US, Europe Reach Tentative Agreement on EU Privacy Safe Harbor

Washington, DC, April 14, 2000 - Since the fall of 1998, the US Department of Commerce and the European Commission have engaged in negotiations over a safe harbor that would protect US companies from enforcement actions under the EU Data Protection Directive. The Directive, which went into effect in October 1998, prohibits the flow of personal information from European Union member states to any recipient outside the EU that lacks adequate privacy protections. Companies complying with the terms of the safe harbor would have a "presumption of adequacy" in this regard, significantly reducing the potential that data flows to those companies would be challenged under the Directive. On March 22, the US Department of Commerce and the European Commission reached an agreement on the basic terms of the safe harbor. The agreement is subject to approval by the EU member states, which could occur prior to the June EU-US Summit. The US has asked the EC to determine separately that the regulation of privacy in the financial services industry is adequate based on the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. The two sides did not agree on the status of financial services, although they agreed to continue their discussion in that regard on a priority basis.

Determining the Terms for Safe Harbor
There are four sets of documents that will define the terms of the safe harbor:
- The international safe harbor privacy principles. The safe harbor centers on the following seven privacy principles:
- Notice. Each company in the safe harbor must provide individuals with a notice explaining the purposes for which it collects and uses information about them, how to contact it with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means that it offers individuals for limiting the use and disclosure of the information.
- Choice. Each safe harbor company must give individuals the opportunity to choose whether and how the personal information they provide is used by or disclosed to third parties. No distinction is made between affiliated and non-affiliated third parties in this regard. Negative (opt out) consent generally is sufficient, although affirmative (opt in) consent is required if the information being used or disclosed is particularly sensitive. ("Sensitive information" as defined in the Directive includes, among other things, medical information or information that would disclose a person's race or religion, but does not include financial information.)
- Onward Transfer. Each safe harbor company must require third parties who receive information to provide the same level of privacy protection for that information as the company itself provided.
- Security. Each safe harbor company must protect information from loss, misuse, or unauthorized access, disclosure, alteration or destruction.
- Data Integrity. Each safe harbor company must ensure that data is reliable for its intended use, accurate, complete and current.
- Access. Each safe harbor company must give individuals the right to view, correct, amend or delete information about them held by the company.
- Enforcement. Each safe harbor company must provide mechanisms for ensuring compliance with the other six privacy principles and the company's privacy policies.
- Frequently asked questions (FAQs). There are fifteen sets of frequently asked questions that further explain the safe harbor principles.
- Exchange of Letters. The concept of the safe harbor will be explained in a letter from Ambassador David Aaron of the Department of Commerce to John Mogg of the EC. That letter also will request that the EC make a determination that companies complying with the safe harbor have a presumption of adequacy under the directive. The reply letter from John Mogg will explain that the EC has made that finding and provide further administrative details about the safe harbor.
- Article 25.6 Decision on Adequacy. Attached to Mr. Mogg's letter will be an Article 25.6 decision by the EC. Article 25.6 gives the EC the power to determine that the data protection provided by a particular non-EU country is adequate for purposes of the directive.
At various times, the Institute has submitted formal comments on the safe harbor, either in its own capacity or as part of coalitions of financial services firms or associations. The Institute believes that the substantial privacy protections afforded to consumers of financial services by the Gramm-Leach-Bliley Act are adequate and effective and that US financial services firms should be permitted to certify compliance with the safe harbor based on compliance with that Act.
Self-Certification
As explained in FAQ #6, companies will self-certify their compliance with the safe harbor principles via a letter, signed by a corporate officer, to the Department of Commerce. The FAQ sets forth the specific information that must be contained in the letter, which includes, among other things, descriptions of the company's activities and privacy policies with respect to personal information received from the EU. The Department of Commerce will maintain a list of companies that have self-certified their compliance with the safe harbor principles. US companies may enter the safe harbor at any time, although the Department of Commerce and the EC actively encourage firms to self-certify as quickly as possible. The two sides have agreed to review adherence to the safe harbor in the middle of 2001. Until that time, the EC and the EU member states have agreed to exercise discretion regarding enforcement to avoid interruption of data flows to the US. This maintains the political standstill that has been in force since the Directive went into effect in October 1998.

Implementation
The two sides have agreed to review the self-certification process and adherence to the safe harbor by the middle of 2001. This will allow companies time to decide whether to enter the safe harbor and to implement any changes that compliance with the safe harbor may require.