Dec 2, 1999

I am national legislative director for the Association of Information Technology Professionals (AITP), formerly known as the Data Processing Management Association (DPMA). Although the BOD of our Association has not formally approved these comments, I believe that they reflect the general view of our members.

It should be remembered that the employees of the information industry in the United States are also consumers within the United States. The only difference is that we perhaps have a greater understanding of the specific ways in which our privacy is violated.

The basic premise of Safe Harbor is to support industry self regulation. For this to be successful, American and European consumers must be convinced that self regulation will protect our privacy. Self regulation is in place now, without legislative oversight, and either succeeds or fails in protecting the privacy of US consumers. Regrettably, self regulation as practiced to date has failed to provide those protections. One needs only point to the recent debacle where a TrustE certified organization was caught harvesting real consumer data about music usage, yet was able to preserve their TrustE certification even after this secret invasion of consumer privacy was discovered. At the same time, TrustE was forced to make the admission that no certification of theirs had ever been revoked no matter how egregious the violation. This is the example of industry self regulation which consumers must look to and judge it by, and which I as a consumer find to be a failure in protecting my interests. With that as a benchmark, consumers have no choice but to hope that the EU's position wins out in this negotiation.

For industry self-regulation to be a convincing alternative to the EU's proposal, US industry must demonstrate a willingness and ability to come down hard on those who would violate the trust of our consumers with real sanctions for real violations - a position which industry to date appears unwilling to take.

At the same time, industry points of contention with Safe Harbor have merit. Safe Harbor was sloppily and hastily drawn up, with limited detail. How are violations prosecuted? What are the provisions for judicial review? What specifically constitutes a violation of safe harbor? Safe Harbor is a contract between a consumer and a business. Both parties should have some reliance on how that contract will be enforced. Both parties are currently left guessing by the terms of the agreement as written. The same lack of clarity which concerns European negotiators concerns both US businesses and US consumers.

And finally, we see one set of standards for European consumers and a second, weaker set of standards for US consumers. According to a March 1999 story in PC World, Undersecretary of Commerce David Aaron was quoted as saying:

"In no way does the U.S. government intend for these safe harbor principles to be seen as precedents for any future changes in the U.S. privacy regime," Aaron said, according to a speech transcript. "Indeed, some of these principles might not be appropriate in a strictly American context."

Why should we be second class citizens in our own country, with lesser protections of our privacy rights than European citizens have?

The US government, and US industry, currently fail to enjoy the confidence of our own citizens when it comes to the protection of privacy rights. We need to earn that confidence internally before we can look to Europe and ask EU citizens and governments to give us that trust externally.
 

Charles Oriez