By: David San Martin, Esq.
Hogan & Hartson, L.L.P.
Paragraph 7 of the International Safe Harbor Privacy Principles
Issued By The U.S. Department Of Commerce ("Draft").
"Organizations may wish for practical or other reasons to apply the principles to all their data processing operations, but they are only obligated to apply them to data transferred after they enter the safe harbor. To qualify for the safe harbor, organizations are not obligated to apply these principles to personal information in manually processed filing systems. Organizations wishing to benefit from the safe harbor for receiving such information from the EU must apply the principles to any such information transferred after they enter the "safe harbor.""
Comment 1. The bolded language is ambiguous as drafted.
Do the words "such information" refer to:
(i) "personal information in manually processed filing systems"?; or
(ii) data transferred after an organization enters the safe harbor? If so, does the word "data" includes "personal information in manually processed filing systems"?
Paragraph 10 of the Draft
"NOTICE: An organization must inform individuals about the purposes
for which it collects and uses information about them, how to contact the
organization with any inquiries or complaints, the types of third parties
to which it discloses the information, and the choices and means the organization
offers individuals for limiting its use and disclosure. This notice must
be provided in clear and conspicuous language when individuals are first
asked to provide personal information to the organization or as soon
thereafter as is practicable, but in any event before the organization
uses such information for a purpose other than that for which it was originally
collected or processed by the transferring organization or discloses it
for the first time to a third party(1). "
Comment 2. Notice is the most fundamental principle of the European
Union Directive on the Protection of Personal Data ("Directive"). This
notice allows consumers to make a more informed decision whether to disclose
personal information and if so, to what extent it should be disclosed,
or not to disclose personal information at all. The implementation of the
other basic principles such as choice, access and enforcement require consumer
involvement; therefore these principles are of no significance without
a meaningful notice procedure. The language bolded in the above principle
creates a loophole large enough to make the provision meaningless.
As drafted, entities could collect information from an individual without
giving such individual any notice related to the collection of information
as long as the entities provide the notice as soon thereafter as is
practicable. First, the term practicable may, (i) at times,
have a very "delayed " meaning; (ii) impose on a consumer a difficult burden
of proof in proving that the data collector did not provide notice within
the "practicable" time frame.
Second, when a consumer is not given notice of the purpose of the collection
of information prior to the consumer's disclosure, it will be extremely
difficult to prove that the data collector used the disclosed information
for a purpose other than that for which it was originally collected
(since it is possible that there was no notice and no stated purpose at
the time the data was collected).
Third, broadly defined, "purpose" allows data collectors to use the
collected information well beyond the intended transaction for which the
collected information was necessarily collected under the individual's
consent. This result will be the opposite of that mandated by Article 6-7
of the Directive, which essentially states that the identification of the
purposes for data collection means that the data not be used for other
purposes without the data individual's consent.
Therefore, this principle of notice should expressly require organizations
collecting personal information to provide a clear and meaningful notice
procedure as described herein. A meaningful notice provision should state:
(i) the identification of the entity collecting the data, (ii) the uses
for which such data is collected, and the foreseeable recipients of the
data; (iii) the type of data collected and how it is collected; (iv) whether
the disclosure of the requested data is voluntary or required, and the
consequences of refusing to provide the requested information; and (v)
the data collector's methods to ensure the confidentiality, integrity and
quality of the data (when dealing with data considered by consumers to
be sensitive, information about the steps taken by the organization collecting
data may determine whether the consumer is willing to provide such information).
Paragraph 11 of the Draft
CHOICE: An organization must offer individuals the opportunity
to choose (opt out) whether and how their personal information is (a) to
be disclosed to third parties, where disclosure is for a purpose other
than the purpose for which it was originally collected or subsequently
authorized by the individual, or (b) to be used where such use is for a
purpose that is incompatible with the purpose(s) for which it was originally
collected, or subsequently
authorized by the individual. Individuals must be provided with clear and
conspicuous, readily available, and affordable mechanisms to exercise choice.
For sensitive information, (i.e. personal information specifying medical
or health conditions, racial or ethnic origin, political opinions, religious
or philosophical beliefs, trade union membership or information specifying
the sex life of the individual) they must be given affirmative or explicit
(opt in) choice if the information is to be disclosed to a third party
or used for a purpose other than those for which it was originally
collected or subsequently authorized by the individual through the exercise
of opt in choice. In any case, an organization should treat as sensitive
any information received from a third party where the third party identifies
it as sensitive.
Comment 3. The principle as drafted allows an organization collecting
personal information to provide no opportunity to choose (whether
opt-in or opt-out) when (i) using the personal information for any purpose
as long as such purpose is not "incompatible" with the purposes for which
it was originally collected or subsequently authorized by the individual;
and (ii) the personal information is disclosed to any third party if the
disclosure is within the purpose for which it was collected or subsequently
authorized by the individuals.
