Presentation is loading. Please wait.

Presentation is loading. Please wait.

Damon Greer Safe Harbor Program October 15, 2007

Similar presentations

Presentation on theme: "Damon Greer Safe Harbor Program October 15, 2007"— Presentation transcript:

1 Damon Greer Safe Harbor Program October 15, 2007
The U.S.-E.U. Safe Harbor Framework Cross Border Data Flows, Data Protection, and Privacy Good Afternoon!. I’m pleased to be here today at the Conference to talk about the Safe Harbor Program. First, I thought it would be useful to spend a little time to provide some context to the evolution of the legal framework for privacy in the European Union. We study privacy, data protection, and collection from the 20-21st century perspective but these issues have been around for a long time. For example: Livy wrote in his History of Rome from its Foundation that the five year census dating back to 518 B.C. included similar data elements and EPIC’s Privacy and Human Rights survey released last week at the National Press Club notes that privacy is mentioned in the Bible, the Torah, and the Koran. So, in one form or another, data protection and privacy have been around for millennia. So what’s the impetus for creating an overarching framework in the EU? in the 30’s and 40’s, personal data was used to identify classes of individuals by ethnicity, religious belief, medical status, and political views. After the devastating consequences of WWII, it became apparent in Europe that there must be some way to protect individuals’ right to privacy. Three important steps: Article 8 of the European Convention of Human Rights; Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS Article 108), and the EU Charter of Fundamental Rights Article 8. Then, in 1980, the Organization for Economic Cooperation and Development (OECD) released its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. In 1995, the Directive 95/46/EC of the European Parliament and of the Council was approved went into effect in Member states had 3 years to implement the law by enacting implementation or national laws that incorporated the directive as a foundation of what we have today. Damon Greer Safe Harbor Program October 15, 2007

2 Different Approaches to Data Privacy  Why it matters
European Union’s Data Protection Directive creates a barrier for those countries, including the U.S., that do not meet the EU’s “adequacy” requirements for data protection. U.S. Department of Commerce and European Commission negotiated the SAFE HARBOR to provide U.S. companies with a simple, streamlined means of complying with the adequacy requirement. Trans-Atlantic Trade in 2006 reached $630 billion The European system of privacy protection is based on overarching legislation. The Directive prohibits the transfer of personal data to non-EU countries that do not provide “adequate” privacy protection. The Directive covers all industry sectors and virtually all personally identifiable information: any commercial transaction (B2B or B2C); broad jurisdiction. The U.S. – EU Safe Harbor was negotiated over a two-year period and in July 2000, the U.S. received an adequacy finding from the European Commission. The SH became effective in November The adequacy finding is limited to those organizations that certify to Safe Harbor. What’s at stake: more than $630 billion in trade could be affected by restrictions to data transfers without Safe Harbor not to mention the cost efficiencies reaped by consolidating data center operations in one, efficiently secured location. (Note: only adequate findings: SH, Canada, Switzerland, Argentina, Guernsey & Isle of Man.)

3 Adequacy via the Safe Harbor
Safe Harbor registration is a voluntary representation to European business partners and European citizens that U.S. companies will comply with the Safe Harbor framework. Administered by the DOC, enforced in the United States by the FTC and DOT Currently nearly 1,300 U.S. organizations, including multinationals and SMEs. The FTC Act permits the EU & U.S. to maintain their positions re: personal information protection…U.S. companies make voluntary commitments, yet the EU is satisfied because the FTC Act makes those commitments legally binding. SH benefits for U.S. firms include: Predictability & continuity: all 27 EU member states, plus European Economic Area countries (Lichtenstein, Norway, Iceland) are BOUND by the adequacy finding; Companies participating in the SH will be deemed adequate and data flows to those companies will continue; Eliminates the need for prior approval to begin data transfers Flexible privacy regime congenial to U.S. approach Positive public/privacy image; and Claims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions.

4 7 Safe Harbor Principles (SHFIPPs)
NOTICE CHOICE SECURITY ONWARD TRANSFER DATA INTEGRITY ACCESS ENFORCEMENT The SH framework includes the seven principles listed here: Notice: purpose; how to contact organization; info. transferred to any 3rd parties Choice: option to opt-out of 3rd party disclosures or purposes other than those originally collected; opt-in for other sensitive information. Onward Transfers: to disclose info. to a 3rd party, organizations must apply NOTICE & CHOICE principles, unless its an agent & that agent either 1) complies with the SH principles or 2) is subject to the Directive or other adequacy finding or 3) enters into a written agreement with the organization. Review APEC’s consent or accountability principles. Security: reasonable precautions must be taken, but SH does not specify how. Data Integrity: has to do w/the relevance of the purpose of use. Access: individuals must have access except when expense of providing access is disproportionate to the individual’s risk. Enforcement: Basically the organization must have 1) verification, 2) dispute resolution & 3) remedies mechanism in place BEFORE certifying to the SH.

5 Where to Find Safe Harbor Information
website includes: Safe Harbor List Safe Harbor Workbook Compliance Checklist/Helpful Hints Safe Harbor Documents (including principles, FAQ’s, correspondence, etc.) Historical documents (including public comments) Should familiarize yourself w/the info. on our website. The SH list is a public record of all those companies adhering to the SH principles. You’ll see a number of large multinationals, including Eli Lilly, J&J, Merck, Pfizer, P&G, but interestingly about 55% are SMEs. The FAQ’s are an important resource to provide greater insight and clarification into things like sensitive data, human resources, and for this audience, secondary liability, Pharmaceutical & Medical Products (FAQ 14). When this body of information doesn’t answer a question, we consult with our legal counsel, the FTC, and with the European Union on specific interpretations of the Directive.

