Presentation on theme: "Damon Greer Safe Harbor Program October 15, 2007"— Presentation transcript:
1Damon Greer Safe Harbor Program October 15, 2007 The U.S.-E.U. Safe Harbor Framework Cross Border Data Flows, Data Protection, and PrivacyGood Afternoon!. I’m pleased to be here today at the Conference to talk about the Safe Harbor Program.First, I thought it would be useful to spend a little time to provide some context to the evolution of the legal framework for privacy in the European Union. We study privacy, data protection, and collection from the 20-21st century perspective but these issues have been around for a long time.For example:Livy wrote in his History of Rome from its Foundation that the five year census dating back to 518 B.C. included similar data elements and EPIC’s Privacy and Human Rights survey released last week at the National Press Club notes that privacy is mentioned in the Bible, the Torah, and the Koran. So, in one form or another, data protection and privacy have been around for millennia. So what’s the impetus for creating an overarching framework in the EU?in the 30’s and 40’s, personal data was used to identify classes of individuals by ethnicity, religious belief, medical status, and political views.After the devastating consequences of WWII, it became apparent in Europe that there must be some way to protect individuals’ right to privacy. Three important steps: Article 8 of the European Convention of Human Rights; Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS Article 108), and the EU Charter of Fundamental Rights Article 8.Then, in 1980, the Organization for Economic Cooperation and Development (OECD) released its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.In 1995, the Directive 95/46/EC of the European Parliament and of the Council was approved went into effect in Member states had 3 years to implement the law by enacting implementation or national laws that incorporated the directive as a foundation of what we have today.Damon GreerSafe Harbor ProgramOctober 15, 2007
2Different Approaches to Data Privacy Why it matters European Union’s Data Protection Directive creates a barrier for those countries, including the U.S., that do not meet the EU’s “adequacy” requirements for data protection.U.S. Department of Commerce and European Commission negotiated the SAFE HARBOR to provide U.S. companies with a simple, streamlined means of complying with the adequacy requirement.Trans-Atlantic Trade in 2006 reached $630 billionThe European system of privacy protection is based on overarching legislation. The Directive prohibits the transfer of personal data to non-EU countries that do not provide “adequate” privacy protection. The Directive covers all industry sectors and virtually all personally identifiable information: any commercial transaction (B2B or B2C); broad jurisdiction.The U.S. – EU Safe Harbor was negotiated over a two-year period and in July 2000, the U.S. received an adequacy finding from the European Commission. The SH became effective in November The adequacy finding is limited to those organizations that certify to Safe Harbor.What’s at stake: more than $630 billion in trade could be affected by restrictions to data transfers without Safe Harbor not to mention the cost efficiencies reaped by consolidating data center operations in one, efficiently secured location.(Note: only adequate findings: SH, Canada, Switzerland, Argentina, Guernsey & Isle of Man.)
3Adequacy via the Safe Harbor Safe Harbor registration is a voluntary representation to European business partners and European citizens that U.S. companies will comply with the Safe Harbor framework.Administered by the DOC, enforced in the United Statesby the FTC and DOTCurrently nearly 1,300 U.S. organizations, including multinationals and SMEs.The FTC Act permits the EU & U.S. to maintain their positions re: personal information protection…U.S. companies make voluntary commitments, yet the EU is satisfied because the FTC Act makes those commitments legally binding.SH benefits for U.S. firms include:Predictability & continuity: all 27 EU member states, plus European Economic Area countries (Lichtenstein, Norway, Iceland) are BOUND by the adequacy finding;Companies participating in the SH will be deemed adequate and data flows to those companies will continue;Eliminates the need for prior approval to begin data transfersFlexible privacy regime congenial to U.S. approachPositive public/privacy image; andClaims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions.
47 Safe Harbor Principles (SHFIPPs) NOTICECHOICESECURITYONWARD TRANSFERDATA INTEGRITYACCESSENFORCEMENTThe SH framework includes the seven principles listed here:Notice: purpose; how to contact organization; info. transferred to any 3rd partiesChoice: option to opt-out of 3rd party disclosures or purposes other than those originally collected; opt-in for other sensitive information.Onward Transfers: to disclose info. to a 3rd party, organizations must apply NOTICE & CHOICE principles, unless its an agent & that agent either 1) complies with the SH principles or 2) is subject to the Directive or other adequacy finding or 3) enters into a written agreement with the organization. Review APEC’s consent or accountability principles.Security: reasonable precautions must be taken, but SH does not specify how.Data Integrity: has to do w/the relevance of the purpose of use.Access: individuals must have access except when expense of providing access is disproportionate to the individual’s risk.Enforcement: Basically the organization must have 1) verification, 2) dispute resolution & 3) remedies mechanism in place BEFORE certifying to the SH.
