The EU-U.S. “Safe Harbor” Agreement on Personal Data Privacy

Order Code RS20823 Updated January 25, 2005 CRS Report for Congress Received through the CRS Web The EU-U.S. “Safe Harbor” Agreement on Personal Data Privacy Martin A. Weiss Analyst in International Trade and Finance Foreign Affairs, Defense, and Trade Division Summary The European Union (EU) Data Privacy Directive adopted by the European Parliament and Council on October 24, 1995 prevents EU-based organizations, public and private, from transferring personal data to countries where the legal protections for personal data are not deemed “adequate.” This Directive, intended to harmonize national European privacy policies, allowed EU member countries three years to implement the Directive. To prevent the interruption of data transfers, the U.S. Department of Commerce (DOC) negotiated the “Safe Harbor” Agreement with the EU. While the EU has recently stated that all elements of the agreement are in place, “Safe Harbor” raises many significant issues of interest to Congress. These include the extraterritorial application of EU law, non-tariff barriers, business costs, consumer protection, as well as enforcement and dispute settlement. Background1 On October 24, 1995, the European Union (EU) agreed upon Directive 95/46 EC to harmonize differing national legislation on data privacy protection.2 The Directive creates a legally binding obligation on each EU member state to implement domestic legislation conforming to a unified set of standards. It is expected to facilitate information flows within the EU, strengthen the EU’s internal market and foster the development of an information-based economy. This Directive was supplemented two years later by Directive 97/66/EC which concerned the handling and privacy of personal data in the telecommunications industry. 1 This report was originally prepared by Patricia A. Wertman, Specialist in International Trade and Finance, Foreign Affairs, Defense and Trade Division. 2 This and other official EU documents relating to data protection can be found at [http://europa.eu.int/comm/internal_market/en/dataprot/]. Congressional Research Service ˜ The Library of Congress CRS-2 On May 1, 2004, ten new Member States formally joined the European Union (EU). These nations are Cyprus, the Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia. As a result, EU legislation, including the EU Data Protection Directive (Directive 95/46/EC), as well as the adequacy finding for the U.S.-EU Safe Harbor framework, are now binding upon the new Member States. The Directive applies to all organizations, public and private, operating in the EU, including affiliates of U.S. corporations. It covers the processing of all personal data, whether done automatically or manually. There is no exception for public records, such as telephone directory listings. Only information compiled for private, personal household use is excluded. Under the Directive, data may be collected and used only for specified, explicit, and legitimate purposes. Security and accuracy must be guaranteed. Individuals have not only the right to access and the right to correct errors, but also to remedial measures and compensation, if necessary. The transfer of data to third parties may occur only under similarly strict requirements. More stringent rules apply to the processing of sensitive data, including data relating to race; ethnic origin; political, religious, or philosophical beliefs; and health status or sex life. The Directive also requires the creation of “Data Protection Agencies” (DPAs) in each of the fifteen EU member states; registration of data bases with these authorities, and, sometimes, prior DPA approval before organizations or firms may begin data processing. The transfer of personal data to any nation outside the EU that does not meet the EU test of “adequacy” with regard to privacy protection is prohibited. According to the EU, privacy protection in the United States may fail this test. The Directive, thus, potentially threatens to disrupt or, in some limited cases, even prevent the transfer of data between the EU and the United States. Rationale for the Agreement Europe and the United States have fundamentally different attitudes towards the protection of personal data. The right to privacy is a fundamental human right recognized both in the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of European Community laws. With regards to personal information, Europeans are more trusting of governments than the private sector. It follows that European governments have turned to legislation to regulate the flow of personal information. By contrast, the United States has adopted a sector-by-sector approach through a mix of legislation, regulation, and industry self-regulation, such as the federal rules applicable to medical records. Moreover, U.S. firms tend to view personal data as a valuable commercial asset rather than as an individual asset. Until recently, it had been left to the marketplace to establish privacy principles on a sector-by-sector basis. Congress has increased its involvement in the privacy area most notably with the enactment of financial privacy legislation in 1999, children’s online privacy legislation in 1998, and the consideration of online privacy legislation in the 107th Congress. To prevent the stoppage of data transfers from the EU to the U.S., the U.S. Department of Commerce (DOC) negotiated the “Safe Harbor” agreement with the EU. The agreement gained EU Commission approval in July 2000, and become operational on November 1, 2000. The DOC “Safe Harbor” website [http://www.export.gov CRS-3 /safeharbor/] provides information