Department of Commerce Requests Comment on Data Privacy Principles

Washington, DC, April 27, 1999 - The U.S. and the European Union have been engaged in ongoing negotiations over the terms of a safe harbor that would protect U.S. businesses from enforcement actions under the EU Data Protection Directive. The Directive, which went into effect on October 25, 1998, governs the processing of personal data in the EU and the transfer of that data to countries outside the EU. By its terms, the Directive prohibits the transfer of data to countries outside the EU that lack adequate privacy protections. The safe harbor would create a presumption that, for purposes of the Directive, companies complying with the safe harbor terms adequately protect privacy. This presumption would substantially reduce the possibility of disruptions to data flows to and from European sources.

On April 19, 1999, the Department of Commerce issued for comment the first set of draft documents that will comprise the safe harbor-draft privacy principles, draft EU procedures, and draft frequently asked questions-as well as a letter from Ambassador David L. Aaron. The European Commission is concurrently seeking comments on the materials from EU member states. Comments on the proposed safe harbor are due to the Department of Commerce by May 10, 1999.

The draft would allow companies access to the safe harbor in two ways. Where an organization is subject to U.S. statutory, regulatory, administrative, or other law that effectively protects personal data privacy, it qualifies for the safe harbor to the extent that its activities are governed by those laws or rules. In the absence of laws or rules protecting privacy, a company would need to satisfy seven privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.