- Email: [email protected]
Aaron makes final push for safe harbour
FEATURE
Aaron Makes Final Push for Safe Harbour Wayne Madsen n 20 May 1999, Undersecretary of Commerce for International Trade, David A a r o n , briefed a group largely composed of corporate attorneys on recent negotiations between the E u r o p e a n Union a n d the U n i t e d S t a t e s on i m p l e m e n t a t i o n o f America's 'safe harbour' proposals on personal data protection. The safe harbour principals arose as a result of the enactment of the EU's Directive on Data P r o t e c t i o n on 25 O c t o b e r 1998. T h e d i r e c t i v e prohibits the transfer of personally identifiable data to third countries that do not provide an "adequate" level of privacy protection. Because the EU indicated that the United States fell into the category of an "inadequate" data protection nation and the United States maintains that it relies on a sectoral and s e l f - r e g u l a t o r y a p p r o a c h to e f f e c t i v e p r i v a c y protection, the safe harbour proposals were crafted by the Clinton administration as a means to forestall an EU data embargo on the United States.
O
The safe harbour principles foresee US companies e n t e r i n g a data p r o t e c t i o n " s a f e h a r b o u r " by self-certifying that they adhere to only a relatively few of the privacy principles contained in the EU directive. The safe harbour principles are as follows: . NOTICE: An organization must inform individuals a b o u t what t y p e s of p e r s o n a l i n f o r m a t i o n it c o l l e c t s a b o u t them, h o w it c o l l e c t s that information, the purposes for which it collects such information, the types of organizations to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language that is readily u n d e r s t o o d and made available when individuals are first asked to provide personal information to the organization.
Computer Fraud & Security September 1999 3723/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved
2. CHOICE: An organization must give individuals the opportunity to choose (opt out choice) whether and h o w p e r s o n a l
"the Europeans favoured a third
choice: the
establishment of a US government data protection with
"- ' - - a"u-m o m y
information provide is
they used
here such use unrelated to the use(s) for which they originally d i s c l o s e d it). T h e y must be p r o v i d e d with clear and conspicuous, readily available, and affordable mech-
enforcement
anisms to exercise this o p t i o n . For certain kinds of s e n s i t i v e information, such as m e d i c a l i n f o r m a t i o n , they must be given affirmative or explicit (opt in) choice. [Note: The opt-out provisions are at variance with the EU Directive, which prescribes the "opt-in" choice for all personal data covered by the directive.]
authority'''""
IF
. O N W A R D T R A N S F E R : Individuals must be given the opportunity to choose whether and the manner in which a third party uses the personal i n f o r m a t i o n they p r o v i d e (when such use is unrelated to the use(s) for which the individual originally disclosed it). When transferring personal information to third parties, an organization must require that third parties provide at least the same level of privacy protection as originally chosen by the individual. For certain kinds of sensitive i n f o r m a t i o n , such as m e d i c a l i n f o r m a t i o n , individuals must be given opt-in choice. . SECURITY: Organizations creating, maintaining, using or d i s s e m i n a t i n g r e c o r d s of p e r s o n a l information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, m i s u s e , u n a u t h o r i z e d a c c e s s or d i s c l o s u r e , alteration, or destruction. . DATA INTEGRITY: An organization must keep personal data relevant for the purposes for which it has been g a t h e r e d only, c o n s i s t e n t with the principles of notice and choice. To the extent
13
FEATURE necessary for those purposes, the data should be accurate, complete and current. 6. ACCESS: Individuals must have reasonable access to information about them, derived from nonpublic records that an organization holds and be able to c o r r e c t or amend that information
"the data protection commissioners of the UK, France and Germany have expressed support for the safe harbour principles."" "" decision-making individual.