to U.S. organizations and makes available an up-todate list of U.S. organizations that adhere to the “Safe Harbor” principles (currently 217). The “Safe Harbor” was created to permit U.S. companies that voluntarily adhere to the principles to continue cross-border data transfers with EU member states. The principles are designed to serve as guidance to U.S. organizations seeking to comply with the “adequacy” requirement of the directive, and would provide organizations within the “Safe Harbor” a presumption of adequacy and data transfers from member states of the European Union could continue. Organizations would come into the “Safe Harbor” by self-certifying that they adhere to these privacy principles. In a February 13, 2002 working paper (SEC (2002) 196), the EU Commission noted that all elements of the “Safe Harbor” agreement are in place. Current European concerns address the level of transparency needed to discern an individual firm’s commitment to the agreement and the fact that the dispute settlement mechanisms have not been tested. Other European and domestic concerns include the vagueness of “adequacy” determination, the lack of agreement on transfer of personal information in financial services, the possible disputed legality of FTC enforcement, and the actual willingness of the FTC to prosecute US firms on behalf of the EU. Basics of the “Safe Harbor” Framework In addition to the EU Privacy Directive itself, the “Safe Harbor” framework encompasses seven basic principles, fifteen “frequently asked questions” (FAQs), the EU Commission’s “adequacy” decision, an exchange of letters between the DOC and the EU Commission, and an exchange of letters between the United States Departments of Transportation (DOT) and Federal Trade Commission (FTC) and the EU Commission . These are all available on the DOC website. The seven basic principles, in edited and abridged form, are:3 • Notice: An organization must inform individuals about the purposes for which it collects and uses information, how to contact the organization with inquiries or complaints, and the types of third parties to which it discloses the information. • Choice: An organization must offer individuals the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. For sensitive information, individuals must explicitly opt-in when personal data is to be transferred to a third party or used for a purpose other than the one for which it was originally collected or subsequently authorized. Sensitive information includes information about medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information regarding the individual’s sex life. CRS-4 • Onward Transfer: In transferring information to a third party, organizations must apply the Notice and Choice Principles. Third parties acting as agents must provide the same level of privacy protection either by subscribing to “Safe Harbor,” adhering to the Directive or another adequacy finding, or entering into a contract that specifies equivalent privacy protections. • Security: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction. • Data Integrity: Personal information must be relevant for the purposes for which it is to be used. . . . an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. • Access: Individuals must have access to the information about them that an organization holds and must be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense would disproportionate to the risks to the individual’s privacy or where the rights of others would be violated. • Enforcement: Effective privacy protection must include mechanisms for verifying compliance; readily available and affordable independent recourse mechanisms in cases of non-compliance; and consequences for the organization when the Principles are not followed. Sanctions must be rigorous enough to ensure compliance. Eligibility and Enforcement While joining “Safe Harbor” is voluntary, any organization that receives data from the EU must comply with the Privacy Directive. Participation in the “Safe Harbor”is open to any U.S. organization that is subject to regulation by the Federal Trade Commission (FTC), which enforces a variety of consumer protection laws, including those related to unfair and deceptive practices, and to United States air carriers and ticket agents that are subject to regulation by the Department of Transportation (DOT). To qualify, organizations must self-certify annually in a letter to the DOC that they adhere to the safe harbor principles. Enforcement of the “Safe Harbor” Agreement is to be undertaken both by the private sector and by federal and state authorities enforcing unfair and deceptive practices laws. Private sector enforcement has three components: verification, dispute resolution, and remedies. Persistent failure to comply will result in withdrawal of “Safe Harbor” status, a fact that will be listed on the “Safe Harbor” website, and also, potentially, by regulatory action. A cause of congressional concern is the questioned legality of FTC enforcement. During the “Safe Harbor” negotiations, the FTC guaranteed that it would investigate cases upon European request, but according to some, the FTC might not have enforcement authority.4 4 Reidenberg, Joel R. “E-Commerce and Trans-Atlantic Privacy.” Houston Law Review, Fall, 2001. pp. 719-738. CRS-5 Organizations that do not fall under the jurisdiction of the FTC and the DOT are not eligible for “Safe Harbor.” Notably, this includes U.S. financial firms and telecommunications carriers. In particular, the EU does not consider that the Fair Credit Reporting Act (P.L. 91-508; 15 U.S.C. 1681 et seq.) or the recently enacted Financial Services Modernization