Privacy guide

safe harbours


This page looks at 'Safe Harbors' - bilateral or multilateral arrangements for reconciling differing national data protection regimes - with particular attention to the arrangement between the US and the EU.

stormy seas

As we highlighted on earlier pages of this guide, perceptions about privacy and the shape of national privacy legislation vary widely. Although the OECD guidelines offer an invaluable statement of principle, there's no overarching global agreement about data collection and handling. For example, there's no equivalent to the Berne Convention, TRIPS Agreement and WIPO treaties discussed in our Intellectual Property guide.

Safe Harbor agreements - notably that between the US and EU - provide one mechanism for reconciling differing national practice. In essence, the US-EU arrangement concluded in 2000 lets US businesses self-certify that they follow a set of privacy principles, so that personal data can continue to flow to them from the EU without interruption and without enforcement action by European authorities under European privacy laws.

Certification is meant to assure that an individual business (irrespective of whether US legislation requires it) provides 'adequate' protection in terms of the EU Data Protection Directive, which otherwise restricts transfers of personal data to countries lacking such protection.

We'll be discussing such agreements in the near future. In the interim an introduction is provided by

the US Commerce Department's Safe Harbor site

the February 2002 European Commission staff paper (PDF) about implementation of the agreement

the Commission's 2000 Decision (PDF) on the Agreement and Opinion on the level of protection provided by the 'Safe Harbor Principles'

None of Your Business: World Data Flows, Electronic Commerce & the European Privacy Directive (Washington: Brookings, 1998) by Peter Swire & Robert Litan

proceedings (PDF) from the 1998 Protecting Privacy: The Transatlantic Debate Over Data Protection conference

Swire's 1998 paper Of Elephants, Mice, and Privacy: International Choice of Law & the Internet

Joel Reidenberg's 2000 Resolving Conflicting International Data Privacy Rules in Cyberspace (PDF) and 2001 Ecommerce and Trans-Atlantic Privacy (PDF)

and beyond the harbour

Some advocates have called for a broader framework, based on the OECD guidelines. The US Commerce Department, for example, proposed the following International Safe Harbor Privacy Principles in 1999.

1. Notice An organization must inform individuals about the purposes for which it collects information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or discloses it to a third party.

2. Choice An organization must offer individuals the opportunity to choose (opt out) whether and how personal information they provide is used or disclosed to third parties (where such use is incompatible with the purpose for which it was originally collected or with any other purpose disclosed to the individual in a notice). They must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise this option. For sensitive information, such as medical and health information, information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information concerning the sex life of the individual they must be given affirmative or explicit (opt in) choice.

3. Onward Transfer An organization may only disclose personal information to third parties consistent with the principles of notice and choice. Where an organization has not provided choice because a use is compatible with the purpose for which the data was originally collected or which was disclosed in a notice and the organization wishes to transfer the data to a third party, it may do so if it first either ascertains that the third party subscribes to the safe harbor principles or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant safe harbor principles.

4. Security Organizations creating, maintaining, using or disseminating personal information must take reasonable measures to assure its reliability for its intended use and reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

5. Data Integrity Consistent with these principles, an organization may only process personal information relevant to the purposes for which it has been gathered. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is accurate, complete, and current.

6. Access Individuals must have [reasonable] access to personal information about them that an organization holds and be able to correct or amend that information where it is inaccurate.

The reasonableness of access depends on the nature and sensitivity of the information collected, its intended use and the expense/difficulty of providing the individual with access to the information.

7. Enforcement Effective privacy protection must include mechanisms for assuring compliance with the safe harbor principles, recourse for individuals to whom the data relate affected by non-compliance with the principles, and consequences for the organization when the principles are not followed. At a minimum, such mechanisms must include

a) readily available and affordable independent recourse mechanisms by which an individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide;

b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and

c) obligations to remedy problems arising out of failure to comply with these principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.







next page: privacy statements and seals


version of April 2002