March 17, 2000

Dear Colleagues:

The U.S. Department of Commerce and the European Commission's Internal Market Directorate have now reached a tentative conclusion to the safe harbor dialogue and seek to conclude their dialogue by the end of March. The European Commission will use the intervening time to consult with the Member States and other European Union institutions. (The formal adoption of the full set of safe harbor documents will take more time and requires on the European side consultation with data protection authorities and the European Parliament and approval by the Member States and the Commission.) At the same time, the Department will consult with other U.S. government agencies and the public on the documents. With this posting, the Department is requesting public comment on the full set of safe harbor documents.

Because more time is needed to examine recent developments in U.S. laws governing privacy in the financial services sector and the Financial Modernization Act regulations are not yet complete, we will continue working with the European Commission with the goal of bringing the benefits of the safe harbor to the financial services sector. We do not anticipate interruptions in data flows while we continue our good faith efforts to resolve these issues.

With respect to the implementation phase, the two sides have agreed to review adherence to the safe harbor in the middle of 2001. In the meantime, we expect interruptions to data flows to continue uninterrupted.

Background

The Department of Commerce has been working very closely over the past two years with the European Commission to develop clear and predictable guidance to U.S. organizations that would enable them to comply with the requirements of the European Union's Directive on Data Protection regarding personal data transfers to third countries. The Directive, which went into effect in October, 1998, allows the transfer of personally identifiable data to third countries only if they provide an "adequate" level of privacy protection. Because the United States relies largely on a sectoral and self-regulatory, rather than legislative, approach to effective privacy protection, many U.S. organizations have been uncertain about the impact of the "adequacy" standard on personal data transfers from European Community countries to the United States.

In Fall 1998, the Department proposed a safe harbor for U.S. companies that choose to adhere to certain privacy principles. The safe harbor principles are designed to serve as guidance to U.S. organizations seeking to comply with the "adequacy" requirement of the European Union Directive. Organizations within the safe harbor would be viewed as providing adequate privacy protection, and data transfers from the European Community to them could continue. Organizations would come into the safe harbor by self certifying that they adhere to these privacy principles. The decision to enter the safe harbor would be entirely voluntary. As a result of the safe harbor proposal, the European Union announced its intention to avoid disrupting data flows to the US by using the flexibility provided for in the Directive so long as the US is engaged in good faith negotiations with the European Commission. Data flows have not been interrupted, and we expect this situation to continue while the safe harbor is finalized and companies implement its requirements.

On three separate occasions, most recently in November, 1999, the Department issued for review and comment by interested organizations the draft principles and frequently asked questions (FAQs) that would form the basis of the safe harbor arrangement. We received numerous written comments in response to these documents and countless additional comments and suggestions in the subsequent months through extensive discussions with interested parties. The comments we received have generally supported the safe harbor concept, while also raising questions about certain aspects of the principles and the FAQs. The comments we received have been extremely valuable, both in helping us understand how data is protected in practice and in working with the European Commission to find appropriate solutions to issues raised in our discussions.

Documents for Review and Comment

As noted above, the United States Department of Commerce and the European Commission's Internal Services Directorate have reached a tentative conclusion to the safe harbor dialogue, and we are now posting the latest versions of the documents which, when finalized, will provide the elements necessary to set up the safe harbor. The texts for FAQ 5 (Cooperation with Data Protection Authorities) and FAQ 9 (Human Resources) are footnoted to reflect that the final texts depend upon approval by the Article 29 Working Party. The present text of FAQ 5 has been discussed by the Article 29 Working Party, and a majority find it acceptable, but the Working Party prefers to take a final view on both FAQs in the context of an overall opinion on the safe harbor. The documents, with the exception of FAQ 5, are redlined against the documents that we published on November 15 and 16. FAQ 5 had too many changes for redlining to be effective. Documents with asterisks (*) will be posted early next week.

The deadline for comments on these documents is March 28, 2000. [Note that this deadline has been extended to April 5, 2000.]  We hope you will take time to review the entire safe harbor package and share your views on the material. We welcome your comments on all aspects of the safe harbor and are particularly interested in your views on whether we should proceed to finalize the safe harbor along the lines represented here. To submit your comments, please refer to the instructions in Attachment A.

Sincerely,

Ambassador David L. Aaron



Attachments:

A: How to Submit Comments (see guidance below)

B: Draft International Safe Harbor Principles - March 17, 2000

C: Draft Frequently Asked Questions - March 17, 2000

1. Sensitive Data

2. Journalistic Exceptions

3. Secondary Liability

4. Investment banking and audits

5. The Role of Data Protection Authorities

6. Self-Certification

7. Verification

8. Access

9. Human Resources

10. Article 17 contracts

11. Dispute Resolution and Enforcement

12. Choice - Timing of Opt-out

13. Travel Information

14. Pharmaceutical and Medical Products

15. Public Record and Publicly Available Information
 

D. Text of Article 25.6 Decision*

E. Letter from David Aaron to John Mogg transmitting safe harbor principles and FAQs, etc.*

F. Letter from John Mogg to David Aaron transmitting the Article 25.6 decision, etc.*

* These documents will be posted early next week.

Attachment A

Please submit all comments on any of the draft documents to the Department of Commerce by April 5, 2000 (extended from March 28, 2000). We request that all comments be submitted electronically in an HTML format to the following email address: Ecommerce@ita.doc.gov. If your organization does not have the technical ability to provide comments in an HTML format, please forward them in the body of the email, or in a Word or WordPerfect format. We intend to post all comments on our web site and your efforts to comply with the format request will greatly facilitate this effort.

If necessary, hard copies of comments can be mailed to the Electronic Commerce Task Force, U.S. Department of Commerce, Room 2009, 14th and Constitution Ave., NW, Washington DC 20230, or faxed to 202-501-2548.

Please direct any questions to Becky Richards at Rebecca_Richards@ita.doc.gov or 202-482-5227.