November 15, 1999

Dear Colleagues:

The Department of Commerce has been working very closely over the past year with the European Commission to develop clear and predictable guidance to U.S. organizations that would enable them to comply with the requirements of the European Union's Directive on Data Protection regarding personal data transfers to third countries. The Directive, which went into effect late last year, allows the transfer of personally identifiable data to third countries only if they provide an "adequate" level of privacy protection. Because the United States relies largely on a sectoral and self-regulatory, rather than legislative, approach to effective privacy protection, many U.S. organizations have been uncertain about the impact of the "adequacy" standard on personal data transfers from European Community countries to the United States.

Last Fall, the Department proposed a safe harbor for U.S. companies that choose to adhere to certain privacy principles. As we explained then, the principles are designed to serve as guidance to U.S. organizations seeking to comply with the "adequacy" requirement of the European Union Directive. At that time, we envisioned that the arrangement would provide organizations within the safe harbor with a presumption of adequacy and data transfers from the European Community to them could continue. Organizations would come into the safe harbor by self-certifying that they adhere to these privacy principles. The decision to enter the safe harbor would be entirely voluntary. As a result of the safe harbor proposal, the European Union announced last Fall its intention to avoid disrupting data flows to the US by using the flexibility provided for in the Directive so long as the US is engaged in good faith negotiations with the European Commission. That "standstill" continues in effect.

Last November and then again in April of this year, the Department issued for review and comment by interested organizations the draft principles and a set of frequently asked questions (FAQs) that would form the basis of the safe harbor arrangement. We received numerous written comments in response to these documents and countless additional comments and suggestions in the subsequent months through extensive discussions with interested parties. Generally, the comments we received supported the safe harbor concept, although they did raise questions about certain aspects of the principles and the FAQs. The comments we received have been extremely valuable, both in helping us understand how data is protected in practice and in working with the European Commission to find appropriate solutions to issues raised in our discussions.

New Documents for Review and Comment

The United States Department of Commerce and the European Commission's Services believe there is sufficient common ground about the structure and benefits of the "safe harbor," the privacy principles that must be observed by participants in the "safe harbor," and the enforcement process to now initiate their respective governmental and public reviews to determine whether or not the "safe harbor" arrangement can be finalized more or less on this basis. As a result, we are now posting the latest versions of the discussion documents which, when finalized, will provide the elements necessary to set up the "safe harbor."

In some cases, the two teams involved in the dialogue regard the texts as representing a shared view. In others, the content of the texts is not fully shared, but the discussion is nevertheless regarded as closed, because one or the other side is subject to legal constraints.  This category includes, for example, several instances in which the Commission's proposed changes could possibly raise First Amendment issues (e.g. the FAQs on journalistic exceptions, public records and publicly available information). A third category involves documents which, while including much shared text, also contain some wording which may be subject to further change before both sides are ready to finalize the arrangements. The main outstanding issues are indicated in footnotes in this third category of documents.

One of the significant changes to the proposed safe harbor arrangement since last April is in the area of enforcement. Over the summer, the EC proposed that all enforcement be carried out in the United States, subject to very limited exceptions. The safe harbor now would create not just a presumption of adequacy for companies in the safe harbor, but a finding of adequacy, for the safe harbor as such. The new approach is attractive because it gives deference to the self-regulatory process in the United States. In addition, since fewer complaints will actually be handled in Europe, national treatment and MFN should be less of an issue.

As you review these documents, you should note that we have not posted a revised version of the FAQ on Risk Management. Given the enactment of the Gramm-Leach-Bliley Act of 1999, we believe the risk management FAQ is no longer necessary at least for the entities covered by that Act. We seek comment on whether there are entities not covered by the Act who would need a FAQ on risk management along the lines of the relevant provisions of the Act. Additionally, you should note that US requests that the Commission provide adequacy determinations on the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act are still pending.

The deadline for comments on these documents is December 3, 1999.  We hope you will take time to review the entire safe harbor package and share your views on the material. We welcome your comments on all aspects of the safe harbor and are particularly interested in your views on whether we should proceed to finalize the safe harbor along the lines represented here. To submit your comments, please refer to the instructions in Attachment A.

Sincerely,

Ambassador David L. Aaron


Attachments:

A: How to Submit Comments (see guidance below)

B: Draft International Safe Harbor Principles - November 15, 1999

C: Draft Frequently Asked Questions - November 15, 1999

1. Sensitive Data

2. Journalistic Exceptions

3. Secondary Liability

4. Investment banking, audits, and headhunters

5. The Role of Data Protection Authorities

6. Self-Certification

7. Verification

8. Access

9. Human Resources Data

10. Article 17 contracts

11. Dispute Resolution and Enforcement

12. Choice - Timing of Opt-out

13. Airline Passenger Reservations

14. Pharmaceuticals

15. Public Record and Publicly Available Information

D: Summary of Article 25.6 Decision (Because the actual text of that draft decision is not ready to be posted at this time, we will be posting a summary of the proposed decision.)

E: Letter from David Aaron to John Mogg transmitting safe harbor principles and FAQs, etc.

F: Letter from John Mogg to David Aaron transmitting the Article 25.6 decision, etc.

Attachment A

Please submit all comments on any of the draft documents to the Department of Commerce by December 3, 1999. We request that all comments be submitted electronically in an HTML format to the following email address: Ecommerce@ita.doc.gov. If your organization does not have the technical ability to provide comments in an HTML format, please forward them in the body of the email, or in a Word or WordPerfect format. We intend to post all comments on our web site and your efforts to comply with the format request will greatly facilitate this effort.

If necessary, hard copies of comments can be mailed to the Electronic Commerce Task Force, U.S. Department of Commerce, Room 2009, 14th and Constitution Ave., NW, Washington DC 20230, or faxed to 202-501-2548.

Please direct any questions to Eric Fredell at Eric_Fredell@ita.doc.gov or 202-482-0343.