The U.S.-E.U. Safe Harbor Framework: Past, Present, Future

Transcript and Presenter's Notes

1
The U.S.-E.U. Safe Harbor Framework
Past, Present, Future
Workshop on International Transfers of Personal Data
Centre Albert Borschette, Brussels, Belgium
October 21, 2008
  • Damon Greer
  • U.S. Department of Commerce

2
U.S.-EU Safe Harbor: The Past
  • 28 years ago, the Organization for Economic
    Cooperation and Development (OECD) released its
    Guidelines on the Protection of Privacy and
    Transborder Flows of Personal Data
  • 15 years later, European Union's Data Protection
    Directive (95/46/EC) was issued; 3 years later,
    in 1998, member states were to have implemented
    the directive with national data protection laws
  • 8 years ago, U.S. does not meet EU's adequacy
    requirement; U.S. Dept. of Commerce and European
    Commission (DG Internal Market) negotiate
    compromise; Adequacy decision received July 26,
    2000; U.S.-EU Safe Harbor Framework in force
    November 1, 2000
  • Today, nearly 1,700 U.S. organizations certified
    to Safe Harbor; 310 through October 15, 2008.

3
Adequacy via the Safe Harbor
  • Safe Harbor certification is a voluntary
    representation to European business partners and
    European citizens that U.S. companies will comply
    with the Safe Harbor Framework
  • Eligibility limited to entities who fall under
    jurisdiction of the FTC and DOT; financial
    services sector, insurance, telecommunications
    common carriers, non-profits and meat processing
    enterprises not eligible
  • Multinationals and SMEs are certified; valid for
    one year, and commitment must be reaffirmed
    annually

4
The Safe Harbor Framework: The Present
  • 7 Privacy Principles
  • 15 Frequently Asked Questions
  • EU's Adequacy Determination
  • Letters Between DoC and EC
  • Letters Between FTC, DOT, and EC
  • http://export.gov/safeharbor/

7
Compliance & Enforcement
  • In general, enforcement takes place in the U.S.
    in accordance with U.S. law (Section 5 Authority
    under FTC Act)
  • Private Sector Enforcement, which has 3 elements:
    verification, dispute resolution, and remedies
  • Human Resources: Special Case. Must use EU
    data protection authorities for dispute
    resolution; follow national data protection laws
    with regard to HR; know about works councils

8
Compliance & Enforcement
  • U.S. culture of customer service is highly
    effective in addressing customer
    complaints/concerns, perhaps more than
    comprehensive legislation
  • Independent recourse mechanisms are required to
    notify DoC of a company's failure to comply with
    the Safe Harbor principles, and FTC has authority
    to take action.
  • No referrals or complaints filed with the EU
    DPAs; TRUSTe, BBB, DMA, and others report
    internal complaints resolved.

9
The Article 26 Derogations
  • Joining Safe Harbor is not the only means of
    meeting the EU Directive's requirements
  • Choices include:
      • Unambiguous consent of the data subject
      • Necessary to perform contract
      • Codes of Conduct
      • Standard Contractual Clauses
      • Direct compliance/registration with EU
        Authorities
  • http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

10
Data Protection/Privacy: The Future
  • ISO's Joint Technical Committee Work on Global
    Privacy Standard (Committee Draft)
  • ISO's JTC-1 SC 27 Proposes Study Period to
    examine forensic processes standardization for
    digital evidence
  • International Conference of Data Protection and
    Privacy Commissioners serves as liaison to ISO
    privacy standards development
  • Standards Council of Canada convinces ISO/TMB to
    study creation of Technical Committee for Privacy,
    June 2008

11
Data Protection/Privacy: The Future (cont'd)
  • EC's DG for Information Society and Media
    proposes draft privacy rules for RFID technologies
  • Article 29 Working Party's 2008 Work Program
    includes standards development, e-discovery,
    review of regulatory framework for ecommunications
    within EU, search engines and new technologies
    with privacy implications
  • For some time, concern in the EU over the use
    of e-discovery for massive data transfers to the
    U.S., either in anticipation of litigation or as
    a result of ongoing civil court action.

12
Transatlantic Engagement
  • Continued dialogue with the European Commission:
    Conference on International Transfers of Personal
    Data, Brussels, October 2006; October 2007 in
    Washington, DC
  • Workshop on International Transfers of Data,
    October 21, 2008, Centre de Conferences Albert
    Borschette (CCAB), Rue Froissart 36, B-1049
    Brussels, Belgium (today)
  • Increased Emphasis by Industry on Harmonizing
    Approval Process for Binding Corporate Rules;
    push by Art. 29 WP Chair has resulted in new BCR
    documents; nine member states announce mutual
    recognition for BCRs

13
We Self-Certify Compliance with
Safe Harbor Certification Mark
15
For additional information or questions:
  • Damon C. Greer
  • U.S. Department of Commerce
  • Telephone: (202) 482-5023
  • Fax: (202) 482-5522
  • Email: damon.greer_at_mail.doc.gov
  • http://export.gov/safeharbor/
