The U.S.-E.U. Safe Harbor Framework Cross Border Data Flows, Data Protection, and Privacy Damon...

The U.S.-E.U. Safe The U.S.-E.U. Safe

Harbor Harbor Framework Framework

Cross Border Data Flows, Data Cross Border Data Flows, Data

Protection, and PrivacyProtection, and Privacy

Damon GreerSafe Harbor ProgramOctober 15, 2007

2

Different Approaches to Data Privacy Different Approaches to Data Privacy Why it Why it mattersmatters

• European Union’s Data Protection Directive creates a barrier for those countries, including the U.S., that do not meet the EU’s “adequacy” requirements for data protection.

• U.S. Department of Commerce and European Commission negotiated the SAFE HARBOR to provide U.S. companies with a simple, streamlined means of complying with the adequacy requirement.

• Trans-Atlantic Trade in 2006 reached $630 billion

3

Adequacy via the Safe HarborAdequacy via the Safe Harbor

• Safe Harbor registration is a voluntary representation to European business partners and European citizens that U.S. companies will comply with the Safe Harbor framework. Administered by the DOC, enforced in the United States

by the FTC and DOT

• Currently nearly 1,300 U.S. organizations, including multinationals and SMEs.

4

7 Safe Harbor Principles (SHFIPPs)7 Safe Harbor Principles (SHFIPPs)

• NOTICENOTICE

• CHOICECHOICE

• SECURITYSECURITY

• ONWARD TRANSFERONWARD TRANSFER

• DATA INTEGRITYDATA INTEGRITY

• ACCESSACCESS

• ENFORCEMENTENFORCEMENT

5

Where to Find Safe Harbor InformationWhere to Find Safe Harbor Information

• http://export.gov/safeharbor/ website includes:

Safe Harbor List Safe Harbor Workbook Compliance Checklist/Helpful Hints Safe Harbor Documents (including

principles, FAQ’s, correspondence, etc.) Historical documents (including public

comments)

6

ComplianceCompliance & Enforcement& Enforcement

• U.S. culture of customer service is highly effective in addressing customer complaints/concerns, perhaps more than comprehensive legislation.

• Independent recourse mechanisms are required to notify DoC of a company’s failure to comply with the Safe Harbor principles, and FTC has authority to take action.

• Results: No referrals and no complaints filed with the EU DPAs. TRUSTe, BBB, DMA, and others report internal complaints

resolved!

7

Other Options for Meeting the EU Directive’s Other Options for Meeting the EU Directive’s RequirementsRequirements

• Joining Safe Harbor is not the only means of meeting the EU Directive’s requirements

• Other alternatives include:

“Unambiguous” consent Necessary to perform contract Codes of Conduct Model Contract Clauses Direct compliance/registration with EU Authorities

http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

8

Since 2000, we’ve built credibility and Since 2000, we’ve built credibility and confidence in Safe Harbor in the E.U.confidence in Safe Harbor in the E.U.

• In November 2000, there were 6 Safe Harbor companies;

• Today, we are approaching 1,300 organizations spanning industries from consumer goods to aviation;

• Average 35 new members per month;

• EU view SH as a “Best Practice” and Gold Standard for data protection.

9

Moving Forward Moving Forward — The Challenge Continues— The Challenge Continues

• Expanded dialogue with the European Commission; Conference on International Transfers of Personal Data, Brussels, October 2006

• More needs to be done by EU to harmonize Data Directive; educate data subjects; we raised this specific issue in Brussels in bilateral negotiations last fall

• Increased Emphasis by Industry on Harmonizing Approval Process for Binding Corporate Rules

10

Safe Harbor Program MembershipSafe Harbor Program Membership2000 – Oct. 20072000 – Oct. 2007

6

109

154143

204211

244

223

0

50

100

150

200

250

300

2000 2001 2002 2003 2004 2005 2006 2007

HR

Non-HR

Total

11

Safe Harbor Program – Top 20 IndustriesSafe Harbor Program – Top 20 Industries

19

19

22

24

26

28

30

41

50

50

57

58

62

65

71

87

125

209

218

279

0 50 100 150 200 250 300

General Science & Technology - (GST)

Insurance Services - (INS)

General Consumer Goods - (GCG)

Electronic Components - (ELC)

Biotechnology - (BTC)

Medical Equipment - (MED)

Computer & Peripherals - (CPT)

Health Care Services - (HCS)

Financial Services - (FNS)

Travel & Tourism Services - (TRA)

Telecommunications Services - (TES)

Drugs & Pharmaceuticals - (DRG)

Advertising Services - (ADV)

Education & Training - (EDS)

Employment Services - (EMP)

Management Consulting Services - (MCS)

General Services - (GSV)

Computer Software - (CSF)

Computer Services - (CSV)

Information Services - (INF)

12

For additional information or questionsFor additional information or questions

Contact me at:

Damon C. GreerU.S. Department of CommerceHCHB 20031401 Constitution Avenue, N.W.Washington, D. C. 20230Telephone: (202) 482-5023; Fax: (202) 482-5522Email: damon.greer@mail.doc.gov