SAFE HARBOR FRAMEWORK

Barbara S. Wellbery

Morrison & Foerster LLP

2000 Pennsylvania Avenue

Washington, DC 20006

202/887-1549

bwellbery@mofo.com

“BRIDGING OUR DIFFERENT APPROACHES TO PRIVACY WHILE MAINTAINING DATA FLOWS AND A HIGH LEVEL OF PRIVACY PROTECTION”

U.S. APPROACH TO PRIVACY PROTECTION

• Self-regulation

• Sector specific legislation

– sensitive areas, such as financial, medical, children’s, and genetic information

– where the market doesn’t work -- telecommunications, cable

EU APPROACH -- OMNIBUS LEGISLATION

European Directive on Data Protection

– Went into effect in October 1998

– Law covers all industry sectors and virtually all personal data.

VERY BROAD DEFINITION OF PERSONAL INFORMATION

• Information relating to an identified or identifiable natural person -- includes information collected about a person in his business capacity

– Employee’s name and phone extension;

– Insurance information to process medical payments; and

– Customer name and address.

WHEN MAY PERSONAL DATA BE TRANSFERRED LEGALLY TO THIRD COUNTRIES?

Personal data may be transferred to U.S. organizations (and other third countries) only if:

• There is an applicable derogation (exception) in the Directive;

• They are covered by an ‘adequacy’ determination; or

• They have a contract with the data exporter in place.

WHAT IF AN ORGANIZATION HAS NONE OF THOSE IN PLACE?

Companies in Europe may not legally transfer personal data to that organization.

BENEFITS OF THE SAFE HARBOR

• Provides predictability and continuity for U.S. organizations;

• All 15 Member States (MS) bound by EU adequacy determination;

• Data flows to US safe harbor organizations continue;

• Provides streamlined, less expensive way of providing adequacy

SAFE HARBOR BENEFITS (CON’T)

– Allows U.S. companies to apply one privacy regime to all data transferred from EU;

• Eliminates need for prior approval before transfer begins or makes such approvals automatic;

• Prevents EU authorities from targeting U.S. organizations; and

SAFE HARBOR BENEFITS (CON’T)

• For the most part, enforcement will take place in the U.S., not in Europe, and will be interpreted in accordance with U.S. law.

NEGOTIATED STANDSTILL -- POLITICAL COMMITMENT

• Not a legally binding commitment;

• It can be challenged at any time;

• Commitment continues while U.S. companies decide whether to implement the safe harbor and then do so;

• It will last at least until the first review in June 2001.

OVERVIEW OF SAFE HARBOR FRAMEWORK

7 Principles:

• Notice

• Choice

• Onward Transfer

• Access

• Security

• Data Integrity

• Enforcement

FREQUENTLY ASKED QUESTIONS AND OTHER DOCUMENTS

• 15 Frequently Asked Questions (FAQs): these provide further clarification for specific areas or sectors;

• Exchange of Letters between the U.S. and EU;

• Memoranda on Damages and Enforcement;

FREQUENTLY ASKED QUESTIONS AND OTHER DOCUMENTS (CON’T)

• Letters from DoT and FTC indicating willingness to enforce safe harbor;

• The European Commission’s Adequacy Decision; and

• Text on Non-Discriminatory Practices.

ENFORCEMENT

Organizations must have:

– Procedures for verifying that safe harbor policies have been implemented;

– A readily available and affordable independent dispute resolution mechanism, so that each individual’s complaint can be heard; and

– Obligation to remedy problems arising from failure to comply.

ENFORCEMENT (CON’T): OPTIONS FOR COMPLIANCE

Join a self-regulatory privacy program that adheres to the safe harbor privacy framework; or

Develop your own self-regulatory privacy policy that is in compliance with the safe harbor.

OPTIONS FOR COMPLIANCE (CON’T)

[Be subject to a statutory, regulatory, administrative, or other body of law that effectively protects privacy.] This is not operative at this point.

ENFORCEMENT - (CON’T)

Verification – FAQ 7

– Organizations must verify that the safe harbor framework has been fully implemented; and

– Verification documentation must be made available during the course of an investigation.

– Verification can be done through self-assessment or outside compliance review.

ENFORCEMENT (CON’T): VERIFICATION

• Self-assessment

– Must be procedures in place for regular objective compliance reviews.

– Must retain records on implementation.

– Annual self-assessment must be signed by a corporate officer.

• Outside review

– Must demonstrate EU information is being handled in compliance with the safe harbor.

– Must retain records on implementation.

– Annual compliance review should be signed by the reviewer or corporate officer.

ENFORCEMENT (CON’T)

• Third party dispute resolution mechanism – FAQ 11:

– Must be independent;

– Must be readily available and inexpensive;

– Must hear all eligible privacy complaints; and

– Must provide consumers with information about how the dispute will be handled.

ENFORCEMENT (CON’T)

• Third party dispute resolution mechanism must provide sufficient sanctions to ensure compliance.

• These should include publicity and deletion of data in certain circumstances.

FAILURE TO COMPLY WITH THE SAFE HARBOR

• A U.S. organization that persistently fails to comply with the safe harbor requirements is no longer entitled to safe harbor benefits.

• Such an organization will be labeled as failing to comply on the DOC list, but only after it has been given 30 days’ notice and an opportunity to respond.

FAILURE TO COMPLY... (CON’T)

• FAQ 11 defines a persistent failure to comply as arising where an organization refuses to comply with a final determination by a self regulatory or government body or where such body determines that the organization frequently fails to comply with the safe harbor framework to the point where its claim to comply is no longer credible.

FAILURE TO COMPLY... (CON’T)

Dispute resolution mechanisms must notify the appropriate government agency and the Department of Commerce of persistent failures to comply.

FAILURE TO COMPLY WITH THE SAFE HARBOR (CON’T)

• Failure to comply with the safe harbor may also lead to enforcement action by the FTC or DoT.

• The FTC and DoT have committed to reviewing on a priority basis referrals received from privacy programs and from EU Member State data protection authorities (DPAs).

• They are supposed to act in response to complaints or referrals, not to monitor safe harbor compliance.

ENFORCEMENT SUMMARY

• First enforcement layer: Private sector or government enforcement; U.S. or DPAs

• Second enforcement layer: Must be government enforcement; for now FTC or DOT

WHAT COMPANIES ARE ELIGIBLE FOR THE SAFE HARBOR?

• Have to be a U.S. organization; and

• Have to be subject to Section 5, “unfair and deceptive” practices of the Federal Trade Commission; or

ELIGIBLE COMPANIES (CON’T)

Have to be an air carrier (a defined term in the statute that includes travel agents and airlines) subject to the Dept. of Transportation’s 49 U.S.C. 41712 (which is patterned after Section 5 of the FTC Act).

FINANCIAL SERVICES SECTOR

• Because the Financial Modernization Act had just been passed and regulations were not yet adopted, both sides decided more time was needed to evaluate legislation.

• Treasury Department in consultation with the Department of Commerce will head up these negotiations.

• Interruptions in data flows are not anticipated while good faith efforts continue to address these issues.

WILL PROPOSED U.S. LEGISLATION OBVIATE THE NEED FOR THE SAFE HARBOR?

• None of the legislation proposed at the federal level is as comprehensive as the European directive.

• Any U.S. legislation is unlikely to meet all the requirements for an “adequacy” determination.

Any Questions?