where it is inaccurate. Reasonableness of a c c e s s depends on the nature and sensitivity of the i n f o r m a t i o n collected and its intended uses. For i n s t a n c e , access must be provided
to an individual where the i n f o r m a t i o n in question is sensitive or u s e d for s u b s t a n t i v e p u r p o s e s that a f f e c t that
. E N F O R C E M E N T : Effective privacy protection must include mechanisms for assuring compliance with the principles, recourse for individuals, and c o n s e q u e n c e s for the organization when the principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which individuals' complaints and disputes can be r e s o l v e d ; (b) s y s t e m s for v e r i f y i n g that the attestations and assertions businesses make about their p r i v a c y p r a c t i c e s are true and p r i v a c y practices have been implemented as resented; and (c) obligations to remedy problems arising out of and consequences for organizations announcing adoption of these principles and failing to comply with the principles. Sanctions must be sufficient to ensure compliance by organizations and must provide individuals the means for enforcement. Aaron said there was a clear majority of support within the U n i t e d S t a t e s for the safe h a r b o u r principles. He said no one has told him to "stop the train" on the proposals. A a r o n ' s contention was countered by representatives of the civil liberties and privacy communities. Aaron's special assistant on
14
electronic commerce, Barbara Wellbery, stated that the data protection commissioners of the UK, France and Germany have expressed support for the safe harbour principles. Aaron said that in order to streamline the process for companies to adhere to the safe harbour principles, the D e p a r t m e n t o f C o m m e r c e w o u l d p r o v i d e c o m p a n i e s with a ' b o i l e r p l a t e ' s t a t e m e n t o f s e l f - c e r t i f i c a t i o n . He also said that the Clinton administration was committed to pushing for the "longest possible transition period" for companies to implement the principles. A a r o n c o n c e d e d t h e r e w e r e still m a j o r d i s a g r e e m e n t s b e t w e e n the US and the E U ' s D i r e c t o r a t e G e n e r a l XV on e n f o r c e m e n t of the principles. Aaron said that the Europeans had two choices: (1) the establishment by US companies of self-regulatory bodies for every industry sector or (2) the European data protection authorities would have to take responsibility for enforcement. According to Aaron, the European data protection commissioners prefer the first option. He also indicated that the Europeans favoured a third c h o i c e : the establishment of a US government data protection authority with enforcement authority. The administration o p p o s e s the creation of such a body.
"Maybe the Safe Harbour Arrangement will do for international privacy what the Wassenaar Arrangement has done for international encryption use,"
Aaron said he was still pressing the Europeans on the definition of the "exceptional circumstances" under which the Europeans could cut o f f data f l o w s to the United States. Aaron also said the United States and Europe were currently operating under a "Standstill A g r e e m e n t " , by w h i c h EU m e m b e r states have committed not to pursue enforcement actions while the US and Europe are negotiating in "good faith". Aaron did warn US companies that the political arrangements
Computer Fraud & Security September 1999 3723/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved
FEATURE between the US and Europe stand to be undermined by certain privacy advocates who have signalled their intent to bring complaints cases before European judicial authorities, particularly in the UK, to test the EU directive's application vis d vis the United States• He suggested that any judicial rulings in Europe could undermine the Safe Harbour Arrangement.
to people communicating in encrypted form without the g o v e r n m e n t having a back door to snoop - s o m e t h i n g already ruled a violation of the First Amendment by two US Federal Courts. Aaron also said that the US has a differing view ' 'V e from E u r o p e o f what c o n s t i t u t e s " senslt~ reformat1 " ' O n " in databases. The EU directive is very clear on this - - sensitive information is data that reveals ethnic or racial origin, political opinions, religious or philosophical b e l i e f s or trade union m e m b e r s h i p , and data concerned with the health or sexual life of a data subject. •
Aaron stated that he hoped to wrap up negotiations with DG-XV Director John Mogg by 21 June 1999. He f o r e s e e s that the closure of negotiations will be f o l l o w e d by the s i g n a t u r e of a S a f e H a r b o u r "'Arrangement" between the EU and United States. One observer, wryly noting that Aaron was largely responsible for drafting the 1998 changes to the W a s s e n a a r A r r a n g e m e n t on e x p o r t c o n t r o l s on c r y p t o g r a p h y , said: " M a y b e the Safe H a r b o u r Arrangement will do for international privacy what the Wassenaar Arrangement has done for international encryption use." Aaron also stated that the US has held firm on implementation of the EU Directive's Article 9. That article permits data subjects to change incorrect p e r s o n a l data held on them. Aaron said he was c o n c e r n e d a b o u t the possible implications the EU directive might have on First A m e n d m e n t c o n s t i t u t i o n a l rights. "People might have the right to change a news story about themselves u n d e r such a right to correct information", c o n t e n d e d Aaron. One observer commented that Aaron's support for the First Amendment as it pertains to correction of erroneous personal data should be contrasted with his opposition
"the US has a differing view from Europe of what constitutes sensitive information"
Computer Fraud & Security September 1999 3723/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved
"that third party definition should not apply to US companies that share data with 'affiliates'."
Aaron also reported that the US has a difference with Europe over the definition of "third party" receivers of personal data. He felt that the third party definition should not apply to US companies that share data with "affiliates". Aaron said the Europeans are concerned about data transfers to potential "data havens" that are beyond the reach of any enforcement m e c h a n i s m . W e l l b e r y indicated that several US government agencies have raised objections to the EU's third party transfer prohibilions, although she declined to name the agencies. Many of the industry representatives profusely thanked Aaron for his "hard work" in hammering out the safe harbour principles with Europe. Prudential, Dun and B r a d s t r e e t , Oracle, and the S e c u r i t i e s Industries Association were among the many corporate interests represented at the briefing.
