Date
DATA PROTECTION: DRAFT OF LETTER FROM THE U.S. DEPARTMENT OF COMMERCE TO THE EUROPEAN COMMISSION SERVICES
I am pleased to provide you with several documents: 1) the "International Safe Harbor Privacy Principles," issued by the U.S. Department of Commerce on [date to be determined.]; 2) Frequently Asked Questions (FAQs) that supplement the Safe Harbor Principles; and 3) an overview and supporting memoranda on how organizations' safe harbor commitments will be enforced in the United States.
The Department has issued these documents under its authority to foster, promote, and develop international commerce. Both the principles and the FAQs ("the principles") are intended to serve as authoritative guidance to U.S. companies and other organizations receiving personal data from the European Union and wishing to establish a predictable basis for the continuation of such transfers. The enforcement overview and supporting memoranda are intended to explain how our enforcement mechanisms, based either on law and regulation or self-regulation, will satisfy the requirements of the enforcement principle and ensure that an organization's commitment to adhere to the principles will be effectively enforced. The safe harbor documents of course need to be read against the US legal system and its well known features, such as small claims courts, class actions, and contingency fees, which allow consumers even with novel claims relatively ready and inexpensive access to court and damages where justified.
Organizations can be assured of the benefits of the safe harbor by self certifying that they adhere to the principles. The Department of Commerce will arrange for a list to be maintained of all organizations that self certify their adherence to the principles. Both the list and the notifications submitted by organizations containing information with regard to their implementation of the principles will be made publicly available as will any proper and final adverse determination pertaining to a safe harbor organization made by a US organization and notified to the Department of Commerce or its nomineedesignee that a safe harbor organization has persistently failed to comply with the principles. Where in complying with the principles, an organization relies in whole or in part on self-regulation, its failure to comply with such self-regulation must also be actionable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts or another law or regulation prohibiting such acts.
On the basis of these documents, our expectation is that the EU will determine that this safe harbor framework provides adequate protection for the purposes of Article 25.1 of the Data Protection Directive and data transfers from the European Union would continue to organizations that participate in the safe harbor. As a result, adherence to the principles on these terms will reduce the uncertainty about the impact of the "adequacy" standard on personal data transfers to them from European Union countries.
On the basis of our dialogue, we understand that the Commission and Member States will use the flexibility of Article 26 and any discretion regarding enforcement to avoid disrupting data flows to U.S. organizations during the implementation phase of the safe harbor and that the situation will be reviewed in mid 2001. This will give U.S. organizations an opportunity to decide whether to enter the safe harbor, and (if necessary) to update their information practices. We will encourage U.S. organizations to enter the safe harbor as soon as possible to enhance privacy protection and because participation in the safe harbor provides greater certainty that data flows will continue without interruption.
During our dialogue, I raised the concerns of U.S. industry about the possible effects of the "safe harbor" as regards jurisdiction and applicable law. I would like to confirm that it is the U.S. intention that participation in the "safe harbor" does not change the status quo ante for any organization with respect to jurisdiction and liability in the European Union. Moreover, our discussions with respect to the safe harbor have not resolved nor prejudged the question of whether or when U.S. based websites may be subject to Member State or European Union jurisdiction or applicable law issues. All existing rules, principles, conventions and treaties relating to international conflicts of law continue to apply and are not prejudiced in any way by the safe harbor arrangement.
Finally, the Department of Commerce will notify the Commission in advance of any proposed FAQs or revisions to existing ones.