6 Compliance & Enforcement
U.S. culture of customer service is highly effective in addressing customer complaints/concerns, perhaps more than comprehensive legislation. Independent recourse mechanisms are required to notify DoC of a company’s failure to comply with the Safe Harbor principles, and FTC has authority to take action. Results: No referrals and no complaints filed with the EU DPAs. TRUSTe, BBB, DMA, and others report internal complaints resolved! In general, enforcement will take place in the U.S., in accordance with U.S. law, & will rely, to a great extent, on private sector enforcement, which includes verification (your annual affirmation that your org. continues to comply w/the SH principles), dispute resolution (by 3rd party or EU DPAs), & remedies. In general, enforcement will take place in the U.S., in accordance with U.S. law, & will rely, to a great extent, on private sector enforcement, which includes verification (your annual affirmation that your organization continues to comply with the SH principles), dispute resolution (by 3rd party or EU DPAS), & remedies. On reason why has to do w/the corporate culture in the U.S. & the other is the 3rd party enforcement. Martha Landesberg of Truste who is on our panel will explain how third party dispute resolution works under the Safe Harbor Framework. With regard to transferring HR data, everyone should understand: you are required to use the EU DPA for your recourse mechanism as well as comply with member state law re: the Use of info. as well as any restrictions under national law for the transfer of such data (so you basically need to be aware of the national laws for Use…the SH is not enough).

7 Other Options for Meeting the EU Directive’s Requirements
Joining Safe Harbor is not the only means of meeting the EU Directive’s requirements Other alternatives include: “Unambiguous” consent Necessary to perform contract Codes of Conduct Model Contract Clauses Direct compliance/registration with EU Authorities Now, I’d like to mention some OTHER options for meeting the EU Directive’s requirements. You’ll here more about these options during tomorrow’s sessions. These are the Article 26 derogations: Unambiguous consent: the Directive contains a derogation/exception that allows for the use of “unambiguous consent” from a data subject to effectuate a data transfer. Some question whether HR data allows for the freedom to provide or decline consent, which is one reason the EU DPA is the dispute mechanism required. Codes of Conduct or BCRs: this is a tempting option, but has yet to emerge as a powerful tool for compliance; there is no streamlined review process and, thus far, only the application has been standardized for use in all 27 member states. You’ll hear more about BCRs during tomorrow’s sessions. Model Contract Clauses: again, an option to achieve adequacy but may be overly burdensome & no consistent interpretation among the Member States. Also enforced in the EU.

8 In November 2000, there were 6 Safe Harbor companies;
Since 2000, we’ve built credibility and confidence in Safe Harbor in the E.U. In November 2000, there were 6 Safe Harbor companies; Today, we are approaching 1,300 organizations spanning industries from consumer goods to aviation; Average 35 new members per month; EU view SH as a “Best Practice” and Gold Standard for data protection. By “we” I mean both government and the business community…without the due diligence and compliance discipline that Safe Harbor members exercise, Safe Harbor would not be held up by EU data protection authorities as a “gold standard” by which other frameworks are measured. It is recognized as a best practice in compliance and risk management. Further, both the Department and the Federal Trade Commission are serious in executing their respective roles in administering the program. I’d like to cite a testimonial from a SH member to illustrate SH’s value from a business perspective: P&G was quoted as stating that “the SH works for us. SH supports a global business model and P&G has one global privacy policy.” With 140,000 employees in 80 countries and sales to 160 countries that’s significant. Businesses are also afforded some degree of positive branding b/c inclusion in the SH demonstrates publicly that they take their privacy policy seriously.

9 Moving Forward — The Challenge Continues
Expanded dialogue with the European Commission; Conference on International Transfers of Personal Data, Brussels, October 2006 More needs to be done by EU to harmonize Data Directive; educate data subjects; we raised this specific issue in Brussels in bilateral negotiations last fall Increased Emphasis by Industry on Harmonizing Approval Process for Binding Corporate Rules Last October, the Department of Commerce co-sponsored the conference on international transfers of personal data in Brussels at the Commission’s conference center. Although we were somewhat skeptical about how we would be received, the outcome was somewhat unexpected in that the Commission and the Article 29 Working Party on Data Protection publicly announced that Safe Harbor was a success story for international cooperation on protecting and securing personal information for commercial purposes. In Brussels, we dispelled the belief that Safe Harbor was a rubber stamp for certification and in later E.U. data protection meetings, we were cited as being “tough” on approving applications to Safe Harbor. We were determined to underscore our determination to fulfill our obligations under the agreement. Today, more than 70 nations have some form of data protection/privacy framework and more plan to enact data protection or privacy legislation. ChinaDaily recently reported that the country has completed a draft data protection law and may consider its implementation next year; Korea has at last reporting three versions of law on data protection, and Mexico’s efforts to pass a law perhaps modeled on Spain’s legislation will present challenges and opportunities for all in the privacy sphere.

10 Safe Harbor Program Membership 2000 – Oct. 2007

11 Safe Harbor Program – Top 20 Industries

12 For additional information or questions
Contact me at: Damon C. Greer U.S. Department of Commerce HCHB 2003 1401 Constitution Avenue, N.W. Washington, D. C Telephone: (202) ; Fax: (202) Thank you and enjoy the conference!

Download ppt "Damon Greer Safe Harbor Program October 15, 2007"

Similar presentations

Ads by Google