15
Aaron Makes Final Push for Safe Harbour Wayne Madsen n 20 May 1999, Undersecretary of Commerce for International Trade, David A a r o n , briefed a group largely composed of corporate attorneys on recent negotiations between the E u r o p e a n Union a n d the U n i t e d S t a t e s on i m p l e m e n t a t i o n o f America's 'safe harbour' proposals on personal data protection. The safe harbour principals arose as a result of the enactment of the EU's Directive on Data P r o t e c t i o n on 25 O c t o b e r 1998. T h e d i r e c t i v e prohibits the transfer of personally identifiable data to third countries that do not provide an "adequate" level of privacy protection. Because the EU indicated that the United States fell into the category of an "inadequate" data protection nation and the United States maintains that it relies on a sectoral and s e l f - r e g u l a t o r y a p p r o a c h to e f f e c t i v e p r i v a c y protection, the safe harbour proposals were crafted by the Clinton administration as a means to forestall an EU data embargo on the United States.
O
The safe harbour principles foresee US companies e n t e r i n g a data p r o t e c t i o n " s a f e h a r b o u r " by self-certifying that they adhere to only a relatively few of the privacy principles contained in the EU directive. The safe harbour principles are as follows: . NOTICE: An organization must inform individuals a b o u t what t y p e s of p e r s o n a l i n f o r m a t i o n it c o l l e c t s a b o u t them, h o w it c o l l e c t s that information, the purposes for which it collects such information, the types of organizations to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language that is readily u n d e r s t o o d and made available when individuals are first asked to provide personal information to the organization.
Computer Fraud & Security September 1999 3723/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved
2. CHOICE: An organization must give individuals the opportunity to choose (opt out choice) whether and h o w p e r s o n a l
"the Europeans favoured a third
choice: the
establishment of a US government data protection with
"- ' - - a"u-m o m y
information provide is
they used
here such use unrelated to the use(s) for which they originally d i s c l o s e d it). T h e y must be p r o v i d e d with clear and conspicuous, readily available, and affordable mech-
enforcement
anisms to exercise this o p t i o n . For certain kinds of s e n s i t i v e information, such as m e d i c a l i n f o r m a t i o n , they must be given affirmative or explicit (opt in) choice. [Note: The opt-out provisions are at variance with the EU Directive, which prescribes the "opt-in" choice for all personal data covered by the directive.]
authority'''""
IF
. O N W A R D T R A N S F E R : Individuals must be given the opportunity to choose whether and the manner in which a third party uses the personal i n f o r m a t i o n they p r o v i d e (when such use is unrelated to the use(s) for which the individual originally disclosed it). When transferring personal information to third parties, an organization must require that third parties provide at least the same level of privacy protection as originally chosen by the individual. For certain kinds of sensitive i n f o r m a t i o n , such as m e d i c a l i n f o r m a t i o n , individuals must be given opt-in choice. . SECURITY: Organizations creating, maintaining, using or d i s s e m i n a t i n g r e c o r d s of p e r s o n a l information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, m i s u s e , u n a u t h o r i z e d a c c e s s or d i s c l o s u r e , alteration, or destruction. . DATA INTEGRITY: An organization must keep personal data relevant for the purposes for which it has been g a t h e r e d only, c o n s i s t e n t with the principles of notice and choice. To the extent
13
FEATURE necessary for those purposes, the data should be accurate, complete and current. 6. ACCESS: Individuals must have reasonable access to information about them, derived from nonpublic records that an organization holds and be able to c o r r e c t or amend that information
"the data protection commissioners of the UK, France and Germany have expressed support for the safe harbour principles."" "" decision-making individual.
