Department of Commerce Releases New Proposal for Data Privacy Protection
The U.S. Department of Commerce late yesterday released new documents developed to provide clear guidance to U.S. organizations seeking to comply with the European Union's Directive on Data Protection in electronic commerce.
The new documents are based on the results of a series of meetings that took place with David L. Aaron, Under Secretary of Commerce for International Trade, and John Mogg, his EU counterpart.
The discussions were prompted by the EU's directive, issued last year, which requires EU member countries to enact laws prohibiting the transfer of personal data to non-member states that fail to ensure what the EU deems to be an "adequate" level of privacy protection. The United States has favored industry-led, market-driven privacy protection principles to ensure consumer trust in electronic commerce.
The newly released documents include the revised safe harbor principles, as well as "frequently asked questions and answers" on access and a draft of the European Union's document on complaint procedures. Within a week, the Department will issue additional FAQs addressing certain sectoral concerns, other procedural issues, and several clarifications requested by interested U.S. organizations.
The Commerce Department's new draft proposal will provide the basis for the next round of discussions between the two sides on the privacy issue. The public is invited to comment on both sets of documents, which will also be provided to the EU Member States for review. The deadline for comments is May 10, 1999.
"We have achieved a substantial level of consensus on both the content of the privacy principles themselves, and on the practices and procedures that will govern transatlantic data transfers," said Aaron, in a statement.
An earlier version of the safe harbor principles was published in November 1998. Since last fall, when the European Union's Directive on Data Protection became effective, the Commerce Department has been working to develop clear and predictable guidance for U.S. organizations that would enable them to comply with the directive and avoid data flow disruptions.
"Since then, we have received extensive comments and held lengthy discussions with interested parties," Aaron said. "Access to and onward transfer of data have been particular concerns. We have also received many questions about how the broad safe harbor principles would be applied in specific cases. These latest documents address many of these concerns."
The Department and the Commission have also agreed on the key benefits for safe harbor participants. They include:
* All 15 Member States (MS) will be bound by the US/EC understanding;
* The understanding will create the presumption that companies within the safe harbor provide adequate data protection (rather than the opposite) and data flows to those companies will continue;
* Claims against U.S. organizations will for the most part be limited to claims of non-compliance with the principles. European consumers will be expected to exhaust their recourse with the U.S. organization first, and due process will be assured for U.S. organizations that are subject to complaints;
* Generally, only the European Commission, acting with a committee of Member State representatives (the Article 31 Committee), will be able to interrupt personal data flows from an EU country to a U.S. organization;
* U.S. companies will have a grace period to implement safe harbor policies.
In the next few weeks, Under Secretary Aaron will continue to meet with interested parties and will conduct another round of talks with Mogg late this month. The Department hopes to finalize the texts in May and reach a final conclusion on the safe harbor by the U.S.-EU Summit, scheduled for June 21.