harbor Agreement - notes "significant levels of non-compliance with the Safe Harbor by self-certified companies".
and beyond the harbour

Some advocates have called for a broader framework, based on the OECD guidelines.

The US Commerce Department for example proposed the following International Safe Harbor Privacy Principles in 1999.
1. Notice
An organization must inform individuals about the purposes for which it collects information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or discloses it to a third party.

2. Choice
An organization must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to third parties (where such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice). They must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise this option. For sensitive information, such as medical and health information, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information concerning the sex life of the individual, they must be given affirmative or explicit (opt in) choice.

3. Onward Transfer
An organization may only disclose personal information to third parties consistent with the principles of notice and choice. Where an organization has not provided choice because a use is compatible with the purpose for which the data was originally collected or which was disclosed in a notice and the organization wishes to transfer the data to a third party, it may do so if it first either ascertains that the third party subscribes to the safe harbor principles or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant safe harbor principles.

4. Security
Organizations creating, maintaining, using or disseminating personal information must take reasonable measures to assure its reliability for its intended use and reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5. Data Integrity
Consistent with these principles, an organization may only process personal information relevant to the purposes for which it has been gathered. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is accurate, complete, and current.

6. Access
Individuals must have [reasonable] access to personal information about them that an organization holds and be able to correct or amend that information where it is inaccurate.

The reasonableness of access depends on the nature and sensitivity of the information collected, its intended use and the expense/difficulty of providing the individual with access to the information.

7. Enforcement
Effective privacy protection must include mechanisms for assuring compliance with the safe harbor principles, recourse for individuals to whom the data relate affected by non-compliance with the principles, and consequences for the organization when the principles are not followed. At a minimum, such mechanisms must include

a) readily available and affordable independent recourse mechanisms by which an individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide;

b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and

c) obligations to remedy problems arising out of failure to comply with these principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.
  
                        
 