ARTICLE
15 October 2001

Commentaries Jones Day - The United States-European Union Safe Harbor Agreement

Jones Day

Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.

Amidst the confusion over privacy laws in the United States (or the lack thereof), it's not surprising that waters are murky on the international front as well. In October 1998, the European Union Directive on Data Privacy (the "Privacy Directive") went into effect. The Directive sets forth standards for protecting personal data in Europe that are far more stringent than existing standards in the United States. For U.S.-based companies serving global markets, however, Article 25 of the Directive is the clincher — it provides that all EU member states must implement national laws that forbid the transfer of personal data into any non-EU country that does not meet the EU "adequacy" standard for privacy protection. Because the laws of the United States do not meet the EU's "adequacy" standard, the Directive, at least in principle, would prohibit the transfer of personal information from Europe into the United States.

The stakes are enormous. The U.S. Department of Commerce recently estimated that annual trans-Atlantic transactions worth more than $120 billion are dependent on access to personal data subject to the Directive. To avert the economic and legal international quagmire that the Directive portends, various departments of the United States government have been negotiating with the EU Commission to create "frameworks" that would permit the transfer of personal data into the United States. Last summer, the Commerce Department and the Transportation Department negotiated such a "safe harbor" framework that U.S. companies under their jurisdiction can choose to "join." The Commerce Department's "Safe Harbor," approved by the EU in July 2000, is actually an amalgamation of several documents maintained on a Commerce Department Web site. Joining the Safe Harbor is completely voluntary, but there are important benefits for U.S. organizations that choose to sign up. Under the agreement, all 15 EU member states are bound by the European Commission's finding of "adequacy," which means that companies that "join" the Safe Harbor are protected from interruptions to their data flows by European authorities and that privacy claims against those companies by European citizens generally will be heard in the United States. But, at what price? That's the question that makes these waters so murky, causing many companies to adopt a "wait-and-see" approach. The Safe Harbor opened its gates on November 1, 2000, but, after more than four months of operation, a mere two dozen companies had signed up.

So,why has the Safe Harbor remained so empty, and what does this initial reluctance by others mean for your company?

What You Should Know About the European Union Privacy Directive

In general, an EU directive is a set of minimum legal standards in a given field of law that requires each EU Member State to implement its own national laws that meet those standards, while leaving each EU Member State a margin of choice in implementation. Once the European Commission adopts a directive, each Member State is given a specific period of time to adopt national laws at least as stringent as those set forth in the directive. The Privacy Directive is a set of rules to protect individual privacy by requiring stringent rules for the "processing of personal information." Because the Directive is a minimum standard for Member States' laws, specific privacy rules vary among the different Member States.

Although the Privacy Directive is a "minimum" standard for the laws of EU Member States, its scope is very broad. "Personal" information includes all information relating to an identifiable natural person. The Privacy Directive applies to both online and offline "processing" of data, which includes virtually any operation involving personal information, with very limited exceptions. Such processing, for example, can include a company's database of information about actual and potential customers, suppliers, or employees. Thus, it is likely that if your company collects any information from a European subject, it is "processing personal information" within the meaning of the Directive and of the EU Member States' national laws.

What You Should Know About the Safe Harbor

The Safe Harbor is not a national law in any country but, rather, a bilateral agreement to cooperate between the United States and the EU. The EU and its Member States promise that they will not interrupt data flow to any U.S. company that joins the Safe Harbor. The United States, on the other hand, via the Commerce Department, promises to punish any company that joins the Safe Harbor and subsequently fails to protect adequately the data that has been transferred to it from within the EU. Thus, the purpose of the Safe Harbor is to allow continued flow of data from the EU into the United States, in the absence of "adequate" (as defined by the Privacy Directive) federal privacy laws in the United States.

