Dear Colleagues:
The Department of Commerce has been working very closely over the last several months with the European Commission to develop clear and predictable guidance to U.S. organizations that would enable them to comply with the requirements of the European Union's Directive on Data Protection regarding personal data transfers to third countries. The Directive, which went into effect late last year, allows the transfer of personally identifiable data to third countries only if they provide an "adequate" level of privacy protection. Because the United States relies largely on a sectoral and self-regulatory, rather than legislative, approach to effective privacy protection, many U.S. organizations have been uncertain about the impact of the "adequacy" standard on personal data transfers from European Community countries to the United States.
Last Fall, the Department proposed a safe harbor for U.S. companies that choose to adhere to certain privacy principles. As we explained then, the principles are designed to serve as guidance to U.S. organizations seeking to comply with the "adequacy" requirement of the European Union Directive. Organizations within the safe harbor would have a presumption of adequacy and data transfers from the European Community to them would continue. Organizations could come into the safe harbor by self certifying that they adhere to these privacy principles. The decision to enter the safe harbor is entirely voluntary.
As a result of the safe harbor proposal, the European Union announced last Fall its intention to avoid disrupting data flows to the US so long as the US is engaged in good faith negotiations with the European Commission. That "standstill" continues in effect.
Last November, the Department issued draft principles for review and comment by interested organizations, noting that the content of the principles was of course crucial to the proposal. We received numerous written comments in response to that draft and countless additional comments and suggestions in the subsequent months through extensive discussions with interested parties. Generally, the comments we received supported the safe harbor concept, although they did raise questions about certain aspects of the principles, particularly access and onward transfer.
Because the principles are quite broad and general, the comments also raised questions about how they would be applied in specific circumstances. Our consultations also made clear that US organizations would welcome additional information on the benefits of being in the safe harbor and the procedures that would be followed when they were in the safe harbor. The comments we received have been extremely valuable, both in helping us understand how data is protected in practice and in working with the European Commission to find appropriate solutions to issues raised in our discussions.
Concurrently with our discussions with US organizations, we have had extensive discussions with the European Commission about the content and contours of the safe harbor as well as on the comments raised by US organizations. On the basis of our discussions with US organizations and the Commission, we have revised the safe harbor principles to account for your views and those of our European counterparts.
New Documents for Review and Comment
At this point, the two sides have achieved a substantial level of consensus on the content of the principles, on the content of more specific guidance (frequently asked questions or FAQs), and on the safe harbor procedures and benefits. Accordingly, we are now issuing for comment by US organizations the first tranche of documents that will comprise the relevant safe harbor documents. These include: (1) revised safe harbor principles; (2) frequently asked questions and answers (FAQs) on access; and (3) a draft European Commission document on complaint procedures for organizations within the safe harbor (and other Commission "adequacy" decisions). (These documents are also available on our web site at http://www.ita.doc.gov/ecom.) In addition to your comments on these documents, we also request your views on the weight to give the FAQs relative to the principles.
We will also be issuing within the week additional FAQs addressing certain sectoral concerns, procedural issues, and several clarifications requested during our consultations. Additional documents will be put on our website as soon as they are available for review.
All these documents are still in draft form and under negotiation with the European Commission. Points of difference between the two sides have been identified in footnotes in the text and mark those parts of the document that are most likely to be revised further. The European Commission is also providing these documents to the Member States for their review and comment.
Please note that these principles and the accompanying explanatory materials were developed solely for use by US organizations receiving personal data from the EU under the safe harbor. Consequently, they rely on references to European Union law, as for example in defining sensitive information and some of the relevant exceptions, which limit their general applicability. For that reason, adoption of the principles for other purposes may well be inappropriate.
Safe Harbor Benefits
The benefits for U.S. organizations of being in the safe harbor include:
Comments and Consultations
We hope you will take time to review and consider the draft documents and provide your views at your earliest convenience, but no later than May 10, 1999. We also plan to continue our dialogue with interested parties in the next few weeks. We hope to finalize the texts in May and to reach a final conclusion on this issue by the U.S.-E.U. Summit, which will be held June 21.
Sincerely,
Ambassador David L. Aaron
Attachments:
A: How to Submit Comments (see guidance below)
B: Draft International Safe Harbor Principles - April 19, 1999
C: Draft Frequently Asked Questions - Access - April 19, 1999
D: EC
Draft Cover Note and Description of the Procedures... - April, 19,
1999
Please submit all comments on any of the draft documents to the Department of Commerce by May 10, 1999. (Note that the deadline for comments has now been extended to Friday, May 14, 1999). We request that all comments be submitted electronically in an HTML format to the following email address: Ecommerce@ita.doc.gov. If your organization does not have the technical ability to provide comments in an HTML format, please forward them in the body of the email, or in a Word or WordPerfect format. We intend to post all comments on our website and your efforts to comply with the format request will greatly facilitate this effort.
Please note that several additional documents will be posted in the near future. We request that you check our website for those documents (http://www.ita.doc.gov/ecom).
If necessary, hard copies of comments can be mailed to the Electronic Commerce Task Force, U.S. Department of Commerce, Room 2009, 14th and Constitution Ave., NW, Washington DC 20230, or faxed to 202-501-2548.
Please direct any questions to Eric Fredell at Eric_Fredell@ita.doc.gov or 202-482-0343.