- The Washington Times - Sunday, April 16, 2000

Back in the 1970s there was a popular leisure suit ensemble known as the "Full Cleveland." In the so-called "safe harbor" agreement with the European Union under the EU's Privacy Directive, announced March 17 by the Clinton administration, the administration has just outfitted us in the "Full Brussels." And, as American business in Cleveland and elsewhere soon will learn, it is a straitjacket.

The agreement follows more than two years of negotiations for a safe harbor to protect U.S. firms from sanctions imposed by the EU for failure to live up to the Directive. In the absence of a safe harbor, Article 29 of the directive authorizes privacy commissioners in each EU country to stop data flows to U.S. firms that do not provide "adequate protection" for data relating to persons in the EU. Technically, the agreement is not a legally binding international agreement but only "guidance" to U.S. companies on how they can comply with the EU directive and avoid enforcement by EU privacy commissioners. From the EU side, the formalities are more complex. The agreement must be ratified by several committees and a vote of the EU members. The first critical EU vote occurred March 30 and endorsed proceeding with the agreement.

To qualify for safe harbor, a U.S. company has the option of participating in a self-regulatory organization or implementing a privacy policy, and self-certifying to the Commerce Department annually that it qualifies, backed up by enforcement by the U.S. Federal Trade Commission for "unfair or deceptive trade practices" if it does not live up to the standards it implements. Alternatively, it can enter into EU-approved contracts directly with the entities in the EU that transfer data to the U.S. or submit to the jurisdiction of the EU privacy commissioners. No matter which option it selects, the U.S. company must adopt the privacy protections of the EU directive.

The directive's privacy standards go far beyond any that have ever applied in the United States. They include:

(A) Notice requirements by which a U.S. company must inform individuals about the purposes for which it collects and uses personal data.

(B) Disclosure of the types of third parties to which it will disclose the information.

(C) An opportunity to opt out of transfers of personal data to third parties for uses that are incompatible with the purpose for which the data was originally collected (more onerous "opt-in" requirements apply to so-called "sensitive information" governing medical or health conditions, racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership or sex life).

(D) "Reasonable precautions" to protect personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction.

(E) "Reasonable steps" to ensure that data are "reliable, accurate, complete and current."

Some of the more controversial requirements govern "access" rights: Individuals must be given access to their personal information in order to correct, amend or delete it. Finally, there must be meaningful enforcement against the company when it does not follow the above principles.

Examples of how these standards have played out thus far in Europe are illuminating:

(1) France has refused to allow a North American cosmetics multinational to transfer employee names to Belgium for salary processing unless they were coded.

(2) Sweden has prohibited an airline reservations system from processing information about requests for kosher meals and wheelchairs on airline flights.

(3) French telecommunications operators are not allowed to tell operators in another country the identity of a calling party.

(4) Sweden has refused to allow transfer to Italian authorities of a list of Italian permanent residents of Sweden for purposes of issuing passports.

(5) France has required contractual guarantees of adherence to French law for the transfer of Mormon genealogical records to Utah.

The burden of complying with these EU standards could be a rude surprise to any U.S. company that receives personal data from Europe, such as a U.S.-based website accessed by a European resident or a multinational processing European personnel records.

At a minimum, the directive may require appointment of a full-time privacy compliance officer and implementation of extensive software screening procedures to identify, segregate and separately process European-origin data. How this will affect the cost of doing business or whether it is even technologically feasible are open questions. And yet the "agreement" already appears to be in place.

Beyond compliance, there are broader concerns about the safe harbor agreement.

• First, no agreement was reached on financial services, which are subject to further discussion and to a continued "standstill" on enforcement by the EU for an unspecified period. The EU has taken the view that the recently passed Financial Services Modernization Act is not adequate as a safe harbor. Senate Banking Committee Chairman Phil Gramm, Texas Republican, has expressed concern to the commerce secretary about the treatment of financial institutions under the safe harbor agreement and has called for congressional consultations.

• Second, related to this point, some critics have questioned the appropriateness of a de facto imposition of EU privacy standards in the U.S. at the same time the Congress and states are considering privacy measures. Timed to coincide with the imminent release by the Clinton administration of its own privacy legislative proposals, which are likely to track those of the EU, the agreement is viewed by some as a none-too-subtle effort to influence or even pre-empt the deliberative process of U.S. elected legislators. This approach is particularly questionable in light of a recent bipartisan proposal in Congress to create a Privacy Protection Commission to study privacy issues for 18 months and then recommend legislation to Congress, in other words, to go slow.

• Third, safe harbor is not the only path the administration could have pursued. Under Article 13 of the directive, EU member states can avoid full application of the directive for a variety of "national" reasons, including national security, criminal enforcement, "important economic or financial interests" and regulatory functions.

The administration has adopted the directive for the United States without any of these derogations that would allow an EU member state to implement less-than-full standards (indeed, the European Commission is in the process of suing six EU states for their failure to comply with the directive at all).

For the United States at least to consider other approaches is relevant because the EU also stands to lose economically if it cuts off its data flows to the U.S. In addition, the EU needs the agreement with the U.S. for leverage in order to reach accommodations with other areas that do not provide "adequate protection" of data, such as Latin America and the Middle East, not to mention major data processing centers like Japan and India. Surely, the United States has some bargaining power on this issue.

• Fourth, the safe harbor agreement raises questions under the First Amendment. In one of its Frequently Asked Questions (FAQs) explaining the agreement, the Commerce Department acknowledges that the agreement does not override First Amendment rights for journalists. But what about other Americans?

• Fifth, safe harbor protects only against enforcement actions by EU data commissioners. It provides no protection from private citizen suits, which the directive also authorizes. It therefore is a flawed agreement.

In short, the safe harbor agreement with the EU is one "Full Brussels" that does not wear well on the U.S. body politic.



Thomas E. Crocker is a partner in the law firm of Alston & Bird.
