July 17, 2000
Mr. John Mogg
Director DG Internal Market
Office C 107-6/72
Rue de la Loi, 200
Dear Mr. Mogg:
I am pleased to provide you with several documents: 1) the "Safe Harbor Privacy Principles," issued by the U.S. Department of Commerce on July 21, 2000; 2) Frequently Asked Questions (FAQs) that supplement the Safe Harbor Principles; 3) an overview on how organizations' safe harbor commitments will be enforced in the United States; 4) a memorandum on damages available to individuals; 5) the July 14, 2000 letter from the Federal Trade Commission; and 6) the July 14, 2000 letter from the U.S. Department of Transportation.
The Department is providing these documents under its authority to foster, promote, and develop international commerce. Both the Safe Harbor Principles and the FAQs ("the Principles") are intended to serve as authoritative guidance to U.S. companies and other organizations receiving personal data from the European Union and wishing to establish a predictable basis for the continuation of such transfers. The enforcement overview and other supporting documents are intended to explain how U.S. enforcement mechanisms, based either on law and regulation or self-regulation, will satisfy the requirements of the Enforcement Principle and ensure that an organization's commitment to adhere to the Principles will be effectively enforced. The safe harbor documents of course need to be read against the U.S. legal system and its well known features, such as class actions and contingency fees, which allow consumers even with novel claims relatively ready and inexpensive access to the courts and damages were justified.
Organizations can be assured of the benefits of the safe harbor by self-certifying that they adhere to the Principles. The Department of Commerce will arrange for a list to be maintained of all organizations that self-certify their adherence to the Principles. Both the list and the notifications submitted by organizations containing information with regard to their implementation of the Principles will be made publicly available as will any proper and final adverse determination made by a U.S. enforcement body and notified to the Department of Commerce (or its designee) that a safe harbor organization has persistently failed to comply with the Principles. Where in complying with the Principles, an organization relies in whole or in part on self-regulation, its failure to comply with such self-regulation must also be actionable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts or another law or regulation prohibiting such acts.
On the basis of these documents, our expectation is that the European Commission will determine that this safe harbor framework provides adequate protection for the purposes of Article 25.1 of the Data Protection Directive and data transfers from the European Union would continue to organizations that participate in the safe harbor. As a result, adherence to the Principles on these terms will reduce the uncertainty about the impact of the "adequacy" standard on personal data transfers to such organizations from EU Member States.
On the basis of our dialogue, we understand that the Commission and Member States will use the flexibility of Article 26 and any discretion regarding enforcement to avoid disrupting data flows to U.S. organizations during the implementation phase of the safe harbor and that the situation will be reviewed in mid 2001. This will give U.S. organizations an opportunity to decide whether to enter the safe harbor and (if necessary) to update their information practices. We will encourage U.S. organizations to enter the safe harbor as soon as possible to enhance privacy protection and because participation in the safe harbor provides greater certainty that data flows will continue without interruption.
During the dialogue, you sought assurances that where the United States enacted privacy legislation providing greater privacy protection than the safe harbor, such protection should be applied to safe harbor data too, in cases where the law applied with respect to U.S. citizens only, but was silent on its applicability with respect to non-U.S. citizens. You noted that the EU Directive on Data Protection applies to all personal information processed in Europe, regardless of the individuals' citizenship or residency. I would like to confirm that we agree that privacy legislation should not apply differently on the basis of nationality, as provided for in paragraph 19(e) of the OECD guidelines and paragraph 70 of the explanatory memorandum and to assure you that if such legislation were proposed in Congress, we would work within the legislative process to avoid any such effects. We will also continue our efforts, in line with our general commitment to regulatory co-operation in the context of the Transatlantic Economic Partnership, to keep you informed of legislative and other developments in the United States in the field of privacy protection of which we are aware, with particular attention to any such developments that may create allowable exceptions to the Principles. Of course, you can raise any concerns about these issues under the review arrangements provided for.
Similarly, on a number of occasions I raised with you the concerns of U.S. industry about the possible effects of the safe harbor as regards jurisdiction and applicable law. I would like to confirm that it is the U.S. intention that participation in the safe harbor does not change the status quo ante for any organization with respect to jurisdiction, applicable law and liability in the European Union. Moreover, our discussions with respect to the safe harbor have not resolved nor prejudged the questions of jurisdiction or applicable law with respect to websites. All existing rules, principles, conventions and treaties relating to international conflicts of law continue to apply and are not prejudiced in any way by the safe harbor arrangement.
Finally, the Department of Commerce will notify the Commission in advance of any proposed FAQs or revisions to existing ones.
Robert S. LaRussa, Acting