As stated in comment 2 above, without a meaningful notice procedure the principles of choice, access and enforcement are fundamentally flawed.
The word "incompatible" allows for broad interpretations of its meaning, which would circumvent the intention of Articles 6 and 7 of the Directive as explained in comment 2.
The principles, pursuant to Article 10 of the Directive, should clearly
state that an individual's refusal to allow the further unrelated use of
his or her personal information, beyond that which is necessary to complete
the transaction at issue, should not form the basis for the denial of access
to the goods or services in question.
Paragraph 14 of the Draft
ONWARD TRANSFER: An organization may only disclose personal information
to third parties consistent with the principles of notice and choice. Where
an organization has not provided choice and the organization wishes
to transfer the data to a third party, it may do so if it first either
ascertains that the third party subscribes to the principles or is subject
to the Directive or another adequacy finding or enters into a written agreement
with such third party requiring that the third party provide at least the
same level of privacy protection as is required by the relevant principles.If
the organization complies with these requirements, it shall not be held
responsible(unless the organization agrees otherwise) when a
third party to which it transfers such information processes it in a way
contrary to any restrictions or representations, unless the organization
knew or should have known the third party would process it in such a contrary
way and the organization has not taken reasonable steps to prevent or stop
such processing.
Comment 4. The bolded language actually denies the already qualified
protection afforded under the above stated principle of CHOICE. The bolded
language in practice would allow an organization: (i) not to provide choice
to individuals; and (ii) to disseminate the data collected to any third
party, as long as the disseminating organization ascertains that the third
party abides by the principles or contracts to abide by such principles.
If thereafter the third party misuses the information (including sensitive
information) the disseminating organization will have no liability for
the consequences brought upon the individual by such misuse.
Paragraph 17 of the Draft
ACCESS: Individuals must have access to personal information
about them that an organization holds and be able to correct, amend,
or delete that information where it is inaccurate, except where the
burden or expense of providing access would be disproportionate to the
risks to the individual's privacy in the case in question, or where
the rights of persons other than the individual would be violated.
Comment 5. The bolded language does not set forth the allocation
of risks and benefits proportionally between data collectors and consumers.
The language should read "the burden or expense of providing access
would be disproportionate to the benefits provided by using the collected
data"
Paragraph 18 of the Draft.
ENFORCEMENT: Effective privacy protection must include
mechanisms for assuring compliance with the principles, recourse for individuals
to whom the data relate affected by non--compliance
with the principles, and consequences for the organization when the principles
are not followed. At a minimum, such mechanisms must include (a) readily
available and affordable independent recourse mechanisms by which each
individual's complaints and disputes are investigated and resolved by
reference to the principles and damages awarded where the applicable law
or private sector initiatives so provide; (b) follow up procedures for
verifying that the attestations and assertions businesses make about their
privacy practices are true and that privacy practices have been implemented
as presented; and (c) obligations to remedy problems arising out of failure
to comply with the principles by organizations announcing their adherence
to them and consequencesfor such organizations. Sanctions must be sufficiently
rigorous to ensure compliance by organizations.
1. It is not necessary to provide notice when disclosure is made to
a third party that is acting as an agent to perform task(s) on behalf of
and under the instructions of the organization. The onward transfer principle,
on the other hand, does apply to such disclosures.
Comment 6. The principles should expressly advocate for the enactment
of criminal penalties for violations to such principles. Arguably, criminal
penalties may be interpreted to be outside what is intended as judicial
remedy under Article 22-23 of the Directive. However, criminal liability
may be the only effective enforcement to prevent data collectors from intentionally
violating the principles based on benefits provided by the violation as
compared with the potential damages, if any, to be awarded for such violation.
As summarized below, the lack of meaningful enforcement relating to
data collection practices is becoming irrefutably evident in the online
environment. The mechanism chosen by governmental authorities to deal with
data privacy issues has been industry self-regulation. Such regulation
has merely been suggestive and has not ensured compliance with core fair
information practices principles. Complaints about online abuses are increasing
at a six-fold rate annually. Redress has not been readily available. Class
action lawsuits and complaints to the Federal Trade Commission have been
filed in order to slow down the frenetic pace of violations to privacy
rights afforded in the online environment. Critics claim that such impunity
is being justified in the name of purported technological leadership, which
in turn advocates for an unregulated online marketplace. This unregulated
scenario is allowing huge rewards for few a citizens while the great majority
endures a harsher environment in their pursuit of happiness.
Legislation is inevitable, unless societies want social unrest and the breakdown of their basic social fabric. Government enforcement of fair information practices in all media, by means of civil and criminal penalties, along with meaningful private remedies would create strong incentives for entities to adopt and implement fair information practices regardless of the transacting environment. Such decisive steps may help the harnessing of this evolutionary era with a minimum social breakdown.