Act (P.L. 106-102, popularly known as the Gramm-Leach-Bliley Act) provide adequate privacy protections. As a result, negotiations between the United States and the EU to achieve an agreement covering the financial sector continue. While negotiations regarding data transfers in the financial services are still taking place, a”standstill” on any EU action against data transfers from the EU to the U.S. is in effect. The U.S. government and private financial institutions have called upon the EU to grant an “adequacy” determination to financial services firms. They argue that privacy legislation such as the Fair Credit Reporting Act, the Financial Services Modernization Act, and numerous state laws confer more than “adequate” protection of data privacy in the financial services industry.5 Issues for Congress “Safe Harbor” is clearly intended to facilitate trans-Atlantic data exchange and, hence, trans-Atlantic commerce, both on-line and off. Nevertheless, it raises a number of policy concerns that may be of interest to Congress6: • Extraterritoriality: Article 25 of the EU Directive allows for individual analysis of third-party countries that transfer personal information from Europe and gives the EU the right to halt the flow of information if they determine that the third parties do not have “adequate” privacy protection. A determination of “adequacy” can be made by any EU member. This presents two specific concerns. First, the Directive extends EU law beyond EU boundaries, not just to the US, but to any nation with which EU organizations are likely to exchange personal information. Second, some analysts are concerned that since the definition of “adequacy” is left vague, the EU and its member states, could selectively define “adequate” protection, thus using data privacy as a form of non-tariff barrier.7 • Consumer Protection: In recent years, the privacy issue has achieved heightened importance among consumers, particularly those using the Internet. Consumer advocates in Europe worry that “Safe Harbor” falls short of European data protection laws. Some Europeans are concerned whether EU citizens who feel that their privacy rights are being violated will have the right to sue in United States courts. Domestically, some are concerned that U.S. firms will be extending greater protection to Europeans than to our own citizens. The effectiveness of businessbacked self-regulatory privacy programs such as BBBOnline and TRUSTe has also 5 Yerkey, Gary G. “U.S., EU Move to Close Gap in Dispute Over Data Privacy but No Resolution in Sight.” International Trade Reporter, Vol. 19, No. 30, July 25, 2002. 6 See also, United States Library of Congress. Congressional Research Service. Electronic Commerce: An Introduction, by Glenn J. McLoughlin, CRS Report RS20426; and Internet Privacy: Overview And Pending Legislation, by Marcia S. Smith, CRS Report RL31408. 7 See Solveig Singleton, Privacy As A Trade Issue: Guidelines for United States Trade Negotiators. The Heritage Foundation. March 18, 2002. CRS-6 been questioned. Balancing consumer and business interests in a workable regulatory framework, however, might provide a competitive advantage, building consumer confidence and furthering the development of e-commerce. • Relationship to the U.S. Law: While the “Safe Harbor” framework might be seen as accommodating international realities, FTC and DOT enforcement could give “Safe Harbor” the force of law. The U.S. Congress did not participate in its formulation, but must contend with private sector concerns regarding its requirements. Moreover, in extending EU law on privacy to U.S. organizations, it affects the domestic debate on privacy issues. The EU Directive has been seen by some as a model of data privacy protection and reportedly played a role in the January 1, 2001 implementation of a new privacy law in Canada.8 Some suggest that as the Internet strengthens its global presence, and other countries, such as those in Europe, take an active position in creating standards for this new medium, the importance of U.S. standards and rules will likely diminish. • Compliance: Compliance within the EU itself is uneven. The EU Commission took legal action against six states — Denmark, France, Germany, Ireland, Luxembourg, and the Netherlands for failure to comply with the Directive. According to one source, Luxembourg has been condemned by the Court for its non-compliance. Ireland has a Bill in Parliament, but it has not been adopted yet. The cases against Denmark, France, Germany, and the Netherlands have since been dropped. • Encryption: The privacy of data in the computer age is often achieved by using encryption technology. Thus, US policy on the export of encryption technology shadows this issue. Even after the July 2000 liberalization, allowing export of encryption products of any strength to both government and private sector entities in the EU, export of encryption technology remains subject to certain controls. • Market Segmentation: The Directive may cause firms to segregate their European operations, especially their data processing, from those in the United States and elsewhere. This compliance could require expensive organizational changes. Data subject to the Directive may have to be maintained and processed separately and a series of notices and permissions are required. Affiliates and subsidiaries might be considered “third parties,”ensuing that data derived by a European subsidiary might not be transferrable to its U.S. parent. Restrictions apply as long as the data is held, that is, in perpetuity. 8 See Pritchard, Timothy. “Canada Strengthens Internet Privacy.” New York Times, December 23, 2000, p. B2.