The U.S.-E.U. Safe Harbor Framework: New Developments in Data Flows, Standards, & Compliance. Damon Greer, U.S. Department of Commerce, August 19, 2008


Page 1

The U.S.-E.U. Safe Harbor Framework

New Developments in Data Flows, Standards, & Compliance

Damon Greer

U.S. Department of Commerce

August 19, 2008

Page 2

Safe Harbor Review: How We Got Here

European Union’s Data Protection Directive (95/46/EC) in force 1998; Member States implement national data protection laws;

U.S. does not meet EU’s adequacy requirement; U.S. Dept. of Commerce and European Commission negotiate compromise: U.S.-EU Safe Harbor Framework; in force November 1, 2000;

Nearly 1,600 U.S. organizations certified to Safe Harbor; 240 in first six months 2008 (45 in July)

Page 3

Adequacy via the Safe Harbor

Safe Harbor certification is voluntary representation to European business partners and European citizens that U.S. companies will comply with the Safe Harbor Framework;

Eligibility limited to entities who fall under jurisdiction of the FTC and DOT – financial services sector, insurance, telecommunications common carriers, non-profits and meat processing enterprises not eligible;

Nearly 1,600 U.S. organizations, including multinationals and SMEs are certified; valid for one year and commitment must be reaffirmed annually

Page 4

The Safe Harbor Framework

• 7 Privacy Principles

• 15 Frequently Asked Questions

• EU’s Adequacy Determination

• Letters Between DoC & EC

• Letters Between FTC, DOT, and EC

• http://export.gov/safeharbor/

Page 5

Compliance & Enforcement

In general, enforcement takes place in the U.S. in accordance with U.S. law (Section 5 Authority under FTC Act);

Private Sector Enforcement which has 3 elements: verification, dispute resolution, and remedies;

Human Resources* – Special Case: Must use EU data protection authorities for dispute resolution & follow national data protection laws with regard to HR; know about works councils

Page 6

Compliance & Enforcement

U.S. culture of customer service is highly effective in addressing customer complaints/concerns, perhaps more than comprehensive legislation;

Independent recourse mechanisms are required to notify DoC of a company’s failure to comply with the Safe Harbor principles, and FTC has authority to take action.

No referrals or complaints filed with the EU DPAs; TRUSTe, BBB, DMA, and others report internal complaints resolved.

Page 7

The Article 26 Derogations

Joining Safe Harbor is not the only means of meeting the EU Directive’s requirements

Choices include:

• “Unambiguous” consent of the data subject

• Necessary to perform contract

• Codes of Conduct

• Standard Contractual Clauses

• Direct compliance/registration with EU Authorities

http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

Page 8

Developments in Data Protection/Privacy

ISO’s Joint Technical Committee Work on Global Privacy Standard (4th Working Draft);

ISO’s JTC-1 SC 27 Proposes “Study Period” to examine forensic processes’ standardization for digital evidence;

International Conference of Data Protection & Privacy Commissioners serves as liaison to ISO privacy standards development;

Standards Council of Canada convinces ISO/TMB to study creation of Technical Committee for Privacy – June 2008

Page 9

Developments in Data Protection/Privacy cont’d

EC’s DG for Information Society & Media proposes draft privacy rules for RFID technologies;

Article 29 Working Party’s 2008 Work Program includes standards development, e-discovery, review of regulatory framework for ecommunications within EU, search engines and new technologies with privacy implications;

Since autumn 2007, rising concern in the EU over the use of e-discovery for massive data transfers to U.S. either in anticipation of litigation or as a result of ongoing civil court action.

Page 10

Transatlantic Engagement

Continued dialogue with the European Commission; Conference on International Transfers of Personal Data, Brussels, October 2006; October 2007 in Washington, DC;

Workshop on International Transfers of Data, October 21, 2008, Centre de Conferences Albert Borschette (CCAB), Rue Froissart 36, B-1049 Brussels, Belgium

Increased Emphasis by Industry on Harmonizing Approval Process for Binding Corporate Rules; push by Art. 29 WP Chair has resulted in new BCR documents

Page 11

We Self-Certify Compliance with:

Safe Harbor Certification Mark

Page 12

For additional information or questions

Damon C. Greer
U.S. Department of Commerce
Telephone: (202) 482-5023
Fax: (202) 482-5522
Email: [email protected]
http://export.gov/safeharbor/