Think Before Joining 'Safe Harbor'
Should your company enter the "safe harbor"? The issue is exceedingly complex, and no simple answers will be found.
A complete discussion of all aspects of safe harbor might fill this entire newspaper. In addition, the usual rule applies. Ask two lawyers about the subject, and you will get at least two different answers to most questions. Whatever you do, don't enter the safe harbor quickly or casually.
Let's begin at the beginning. The European Union data protection directive prohibits the export of personal data from European Union member states to third countries (e.g., the United States) unless the third country provides an adequate level of protection. The adequacy of the protection is assessed in light of all circumstances surrounding a data transfer, and the conclusion can vary with respect to a country from sector to sector and, perhaps, from company to company.
No one can argue with a straight face that the United States generally meets the standard of adequacy. It is hard to convince knowledgeable Europeans - and EU officials are highly knowledgeable about American privacy law - that American records have legal protections comparable to those in EU countries. Don't expect these judgments to change any time soon. Most current legislative proposals - the ones that many in the business community think are too onerous - don't meet safe harbor standards.
The agreement between the United States and the EU establishes a way for personal data to be exported for processing, notwithstanding the lack of general adequacy in the United States. It took the Commerce Department and the EU about two years to strike a deal. Essentially, companies can opt in to safe harbor and be deemed to meet the adequacy standard until proved otherwise.
By the way, the term "processing" comes straight from the directive, and it is a very broad term. It includes virtually anything you might do with personal data, including collection, use, disclosure and just plain storage. If you receive EU data, you are almost certainly processing it.
An initial question for any company is whether safe harbor matters at all. Some companies know they are receiving consumer data from European affiliates; for them, safe harbor is clearly worth considering. For multinational companies, human resource records may raise a separate set of questions.
How about American companies that just operate Web sites accessible from Europe? Are they exporting personal data from Europe? In the Internet era, this is a tough question. Answering it for your Web site may require a complete analysis of what information you collect. Even casual visitors to a Web site who are not asked to register or disclose any personal information might disclose identifiable personal data when they surf your site. Arguably, even a casual collection of information that is not used in any substantive way could create data export concerns.
For companies using the Internet, safe harbor may not offer much assistance in addressing or avoiding EU data protection problems. The safe harbor documents, at www.ita.doc.gov/td/ecom/menu.html, include a July 17, 2000, letter from the Commerce Department to John Mogg at the European Commission. This letter includes the following crucial language addressing jurisdictional issues:
"I would like to confirm that it is the U.S. intention that participation in the safe harbor does not change the status quo ante for any organization with respect to jurisdiction, applicable law and liability in the European Union. Moreover, our discussions with respect to the safe harbor have not resolved nor prejudged the questions of jurisdiction or applicable law with respect to Web sites. All existing rules, principles, conventions and treaties relating to international conflicts of law continue to apply and are not prejudiced in any way by the safe harbor arrangement."
What does this polite reservation mean? For the Internet, it means that it remains an open question whether a U.S. company operating a Web site accessible in Europe is directly subject to EU data protection laws. It is possible that EU member states will determine that a U.S. Web site operator doing business with Europeans is processing personal data within Europe and is therefore subject to EU data protection laws directly.
Consider two identical Web sites that collect personal data from visitors, one Web site in Paris and the other in Peoria, IL. I doubt that all EU member states will decide that their data protection laws only apply to the site in Europe. It may take years before anyone definitively resolves jurisdiction questions.
So a company that decides to enter safe harbor and comply with its weakened standards for data protection may discover that the full EU data protection rules still apply to it directly. The only result may be an additional layer of enforcement on top of the oversight already provided by EU authorities. It is crucial to remember that safe harbor is not the only way for a U.S. company to justify personal data exports from Europe. Several alternatives exist, and they will be discussed in future columns.
I am out of space, and I haven't even gotten a toe over the threshold of safe harbor. I told you this was a complex subject. When I return to this subject, I will explain why the safe harbor agreement is like a roach motel.
• Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture.