REQUEST FOR COMMENTS ON PROPOSED SAFE HARBOR FROM EU DATA PROTECTION DIRECTIVE

1 See Memorandum to International Committee No. 35-98, dated November 20, 1998. 2 http://www.ita.doc.gov/ecom/menu.htm. [10934] April 27, 1999 TO: ELECTRONIC COMMERCE ADVISORY COMMITTEE No. 4-99 INTERNATIONAL COMMITTEE No. 18-99 TECHNOLOGY TASK FORCE RE: REQUEST FOR COMMENTS ON PROPOSED SAFE HARBOR FROM EU DATA PROTECTION DIRECTIVE ______________________________________________________________________________ As reported to you earlier, the US and the European Union have been engaged in ongoing negotiations over the terms of a safe harbor that would protect US businesses from enforcement actions under the EU Data Protection Directive.1 On April 19, 1999, the Department of Commerce issued for comment the first tranche of documents that will comprise the safe harbor. Copies of these documents are attached. More documents are to be posted to the Department of Commerce web site during the week of April 26, 1999.2 The European Commission is concurrently seeking comments on the materials from EU member states. The Directive, which went into effect on October 25, 1998, governs the processing of personal data in the EU and the transfer of that data to countries outside the EU. By its terms, the Directive prohibits the transfer of data to countries outside the EU that lack adequate privacy protections. The safe harbor would create a presumption that, for purposes of the Directive, companies complying with the safe harbor terms adequately protect privacy. This presumption would substantially reduce the possibility of disruptions to data flows to and from European sources. The draft would allow companies access to the safe harbor in two ways. Where an organization is subject to US statutory, regulatory, administrative or other law that effectively protects personal data privacy, it qualifies for the safe harbor to the extent that its activities are governed by those laws or rules. In the absence of laws or rules protecting privacy, a company would need to satisfy seven privacy principles: notice, choice, onward transfer, security, data integrity, access and enforcement. Comments to the proposed safe harbor are due to the Department of Commerce by May 10, 1999. The Institute expects to comment on this proposal. If you have comments that you would like the Institute to make, please forward them to me no later than the close of business on May 5, 1999. I can be reached in the following ways: Phone: (202) 371-5430 Fax: (202) 326-5841 E-mail: rcg@ici.org Robert C. Grohowski Assistant Counsel Attachments