The European Union Directive on the Protection of Personal Data became effective October 1998. The Directive arose from EU efforts to harmonize its Member's laws with regard to the protection of personal data. Its goal was to facilitate information flows within the EU and, thus, to strengthen the EU's internal market and to foster the development of the information-based economy, generally, and e-commerce and the Internet, specifically.
The Directive applies to all organizations, public and private, operating in the EU. It covers the processing of all personal data, whether done automatically or manually. There is no exception for public records, such as telephone directory listings. Under the Directive data may be collected and used only for specified, explicit and legitimate purposes, and only those purposes. Security and accuracy must be guaranteed. Individuals have not only the right to access and the right to correct errors, but also to remedial measures and compensation, if necessary. The transfer of data to third parties may occur only under similarly strict requirements. More stringent rules apply to the processing of sensitive data, including data relating to race; ethnic origin; political, religious, or philosophical beliefs; and health or sex life.
Need for the agreement
The Directive prohibits the transfer of personal data to any nation outside the EU that does not meet the EU test of "adequacy" with regard to privacy protections. The European Commission expressed concern that some of the data protection practices of the United States (e.g., self-regulatory privacy initiatives) would not be deemed "adequate protection" under the Directive. The Directive potentially threatened to disrupt or, in some limited cases, even to prevent the transfer of data between the EU and the United States.
The reason for the dissimilarities in the two regulatory regimes appear to lie in fundamentally different approaches to the issue of privacy. The right to privacy is a fundamental human right recognized both in the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of European Community laws. Thus, the EU had implemented privacy protection by enacting comprehensive legislation. By contrast, the United States has focused on industry sectors, overseeing the collection and use of data through a mix of legislation, regulation, and industry self-regulation, such as federal rules applicable to medical records. Moreover, U.S. firms tend to view private data as a valuable commercial asset rather than as an individual asset. Practically, in the United States, this usually means the consumers must "opt out" of customer lists and sales promotions; in Europe, customers generally have to "opt in" to commercial marketing schemes.
U.S. and EU officials engaged in informal dialogue concerning implementation of the Directive. The dialogue focused on the goals of enhancing data protection for European citizens while maintaining the free flow of personal information between Europe and the United States.
On November 4, 1998, former U.S. Department of Commerce Undersecretary for International Trade David L. Aaron proposed a “safe harbor” for U.S. companies that choose to adhere to certain privacy principles. The safe harbor was created to permit U.S. companies that voluntarily adhere to the principles to continue transborder data transfers with EU Member States. The principles were designed to serve as guidance to U.S. organizations seeking to comply with the "adequacy" requirement of the directive, and would provide organizations within the safe harbor with a presumption of adequacy and data transfers from the European Community to them could continue.
Organizations would come into the safe harbor by self-certifying that they adhere to these privacy principles. In April 1999, the Department issued revised draft principles and a set of frequently asked questions (FAQs) providing guidance for the implementation of the principles as well as an enforcement overview that would form the basis of the safe harbor arrangement.
International Safe Harbor Privacy Principles
On November 15, 1999, the Department of Commerce posted on its website documents related to the U.S.-EU Safe Harbor Framework. The seven International Safe Harbor Privacy Principles promulgated by the Department of Commerce are: notice, choice, onward transfer, security, data integrity, access, and enforcement.
- The “notice” principle requires an organization to inform individuals about the personal information it collects about them.
- The “choice” principle requires organizations to give individuals the opportunity to choose whether and how their personal information is used.
- The “onward transfer” principle gives individuals the choice over whether and the manner in which their information is used by a third party.
- The “security” principle requires reasonable measures to be taken to assure information is used for its intended purpose and to protect it.
- The “data integrity” principle requires that data be accurate, complete, current, and relevant.
- The “access” principle provides individuals with reasonable access to their information and the opportunity to correct, amend, or delete inaccurate information except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the rights of another would be violated.
- The “enforcement” principle establishes mechanisms for ensuring compliance with the principles that include independent recourse mechanisms, systems to verify the privacy practices of businesses, and obligations to remedy implementation problems arising from the principles.
The principles were not intended to govern or affect U.S. privacy regimes.
History of the Safe Harbor Framework
On December 3, 1999, the Data Protection Working Party of the European Commission released its opinion on the Level of Data Protection provided by the "Safe Harbor" Principles and the Frequently Asked Questions issued on November 15 and 16, 1999 by the Department of Commerce. The Working Party concluded that the proposed "Safe Harbor" arrangements in the various documents remain unsatisfactory. The Working Party invited the Commission to urge the U.S. to make a number of improvements
On March 14, 2000, the European Commission and the United States finalized the Safe Harbor Agreement. The EU’s Article 31 Committee, which represents EU Member States, failed to approve the agreement at its March 30 meeting. It decided to delay a vote until its May meeting on the agreement. On May 31, the EU Member States voted unanimously to approve the U.S. proposed safe harbor principles at a U.S.-EU summit held in Lisbon, Portugal. The European Parliament rejected the Safe Harbor Agreement. The Safe Harbor Agreement went into effect on November 1, 2000.
Compliance with the Safe Harbor Agreement
|“||Safe harbor is a self-regulatory privacy protection system in the United States which was the subject of a positive adequacy decision by the European Commission on 26 July 2000 regarding data transfers from the European Union to the United States.||”|
Decisions to qualify for the privacy safe harbor are entirely voluntary, and organizations may qualify for the safe harbor in different ways. In order to obtain and retain recognition that they provide an adequate level of protection for the transfer of data from the EU to the United States, organizations must comply with the Principles and FAQs, and publicly disclose that they do so. For example, according to the principles, if an organization joins a self-regulatory privacy program that adheres to the principles, it qualifies for the safe harbor. They may also qualify for the safe harbor by developing their own self-regulatory privacy policies that adhere to the safe harbor principles.
Where an organization relies on self-regulation to comply with the principles, failure to comply with self regulation is actionable under Section 5 of the FTC Act prohibiting unfair or deceptive trade practices or another law or regulation prohibiting such acts.
In addition, organizations subject to a statutory, regulatory, administrative or other body of law (or of rules) that protects personal privacy may also qualify for safe harbor benefits. Sectors and/or data processing not subject to the jurisdiction of any of the government entities listed fall outside the scope of the agreement. The Department of Commerce maintains and makes available to the public a list of organizations self-certifying their adherence to the principles, and updates the list on an annual basis.
Safe harbor benefits are assured from the date on which an organization self-certifies to the Department of Commerce its adherence to the principles. It is up to either a U.S. government body (e.g., the Federal Trade Commission or the courts) or a U.S. self-regulatory body (e.g., BBBOnLine or TRUSTe) to enforce the terms of the safe harbor. U.S. companies had one year from [implementation]] of the Directive to apply the safe harbor principles.
- Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data, Eur. O.J. L281/31 (Nov. 23, 1995).
- European Commission, "First Orientations on Transfers of Data to Third Countries — Possible Ways Forward in Assessing Adequacy," 14 BNA Int'l Trade Rptr. 1338 (July 30, 1997).
- Report on Compliance with, and Enforcement of, Privacy Protection Online, at 12 n.5.
- See, e.g., "FTC Settles with Six Companies Claiming to Comply with International Privacy Framework" (Oct. 6, 2009) (full-text). See also In the Matter of Google Inc.