The U.S. Department of Commerce released new documents this week designed to provide clear guidance to U.S. organizations seeking to comply with the European Union's Directive on Data Protection in electronic commerce.
The documents, which are in draft form, include a series of revised safe harbor principles based on notice, choice, onward transfer, security, data integrity, access and enforcement. Organizations must tell consumers what it will use the information for, who it will give it to and how a consumer can limit its use and disclosure.
The Department hopes to finalize the texts in May and reach a final conclusion on the safe harbor before the U.S.-EU Summit, scheduled for June 21. An earlier version of the safe harbor principles was published in November 1998.
The new documents also include frequently asked questions and answers on access and a draft of the European Union's document on complaint procedures. This week, the department will issue additional information that address other sectoral concerns, procedural issues and several clarifications requested by interested U.S. organizations.
The documents are based on the results of a series of meetings that have taken place since last year between David L. Aaron, Under Secretary of Commerce for International Trade, and John Mogg, director general of international market and financial services for the European Commission.
The meetings were prompted by the EU's directive, which requires EU member countries to enact laws prohibiting the transfer of personal data to nonmember states.
“Access to and onward transfer of data have been particular concerns,” Aaron said. “We have also received many questions about how the broad safe harbor principles would be applied in specific cases. These latest documents address many of these concerns.”
While the EU and the Commerce Department have worked together closely on the new principles, a spokesperson for the EU said “we are not fully endorsing the [safe harbor principles] just yet.”
The Department and the Commission have agreed on the key benefits for safe harbor participants. They include:
* All 15 Member States will be bound by U.S./EC understanding;
* The understanding will create the presumption that companies within the safe harbor provide adequate data protection and data flows to those companies will continue;
* Claims against U.S. organizations will be limited to claims of noncompliance. European consumers will be expected to exhaust their recourse with the U.S. organization first, and due process will be assured for U.S. organizations that are subject to complaints;
* Generally, only the European Commission, acting with a committee of Member State representatives, will be able to interrupt personal data flows from an EU country to a U.S. organization;
* U.S. companies will have a grace period to implement safe harbor policies.
The Commerce Department's new draft proposal will provide the basis for the next round of discussions between the two sides on the privacy issue. The public also is invited to comment on both sets of documents, which also will be provided to the EU Member States for review. The deadline for comments is May 10, 1999.
In the next few weeks, Aaron will meet with interested parties and conduct another round of talks with Mogg later this month.