5Where to Find Safe Harbor Information website includes:Safe Harbor ListSafe Harbor WorkbookCompliance Checklist/Helpful HintsSafe Harbor Documents (including principles, FAQ’s, correspondence, etc.)Historical documents (including public comments)Should familiarize yourself w/the info. on our website.The SH list is a public record of all those companies adhering to the SH principles. You’ll see a number of large multinationals, including Eli Lilly, J&J, Merck, Pfizer, P&G, but interestingly about 55% are SMEs.The FAQ’s are an important resource to provide greater insight and clarification into things like sensitive data, human resources, and for this audience, secondary liability, Pharmaceutical & Medical Products (FAQ 14). When this body of information doesn’t answer a question, we consult with our legal counsel, the FTC, and with the European Union on specific interpretations of the Directive.
6Compliance & Enforcement U.S. culture of customer service is highly effective in addressing customer complaints/concerns, perhaps more than comprehensive legislation.Independent recourse mechanisms are required to notify DoC of a company’s failure to comply with the Safe Harbor principles, and FTC has authority to take action.Results:No referrals and no complaints filed with the EU DPAs.TRUSTe, BBB, DMA, and others report internal complaints resolved!In general, enforcement will take place in the U.S., in accordance with U.S. law, & will rely, to a great extent, on private sector enforcement, which includes verification (your annual affirmation that your org. continues to comply w/the SH principles), dispute resolution (by 3rd party or EU DPAs), & remedies.In general, enforcement will take place in the U.S., in accordance with U.S. law, & will rely, to a great extent, on private sector enforcement, which includes verification (your annual affirmation that your organization continues to comply with the SH principles), dispute resolution (by 3rd party or EU DPAS), & remedies.On reason why has to do w/the corporate culture in the U.S. & the other is the 3rd party enforcement. Martha Landesberg of Truste who is on our panel will explain how third party dispute resolution works under the Safe Harbor Framework.With regard to transferring HR data, everyone should understand: you are required to use the EU DPA for your recourse mechanism as well as comply with member state law re: the Use of info. as well as any restrictions under national law for the transfer of such data (so you basically need to be aware of the national laws for Use…the SH is not enough).
7Other Options for Meeting the EU Directive’s Requirements Joining Safe Harbor is not the only means of meeting the EU Directive’s requirementsOther alternatives include:“Unambiguous” consentNecessary to perform contractCodes of ConductModel Contract ClausesDirect compliance/registration with EU AuthoritiesNow, I’d like to mention some OTHER options for meeting the EU Directive’s requirements. You’ll here more about these options during tomorrow’s sessions. These are the Article 26 derogations:Unambiguous consent: the Directive contains a derogation/exception that allows for the use of “unambiguous consent” from a data subject to effectuate a data transfer. Some question whether HR data allows for the freedom to provide or decline consent, which is one reason the EU DPA is the dispute mechanism required.Codes of Conduct or BCRs: this is a tempting option, but has yet to emerge as a powerful tool for compliance; there is no streamlined review process and, thus far, only the application has been standardized for use in all 27 member states. You’ll hear more about BCRs during tomorrow’s sessions.Model Contract Clauses: again, an option to achieve adequacy but may be overly burdensome & no consistent interpretation among the Member States. Also enforced in the EU.
9Moving Forward — The Challenge Continues Expanded dialogue with the European Commission; Conference on International Transfers of Personal Data, Brussels, October 2006More needs to be done by EU to harmonize Data Directive; educate data subjects; we raised this specific issue in Brussels in bilateral negotiations last fallIncreased Emphasis by Industry on Harmonizing Approval Process for Binding Corporate RulesLast October, the Department of Commerce co-sponsored the conference on international transfers of personal data in Brussels at the Commission’s conference center. Although we were somewhat skeptical about how we would be received, the outcome was somewhat unexpected in that the Commission and the Article 29 Working Party on Data Protection publicly announced that Safe Harbor was a success story for international cooperation on protecting and securing personal information for commercial purposes.In Brussels, we dispelled the belief that Safe Harbor was a rubber stamp for certification and in later E.U. data protection meetings, we were cited as being “tough” on approving applications to Safe Harbor. We were determined to underscore our determination to fulfill our obligations under the agreement.Today, more than 70 nations have some form of data protection/privacy framework and more plan to enact data protection or privacy legislation. ChinaDaily recently reported that the country has completed a draft data protection law and may consider its implementation next year; Korea has at last reporting three versions of law on data protection, and Mexico’s efforts to pass a law perhaps modeled on Spain’s legislation will present challenges and opportunities for all in the privacy sphere.
12For additional information or questions Contact me at:Damon C. GreerU.S. Department of CommerceHCHB 20031401 Constitution Avenue, N.W.Washington, D. CTelephone: (202) ; Fax: (202)Thank you and enjoy the conference!