By joining the Safe Harbor, a company is essentially promising to protect personal information received from the EU to the degree required by the Privacy Directive, even though no United States law requires such protection. More specifically, it is promising to abide by the seven "Principles" set forth in the Safe Harbor, which mirror the stringent data protection requirements of the Privacy Directive (although the Principles are slightly less stringent than the Directive). Briefly, the Safe Harbor Principles require a company that joins (or "certifies") to provide:

Notice: The company must notify individuals about the purposes for which it collects and uses information about them, the procedures for submitting inquiries and complaints, anticipated disclosures of the information, and the choices offered to the individuals for limiting such disclosures.

Choice: The company must provide the opportunity for individuals to opt out of (or say no to) the use of personal information in at least two situations: 1) disclosures of personal information to third parties and 2) use of personal information for a purpose that is "incompatible" with the purpose for which it was originally collected. In addition, certain sensitive information may not be shared with a third party, or disclosed for a purpose other than the purpose for which the information was collected, without affirmative, opt-in consent.

Onward transfer: The company may not transfer data to a third party that it knows or should know would process the data in a way that is inconsistent with the Safe Harbor Principles.

Access: To the extent the company retains information, individuals must be able to access personal information about them, and correct it or delete it when it is inaccurate, except when the burden on the company to provide such access is unreasonable.

Security: The company must protect data from loss, misuse, unauthorized access, disclosure, alteration, or destruction.

Data integrity: The company must take steps to ensure the data is reliable and accurate.

Enforcement: The company must implement "available and affordable independent recourse mechanisms" to investigate and resolve individual complaints, including the award of damages in appropriate cases.

Participating in the Safe Harbor

There are three requirements for participating in the Safe Harbor: comply, register, and renew.

The first step, compliance with the seven Safe Harbor Principles, is the most burdensome. At present, however, there are at least two industry self-regulatory programs, Trust-e and BBBOnline, that provide guidelines and ongoing verification of adherence to the Principles, as well as a dispute resolution mechanism that satisfies the Safe Harbor Principle of "enforcement." Companies can benefit from the services offered by these programs by signing on to their seal programs. Alternatively, a company can achieve compliance with the Safe Harbor Principles by instituting its own self-regulatory program, or by relying on sector-specific regulations, which may be available to organizations in certain industry sectors that are subject to specific bodies of law that protect privacy consistently with the Directive.

The second step, registration, is basically ministerial. The Commerce Department provides a "fill-in-the-blank" registration form at its Web site. Submitting the form is a public declaration of compliance with the Safe Harbor Principles. The organization's certification is publicized on the "Safe Harbor List," which is maintained on the agency's Web site, providing notice to the world that the organization is entitled to uninterrupted flow of data from the EU.

The final requirement for participation in the Safe Harbor is to verify annually your organization's continuing compliance with the Safe Harbor Principles. Both Trust-e and BBBOnline provide annual verification services. Companies that do not participate in these programs may base their verification of compliance upon self-assessment.

Enforcement of the Safe Harbor

In exchange for the EU's promise not to interrupt data flows to companies that join the Safe Harbor, the United States, working through the Commerce Department and the Federal Trade Commission, has promised to take action against companies that have joined the Safe Harbor but subsequently fail to abide by the Safe Harbor Principles. However, before U.S. federal authorities will step in to enforce the Safe Harbor Principles, private enforcement mechanisms must first fail. Organizations certified under the Safe Harbor are required to have procedures for verifying their own compliance with the Principles, a system for dispute resolution for investigating and resolving individual complaints, and remedies for problems arising out of a failure to comply with the Principles.

If private enforcement fails, depending on which sector the organization is in, either the Federal Trade Commission or the Department of Transportation will then provide government enforcement of the Safe Harbor Principles; failure to comply with the self-regulatory framework is actionable as unfair competition and/or a deceptive trade practice.

A gap in enforcement of the Safe Harbor exists, however, for organizations in sectors that are not subject to the jurisdiction of either the Federal Trade Commission or the Department of Transportation, such as certain financial institutions and telecommunications common carriers. As to organizations in such sectors, no mechanism of legal enforcement of the Safe Harbor exists. Talks between the EU and the U.S. are expected to close this gap in the future.

