Title: The U.S.-E.U. Safe Harbor Framework: Past, Present, Future
1. The U.S.-E.U. Safe Harbor Framework: Past, Present, Future
Workshop on International Transfers of Personal Data
Centre Albert Borschette, Brussels, Belgium
October 21, 2008
- Damon Greer
- U.S. Department of Commerce
2. U.S.-EU Safe Harbor: The Past
- 28 years ago, the Organization for Economic Cooperation and Development (OECD) released its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
- 15 years later, the European Union's Data Protection Directive (95/46/EC) was issued; 3 years later, in 1998, member states were to have implemented the directive with national data protection laws
- 8 years ago, U.S. does not meet EU's adequacy requirement; U.S. Dept. of Commerce and European Commission (DG Internal Market) negotiate compromise; adequacy decision received July 26, 2000; U.S.-EU Safe Harbor Framework in force November 1, 2000
- Today, nearly 1,700 U.S. organizations certified to Safe Harbor; 310 through October 15, 2008.
3. Adequacy via the Safe Harbor
- Safe Harbor certification is voluntary representation to European business partners and European citizens that U.S. companies will comply with the Safe Harbor Framework
- Eligibility limited to entities who fall under jurisdiction of the FTC and DOT; financial services sector, insurance, telecommunications common carriers, non-profits and meat processing enterprises not eligible
- Multinationals and SMEs are certified; valid for one year and commitment must be reaffirmed annually
4. The Safe Harbor Framework: The Present
- 7 Privacy Principles
- 15 Frequently Asked Questions
- EU's Adequacy Determination
- Letters Between DoC and EC
- Letters Between FTC, DOT, and EC
- http://export.gov/safeharbor/
7. Compliance and Enforcement
- In general, enforcement takes place in the U.S. in accordance with U.S. law (Section 5 Authority under FTC Act)
- Private Sector Enforcement, which has 3 elements: verification, dispute resolution, and remedies
- Human Resources Special Case: must use EU data protection authorities for dispute resolution; follow national data protection laws with regard to HR; know about works councils
8. Compliance and Enforcement
- U.S. culture of customer service is highly effective in addressing customer complaints/concerns, perhaps more than comprehensive legislation
- Independent recourse mechanisms are required to notify DoC of a company's failure to comply with the Safe Harbor principles, and FTC has authority to take action.
- No referrals or complaints filed with the EU DPAs; TRUSTe, BBB, DMA, and others report internal complaints resolved.
9. The Article 26 Derogations
- Joining Safe Harbor is not the only means of meeting the EU Directive's requirements
- Choices include:
  - Unambiguous consent of the data subject
  - Necessary to perform contract
  - Codes of Conduct
  - Standard Contractual Clauses
  - Direct compliance/registration with EU Authorities
- http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
10. Data Protection/Privacy: The Future
- ISO's Joint Technical Committee Work on Global Privacy Standard (Committee Draft)
- ISO's JTC-1 SC 27 proposes Study Period to examine forensic processes standardization for digital evidence
- International Conference of Data Protection and Privacy Commissioners serves as liaison to ISO privacy standards development
- Standards Council of Canada convinces ISO/TMB to study creation of Technical Committee for Privacy, June 2008
11. Data Protection/Privacy: The Future (cont'd)
- EC's DG for Information Society and Media proposes draft privacy rules for RFID technologies
- Article 29 Working Party's 2008 Work Program includes standards development, e-discovery, review of regulatory framework for ecommunications within EU, search engines and new technologies with privacy implications
- For some time, concern in the EU over the use of e-discovery for massive data transfers to the U.S. either in anticipation of litigation or as a result of ongoing civil court action.
12. Transatlantic Engagement
- Continued dialogue with the European Commission: Conference on International Transfers of Personal Data, Brussels, October 2006; October 2007 in Washington, DC
- Workshop on International Transfers of Data, October 21, 2008, Centre de Conferences Albert Borschette (CCAB), Rue Froissart 36, B-1049 Brussels, Belgium: Today
- Increased Emphasis by Industry on Harmonizing Approval Process for Binding Corporate Rules; push by Art. 29 WP Chair has resulted in new BCR documents; nine member states announce mutual recognition for BCRs
13. We Self-Certify Compliance with Safe Harbor Certification Mark
15. For additional information or questions
- Damon C. Greer
- U.S. Department of Commerce
- Telephone: (202) 482-5023
- Fax: (202) 482-5522
- Email: damon.greer_at_mail.doc.gov
- http://export.gov/safeharbor/