After more than two years of negotiations, the “safe harbor” data privacy protection agreement between the United States and Europe took effect yesterday, allowing U.S. companies to voluntarily join the program.
However, the question of whether U.S. businesses will embrace safe harbor remains to be answered.
According to the European Union's Data Privacy Directive, personal information may not be transferred to countries without “adequate” privacy protection. Since the United States does not have a privacy law, the EU saw the need to implement rules that must be followed by U.S. businesses to protect European data from misuse. As a result, seven principles were drafted to ensure the safety of personal information.
The principles — as negotiated by the European Commission and the U.S. Department of Commerce — are: notice of what information is collected and how it is used; choice to opt out of third-party data sharing; onward transfer of data only to third parties that give notice and choice; security precautions to safeguard data; data integrity processes for the collection of relevant data only; access to information and the ability to correct or delete it; and enforcement of privacy protection and consequences for lapses.
Organizations wishing to join safe harbor must submit a certification form to the International Trade Administration of the U.S. Department of Commerce. The form is available at www.export.gov/safeharbor and may be submitted online. Before being accepted into the program, companies must show proof that they are complying with the principles.
Critics contend that entry into safe harbor will set the standard for privacy practices within the United States that American businesses may not want. They also claim that it will not bode well with U.S. customers if businesses are offering better privacy protections to European customers.
Even those who support the agreement do not advocate jumping in without careful consideration.
“In the process of deciding how they are going to approach data coming from Europe, U.S. companies are going to have to decide whether to institute these policies across the board for all data,” said Charles Prescott, vice president of international business and government affairs at the Direct Marketing Association. “If companies are quick to join up, they have not looked cautiously and carefully at what they need to do internally to assure that they have properly implemented the privacy policies and procedures required by the safe harbor.”
To coincide with the launch of safe harbor, privacy seal provider TrustE announced its EU Safe Harbor Privacy Seal, which may be obtained by companies that join safe harbor.
Although the Federal Trade Commission will act as the policing agent for the safe harbor program, TrustE claims its program will offer additional avenues for dispute resolution.
The list of participating companies certified by the U.S. Department of Commerce can be found at www.export.gov/safeharbor. At press time, only two companies had enrolled in the safe harbor program.
U.S. and EU officials will review the safe harbor program one year from its inception.
