Date
DATA PROTECTION: DRAFT OF THE U.S. SIDE
OF THE EXCHANGE OF LETTERS WITH THE EUROPEAN COMMISSION
I am pleased to provide you with several documents: 1) the "International Safe
Harbor Privacy Principles," issued by the U.S. Department of Commerce on
[date to be determined.]; 2) Frequently Asked
Questions (FAQs) that supplement the Safe Harbor Principles;
3) an overview and supporting memoranda on how organizations'
safe harbor commitments will be enforced in the United States;
4) an overview and supporting memorandum on damages available to individuals;
5) the June --, 2000 letter from the Federal Trade Commission; and 6) the
June -, 2000 letter from the U.S. Department of Transportation.
The Department is providing
these documents under its authority to foster, promote, and develop international
commerce. Both the principles and the FAQs ("the principles") are
intended to serve as authoritative guidance to U.S. companies and other
organizations receiving personal data from the European Union and wishing
to establish a predictable basis for the continuation of such transfers.
The enforcement overview and supporting memoranda are intended to explain
how U.S.
enforcement mechanisms, based either on law and regulation or self-regulation,
will satisfy the requirements of the enforcement principle and ensure that
an organization's commitment to adhere to the principles will be effectively
enforced. The safe harbor documents of course need to be read against the
U.S. legal system and its well-known features, such as small claims courts,
class actions and contingency fees, which allow consumers even with novel
claims relatively ready and inexpensive access to the courts and damages
where justified.
Organizations can be assured of the benefits of the safe harbor
by self certifying that they adhere to the principles. The Department of
Commerce will arrange for a list to be maintained of all organizations
that self certify their adherence to the principles. Both the list and
the notifications submitted by organizations containing information with
regard to their implementation of the principles will be made publicly
available as will any proper and final adverse determination made by a
U.S. enforcement body
and notified to the Department of Commerce or its designee that a safe
harbor organization has persistently failed to comply with the principles.
Where in complying with the principles, an organization relies in whole
or in part on self-regulation, its failure to comply with such self-regulation
must also be actionable under Section 5 of the Federal Trade Commission
Act prohibiting unfair and deceptive acts or another law or regulation
prohibiting such acts.
On the basis of these documents, our expectation is that the EU will
determine that this safe harbor framework provides adequate protection
for the purposes of Article 25.1 of the Data Protection Directive and data
transfers from the European Union would continue to organizations that
participate in the safe harbor. As a result, adherence to the principles
on these terms will reduce the uncertainty about the impact of the "adequacy"
standard on personal data transfers to such organizations from European
Union countries.
On the basis of our dialogue, we understand that the Commission and Member States will use the flexibility of Article 26 and any discretion regarding enforcement to avoid disrupting data flows to U.S. organizations during the implementation phase of the safe harbor and that the situation will be reviewed in mid 2001. This will give U.S. organizations an opportunity to decide whether to enter the safe harbor and (if necessary) to update their information practices. We will encourage U.S. organizations to enter the safe harbor as soon as possible to enhance privacy protection and because participation in the safe harbor provides greater certainty that data flows will continue without interruption.
During the dialogue, you sought assurances that where the United States enacted
privacy legislation providing greater privacy protection than the safe
harbor, such protection should be applied to safe harbor data too, in cases
where the law applied with respect to U.S. citizens only, but was silent
on its applicability with respect to non-U.S. citizens. You noted that
the EU Directive on Data Protection applies to all personal information
processed in Europe, regardless of the individuals' citizenship or residency.
I would like to confirm that we agree that privacy legislation should not
apply differently on the basis of nationality and to assure you that if
such legislation were proposed in Congress, we would work within the legislative
process to avoid any such effects. We also undertake to continue our efforts
to keep you informed of legislative and other developments in the United
States in the field of privacy protection of which we are aware, with particular
attention to any such developments that may create allowable exceptions
to the principles. Of course, you can raise any concerns about these issues
under the review arrangements provided for.
Similarly, on a number of occasions I raised
with you the concerns of U.S. industry about the possible effects
of the "safe harbor" as regards jurisdiction and applicable law. I would
like to confirm that it is the U.S. intention that participation in the
safe harbor does not change the status quo ante for any organization with
respect to jurisdiction, applicable law
and liability in the European Union. Moreover, our discussions with respect
to the safe harbor have not resolved nor prejudged questions of jurisdiction
or applicable law with respect to websites. All existing rules, principles, conventions
and treaties relating to international conflicts of law continue to apply
and are not prejudiced in any way by the safe harbor arrangement.
Finally, the Department of Commerce will notify the Commission in advance
of any proposed FAQs or revisions to existing ones.