where it is inaccurate. Reasonableness of a c c e s s depends on the nature and sensitivity of the i n f o r m a t i o n collected and its intended uses. For i n s t a n c e , access must be provided
to an individual where the i n f o r m a t i o n in question is sensitive or u s e d for s u b s t a n t i v e p u r p o s e s that a f f e c t that
. E N F O R C E M E N T : Effective privacy protection must include mechanisms for assuring compliance with the principles, recourse for individuals, and c o n s e q u e n c e s for the organization when the principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which individuals' complaints and disputes can be r e s o l v e d ; (b) s y s t e m s for v e r i f y i n g that the attestations and assertions businesses make about their p r i v a c y p r a c t i c e s are true and p r i v a c y practices have been implemented as resented; and (c) obligations to remedy problems arising out of and consequences for organizations announcing adoption of these principles and failing to comply with the principles. Sanctions must be sufficient to ensure compliance by organizations and must provide individuals the means for enforcement. Aaron said there was a clear majority of support within the U n i t e d S t a t e s for the safe h a r b o u r principles. He said no one has told him to "stop the train" on the proposals. A a r o n ' s contention was countered by representatives of the civil liberties and privacy communities. Aaron's special assistant on
14
electronic commerce, Barbara Wellbery, stated that the data protection commissioners of the UK, France and Germany have expressed support for the safe harbour principles. Aaron said that in order to streamline the process for companies to adhere to the safe harbour principles, the D e p a r t m e n t o f C o m m e r c e w o u l d p r o v i d e c o m p a n i e s with a ' b o i l e r p l a t e ' s t a t e m e n t o f s e l f - c e r t i f i c a t i o n . He also said that the Clinton administration was committed to pushing for the "longest possible transition period" for companies to implement the principles. A a r o n c o n c e d e d t h e r e w e r e still m a j o r d i s a g r e e m e n t s b e t w e e n the US and the E U ' s D i r e c t o r a t e G e n e r a l XV on e n f o r c e m e n t of the principles. Aaron said that the Europeans had two choices: (1) the establishment by US companies of self-regulatory bodies for every industry sector or (2) the European data protection authorities would have to take responsibility for enforcement. According to Aaron, the European data protection commissioners prefer the first option. He also indicated that the Europeans favoured a third c h o i c e : the establishment of a US government data protection authority with enforcement authority. The administration o p p o s e s the creation of such a body.
"Maybe the Safe Harbour Arrangement will do for international privacy what the Wassenaar Arrangement has done for international encryption use,"
Aaron said he was still pressing the Europeans on the definition of the "exceptional circumstances" under which the Europeans could cut o f f data f l o w s to the United States. Aaron also said the United States and Europe were currently operating under a "Standstill A g r e e m e n t " , by w h i c h EU m e m b e r states have committed not to pursue enforcement actions while the US and Europe are negotiating in "good faith". Aaron did warn US companies that the political arrangements
Computer Fraud & Security September 1999 3723/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved
FEATURE between the US and Europe stand to be undermined by certain privacy advocates who have signalled their intent to bring complaints cases before European judicial authorities, particularly in the UK, to test the EU directive's application vis d vis the United States• He suggested that any judicial rulings in Europe could undermine the Safe Harbour Arrangement.
to people communicating in encrypted form without the g o v e r n m e n t having a back door to snoop - s o m e t h i n g already ruled a violation of the First Amendment by two US Federal Courts. Aaron also said that the US has a differing view ' 'V e from E u r o p e o f what c o n s t i t u t e s " senslt~ reformat1 " ' O n " in databases. The EU directive is very clear on this - - sensitive information is data that reveals ethnic or racial origin, political opinions, religious or philosophical b e l i e f s or trade union m e m b e r s h i p , and data concerned with the health or sexual life of a data subject. •
Aaron stated that he hoped to wrap up negotiations with DG-XV Director John Mogg by 21 June 1999. He f o r e s e e s that the closure of negotiations will be f o l l o w e d by the s i g n a t u r e of a S a f e H a r b o u r "'Arrangement" between the EU and United States. One observer, wryly noting that Aaron was largely responsible for drafting the 1998 changes to the W a s s e n a a r A r r a n g e m e n t on e x p o r t c o n t r o l s on c r y p t o g r a p h y , said: " M a y b e the Safe H a r b o u r Arrangement will do for international privacy what the Wassenaar Arrangement has done for international encryption use." Aaron also stated that the US has held firm on implementation of the EU Directive's Article 9. That article permits data subjects to change incorrect p e r s o n a l data held on them. Aaron said he was c o n c e r n e d a b o u t the possible implications the EU directive might have on First A m e n d m e n t c o n s t i t u t i o n a l rights. "People might have the right to change a news story about themselves u n d e r such a right to correct information", c o n t e n d e d Aaron. One observer commented that Aaron's support for the First Amendment as it pertains to correction of erroneous personal data should be contrasted with his opposition
"the US has a differing view from Europe of what constitutes sensitive information"
Computer Fraud & Security September 1999 3723/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved
"that third party definition should not apply to US companies that share data with 'affiliates'."
Aaron also reported that the US has a difference with Europe over the definition of "third party" receivers of personal data. He felt that the third party definition should not apply to US companies that share data with "affiliates". Aaron said the Europeans are concerned about data transfers to potential "data havens" that are beyond the reach of any enforcement m e c h a n i s m . W e l l b e r y indicated that several US government agencies have raised objections to the EU's third party transfer prohibilions, although she declined to name the agencies. Many of the industry representatives profusely thanked Aaron for his "hard work" in hammering out the safe harbour principles with Europe. Prudential, Dun and B r a d s t r e e t , Oracle, and the S e c u r i t i e s Industries Association were among the many corporate interests represented at the briefing.
15