Finally, it is important to recognize that, while joining the Safe Harbor ensures that your trans-Atlantic data transfers will not be interrupted, joining the Safe Harbor does not insulate you from other penalties that may arise if your company violates the specific law of an individual Member State that goes beyond the Safe Harbor Principles. Thus, for example, if your company is found to violate some aspect of German privacy law, and German law provides some additional penalty, such as a fine, for violation of that law, your company would be subject to those fines if jurisdiction of Germany's courts over your company could be established. Again, because EU directives provide minimum legal standards, individual Member States are free to implement stricter laws, and joining the Safe Harbor is not insurance against laws that go beyond the minimum requirements of the Privacy Directive. The only "safety" your company gets from joining the Safe Harbor is that if you comply with the Safe Harbor Principles, no EU Member State will interrupt data transfers from the EU to your company.

Weighing the Benefits and Risks of Joining the Safe Harbor

The primary benefit of joining the Safe Harbor is that all 15 EU Member States are bound to permit data transfers to your company for as long as your company certifies that it is in compliance with the Safe Harbor Principles. Alternative methods provided in the Safe Harbor for gaining this assurance, such as by entering into private agreements with individual EU Member States, are projected to be much more costly and time consuming for the majority of U.S. organizations. Especially for small or medium-sized enterprises that rely on data from more than one EU Member State, the automatic "adequacy" presumption of the Safe Harbor provides the simplest and cheapest way of protecting data flow from the EU.

On the other hand, there are essentially two cons associated with joining. First, certifying for the Safe Harbor subjects your company to potential liability for unfair trade practices, a liability risk that would not otherwise exist. Just how vigorous the Federal Trade Commission will be in enforcing the Safe Harbor Principles against certified organizations remains to be seen. In weighing risks and benefits of joining, however, it should be remembered that the first level of enforcement is private, not government, enforcement. Thus, it is unlikely that your company will be ambushed by the government as a result of joining the Safe Harbor.

The second con associated with joining the Safe Harbor is the cost associated with compliance. For most organizations, the largest cost is due to the requirement that all individuals be able to access and change their personal data. If, however, your company is already certified with one of the self-regulatory seal programs, compliance with the Safe Harbor might not involve a significant additional expenditure.

If your company is greatly dependent on data flow from Europe (taking into account personal data collected both online and offline), the real question might be, can you afford not to join the Safe Harbor? At present, this is a difficult question to answer because it is unclear how vigorous EU privacy commissioners will be in interrupting data flow to non-certified U.S. organizations. Without joining the Safe Harbor (and assuming your company is not within one of the Safe Harbor's narrow exceptions), your company runs the risk that European authorities will suddenly halt transfer of data. Because most EU Member States have already implemented laws in accordance with the Privacy Directive, and because U.S. laws are not deemed to provide "adequate" protection of data, transfer halts could occur at any time, even today. Until the first real test-battle occurs between an EU authority and a U.S. organization, however, this risk is difficult to measure. From a technical standpoint, ceasing data flow is not easy, though also not impossible. In addition, at least theoretically, halts in transfer to the U.S. should be limited until at least mid-2001 due to a political "standstill" agreement that remains in effect until that time. According to officials at the European Commission, the standstill implies that the privacy commissioners of EU Member States will demonstrate leniency in enforcement of data protection laws against U.S. organizations, while the effectiveness of the Safe Harbor during this standstill is evaluated. Despite the supposed standstill, however, in at least two instances, Sweden and France have already refused to permit data transfers to the United States.

The reluctance of other EU Member States to halt transfers, thus far, is probably the reason most U.S. companies have maintained a wait-and-see approach to joining the Safe Harbor. At least until enforcement questions begin to be answered by EU officials, and also by the U.S. Department of Commerce and Federal Trade Commission, it may be that the Safe Harbor will remain a lonely harbor.

Further Information

This Technology Commentaries is a publication of Jones, Day, Reavis & Pogue and should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general informational purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at its discretion. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship.
