The Department of Commerce is engaged in ongoing negotiations with the European Union about the EU's data protection directive. The key issue is how the directive will affect data exports to the United States.
The Department's latest gambit was the development of “safe harbor” principles. The idea was that companies agreeing to follow a designated set of fair information practice principles would have a presumption of adequacy, and data could be exported from Europe to those companies. On the surface, the idea has some merit.
The notion of a safe harbor has been under discussion with the EU for months. In November, the Department of Commerce finally decided to seek public comments on what it was doing. There has been some grumbling in recent months that the Department has not been consulting enough with the business community.
You may not have heard much about Commerce Undersecretary David Aaron's request for comments. The document appeared on a secret Department Web page and was invisible even to a search engine. Informing the public — or even all of the business community — was obviously not a concern. Only those in the know could find the request. Others could only surf the usual items on the Department's Web page, including pictures of Aaron available for downloading. The only way to find Aaron's letter seeking comments was to know the secret address. The comments can now be found at www.ita.doc.gov/ecom/com.
Not only was the request published secretly, but the comment period was short. The date on the request was Nov. 4, and the deadline for comments was Nov. 19. Even more telling was the salutation on the letter: “Dear Industry Representative.” The Department is obviously not shy about identifying its real constituency or about showing its lack of interest in the views of organizations representing consumers, privacy advocates, Internet users or others.
The substance of the proposal was a watered-down and revised set of fair information practices contained in the EU directive.
In the end, it is not entirely clear that the comment process was sincere or worth the effort. Following receipt of the comments, Barbara Wellbery, special counsel for electronic commerce at the Department, said, “there doesn't seem to be any basic disagreement about the principles that are there.”
It appears Wellbery didn't bother to read the comments because plenty of questions were raised about the principles. Some thought the limited principles were too strong. Others thought they were too weak. Still others found the principles incomplete and missing major EU data protection requirements.
Trade associations and others showed cautious support for a safe harbor framework. But they raised numerous questions about the meaning of the safe harbor itself. The proposal did not make it clear how a company qualifies or what the benefits would be. People on all sides found the proposal tremendously unclear. Five law professors with divergent views about privacy jointly filed critical comments. The professors' letter reportedly circulated widely in Europe.
The shortcomings of the safe harbor proposal would not be as troubling if the Department had shown any long-term competence in dealing with privacy. The truth is that the Department has never had a strategy for addressing privacy, and it lurches from one approach to the next. The Department first argued the United States had adequate privacy policies. Then it said we didn't but the industry would solve the problem on its own. Then it decided effective self-regulation was necessary and proposed standards for self-regulation. Now it is pushing a different set of standards nobody understands.
It was predictable that the specifics of the safe harbor proposal would not be well received in Europe. A few days after the comment period closed, a news story datelined Brussels appeared with sharply negative reaction from an EU official. The proposal was effectively — although not formally — rejected before Commerce presented it in negotiations. The ship sank before leaving the dock.
The Commerce Department is engaged in an exercise that is the equivalent of rewriting the EU directive or drafting an omnibus privacy statute. The safe harbor proposal is that sweeping in scope. The Department has opposed a one-size-fits-all privacy law, but now it is trying to do the same thing with its proposal. It is ludicrous to think a one-page document could serve as a complete substitute for a complex set of rules the EU spent years to develop.
The United States needs to begin negotiations with a position that is more coherent and more specific. If we do not know what our proposal means, how can we expect the Europeans to understand it? The notion of a safe harbor is not, by itself, objectionable. It may well ultimately form a basis for reaching an agreement with the EU. However, asking the EU to completely abandon or substantially weaken basic data protection principles that are part of European Community law and the law of many of its member states shows a lack of respect and reality.
The Department needs to be more pragmatic in selecting a starting point for negotiations and in identifying its objectives. It also needs to do a better job of reaching out to a broader constituency.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House of Representatives subcommittee on information, justice, transportation and agriculture. He can be reached at [email protected]