Update: U.S., EU Reach Safe Harbor Agreement
The text of the agreement was agreed upon March 14 but will be officially finalized and placed on the Commerce Department's Web site, www.ita.doc.gov/ecom, today or tomorrow, after lawyers have approved it, said a spokeswoman for Secretary of Commerce William E. Daley. The agreement is expected to say that U.S. organizations gathering personal information from Europeans will voluntarily comply with EU privacy concerns when dealing with data from the 15 countries in the EU.
While safe harbor supposedly means that U.S. companies cannot gather or use personal information about European consumers without their express consent, the exact principles are still in question.
"The safe-harbor principles are presumably an evolution of the documents that we have seen before," said Robert Gellman, a Washington-based privacy and information policy consultant, "but there is a tremendous amount of uncertainty surrounding the principles and what companies are supposed to do right now."
An original set of safe-harbor principles was issued in 1998 by the Commerce Department allowing the continued flow of personal information about Europeans to U.S. companies since new privacy rules prohibiting the activity had been developed. These privacy rules - the EU's Directive on Data Protection - prohibit the transmission of names, addresses and other personal data about European citizens to any country with regulations that fail to provide adequate data protection on personal information, including the United States. The United States relies mainly on a self-regulating system.
The original safe-harbor principles urge U.S. companies to:
• Tell European consumers what information is being collected and how it will be used.
• Give individuals the right to decide if the information is to be given and how it should be used.
• Provide individuals with reasonable access to the information and let them correct inaccuracies.
• Provide access to independent entities to resolve disputes with companies facing unspecified consequences for violating the guidelines.
According to insiders, the safe-harbor principles that have been approved are based on these guidelines but are now more acceptable to the EU.
"The arrangement demonstrates that both the EU and the U.S. recognize that a carefully constructed and well-implemented system of self-regulation, as advocated by the president and the vice president, can protect privacy rights," Daley said in a statement. "I believe it also has important implications for developing self-regulatory models that could be useful in other areas."
David Aaron, U.S. undersecretary of commerce for international trade, told reporters at a Brussels, Belgium, news conference that it's a good solution.
"Safe harbors now look set to become a reality," said John Mogg, Aaron's EU counterpart. "Companies are free to join as soon as this goes into effect, around July or August."
Before the agreement can be implemented, it must be approved by the union's 15 member states, the EU's executive commission and the European Parliament. The document will be put to the union's member states for preliminary approval at a meeting of member states on March 30-31. The other groups will review it after this.
The Commerce Department is expecting the groups to approve it at a U.S.-EU summit in early June. Their approval is necessary to finalize the arrangement.
Once implemented, U.S. firms will have several options for obtaining safe harbor from litigation or prosecution in Europe: They can agree to formally subject themselves to oversight by EU regulators; they can sign up with an accepted self-regulatory organization subject to oversight by the Federal Trade Commission; or they can demonstrate that U.S. laws are comparable to those of Europe in the area in which they operate.
A company that chooses not to join a safe harbor still could receive data from Europe but could face problems if complaints arise over its level of data protection.
The two sides did not include financial services in the accord because new U.S. legislation on data privacy in that sector does not take effect until mid-May.
"We're reserving judgment on financial services until the legislation is sorted out," Mogg said.