Ensuring Compliance with the European Union’s Data Protection Directive
A conference hosted by the U.S. Department of Commerce and cosponsored by the European Commission and the Article 29 Working Party on Data Protection examined the implementation of the U.S.–European Union Safe Harbor Framework.
by Damon C. Greer
U.S. companies rely on data transfers to reap economic efficiencies in business process operations, to garner cost savings by consolidating data centers into one easily secured location, and to qualitatively improve services to global clients. On October 15 and 16, 2007, as part of an effort to facilitate the continued flow of data between the member states of the European Union (EU) and the United States, representatives from the Department of Commerce and the European Commission met in Washington, D.C., to continue a series of bilateral discussions on data transfers.
Underscoring the purpose of the gathering, Michelle O’Neill, deputy under secretary for international trade, noted in remarks to the attendees that the “evolution of information technologies has led to new business models and the increased need to exchange information among businesses and consumers, but has also presented some policy challenges … It is the tension between the legitimate uses of information and the need for appropriate privacy for individuals that motivates us all to be here today.”
The meetings allowed the two government entities, along with representatives of the U.S. business community and non-governmental organizations, to have a conversation about the European Commission’s implementation of its directive on data privacy (EU Directive 95/46/EC), the options for complying with the EU’s regulatory framework, and the performance of the Department of Commerce’s Safe Harbor program.
Commitments under the Safe Harbor Framework
The conference was a product of a bilateral commitment made by the European Commission and the United States in 2000 about the regulation of transfers of personal data from the EU to the United States. That commitment is called the U.S.–EU Safe Harbor Framework. (See sidebar “About the U.S.–EU Safe Harbor Framework.”) Under that framework, both parties agreed to hold annual consultations and information exchanges to facilitate understanding, to improve oversight, and to discuss related data protection issues and opportunities. The previous exchange occurred on October 23–24, 2006, at the European Commission’s headquarters in Brussels, Belgium.
Mix of Government and Industry Privacy Officials
The October 2007 conference in Washington, D.C., was the largest meeting ever organized by the Department of Commerce as part of its commitment to implement the Safe Harbor program. The conference featured five panels, 300 attendees, and 27 expert panelists from government, industry, and civil society. For the first time, Canada and Mexico participated on the panels, with representatives speaking on data protection and privacy in a regional context.
The conference featured panelists from the data protection authorities of Belgium, Germany, Ireland, Italy, and Spain. In addition, global privacy officials from leading companies, including General Electric, IBM, Intel, PricewaterhouseCoopers, Procter & Gamble, Schering-Plough, TransUnion, and TRUSTe, described their experiences under the EU directive, the role they play in dispute resolution, and the paths they have chosen to follow the law.
The conference’s five panels had these themes:
- Implementing the U.S.–EU Safe Harbor Framework
- Looking at global sourcing and data flows—compliance and security in the global economy
- Examining the EU’s data protection framework—12 years later
- Implementing and enforcing corporate privacy rules
- Exploring binding corporate rules and contractual clauses
Protection Is Global
The conference’s keynote speaker, Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University, noted that while “privacy is local,” protection is global. He portrayed the global canvas of networks as a maze of conflicting rules and regulatory regimes, with simultaneous global access to personal data from workstations and with mobile applications whose data storage capabilities humble the earliest personal computers’ capacities. Cate’s message on the complexities and uncertainties surrounding global data protection set the stage for a vigorous discussion on possible solutions for protecting data in a global digital setting.
2008 Conference, Certification Mark
In July 2008, the European Commission will host the next conference, which will have an expanded theme that recognizes the global nature of data protection and compliance. In addition, the Department of Commerce and the European Commission have agreed to establish ongoing exchanges on issues pertinent to privacy, data protection, and compliance. An informal group will work to foster regular communications between the EU and the United States.
The Commerce Department also plans to introduce a certification mark for companies that certify to Safe Harbor. The mark will validate companies’ compliance with the privacy principles and will show their adherence to the enforcement framework established under Safe Harbor. Its use will be valid for one year, with an annual renewal when a company recertifies.
The dialogue on the U.S.–EU Safe Harbor Framework will continue in the coming months and years. As Cate noted at the October conference, “Safe Harbor is an adolescent now at a very difficult age.” It is widely accepted that this “teenager” will reach maturity. Efforts to streamline the other options for complying with the EU directive will continue. In a world where more than 70 countries have either enacted or are planning to enact data protection regimes, the compliance challenges facing U.S. companies will only grow. The U.S.–EU Safe Harbor Framework is but one possible solution.
Damon C. Greer is an associate director in the Manufacturing and Services unit of the International Trade Administration and manages the U.S.–EU Safe Harbor Framework Program.
About the U.S.–EU Safe Harbor Framework
In 1998, the European Commission implemented EU Directive 95/46/EC, which is more commonly known as the “data protection directive.” The directive would have had a dramatic influence on cross-border flows of personally identifiable information (PII) to countries whose data protection framework did not match the directive’s provisions. It would have effectively allowed any of the EU member states’ 27 data protection authorities to halt the transfer of PII.
To prevent stoppages of business data, the Department of Commerce, the Federal Trade Commission, and the business community engaged with the European Commission to design a mechanism to permit transatlantic data flows to continue. As of 2006, more than $635 billion in transatlantic trade was at stake.
In 2000, the negotiations resulted in the issuance of an “adequacy” determination by the European Commission, which is known as the U.S.–EU Safe Harbor Framework. Safe Harbor is a voluntary, self-certification program that exempts companies from the liability they would otherwise risk, while simultaneously providing savings that would accrue from streamlining operations. U.S. organizations obtain this exemption by self-certifying that they adhere to the Safe Harbor privacy principles and will abide by the requirements for dispute resolution by a third party.
Federal oversight of the Safe Harbor process is provided under section 5 of the Federal Trade Commission Act (1914). Under this authority, the Federal Trade Commission (FTC) investigates allegations of unfair or deceptive trade practices. Although self-certification is voluntary, a company that certifies and then fails to adhere to the principles may be viewed by the FTC as engaging in a deceptive trade practice. To date, 1,300 U.S. companies have certified to Safe Harbor.
For more information about the U.S.–EU Safe Harbor Framework, visit the program’s Web site.