1 You can find the materials on the Internet at http://www.ita.doc.gov/ecom/menu.htm.
[11409]
November 17, 1999
TO: INTERNATIONAL COMMITTEE No. 48-99
TECHNOLOGY TASK FORCE
RE: DEPARTMENT OF COMMERCE REQUESTS COMMENT ON EU PRIVACY
DIRECTIVE SAFE HARBOR
______________________________________________________________________________
Since last fall, the US Department of Commerce and the European Commission have engaged
in negotiations over a safe harbor for US companies from the European Union data protection directive.
The directive prohibits the flow of personal information from European Union member states to any
recipient outside the EU that lacks adequate privacy protections. Companies complying with the terms
of the safe harbor would have a presumption of adequacy in this regard, significantly reducing the
potential that data flows to those companies would be challenged under the directive.
On November 15, 1999, Commerce published the safe harbor documents on its web site and
requested comment by December 3, 1999.1 The Institute is considering whether to submit a comment
letter. Given the short comment period, we must request that any comments that you would like the
Institute to make must be forwarded to me no later than Friday, November 26, 1999.
There are four sets of documents that will define the terms of the safe harbor:
1. The international safe harbor privacy principles. These include principles on notice, choice,
onward transfer, security, data integrity, access, and enforcement.
2. Frequently asked questions. There are fifteen sets of frequently asked questions that further
explain the safe harbor principles.
3. Exchange of Letters. The concept of the safe harbor will be explained in a letter from
Ambassador David Aaron of the Department of Commerce to John Mogg of the EC. That
letter will also request that the EC make a determination that companies complying with the
safe harbor have a presumption of adequacy under the directive. The reply letter from John
Mogg will explain that the EC has made that finding and provide further administrative
details about the safe harbor.
4. Article 25.6 Decision on Adequacy. Attached to Mr. Mogg’s letter will be an Article 25.6
decision by the EC. Article 25.6 gives the EC the power to make decisions determining that
the data protection provided by a particular non-EU country is adequate for purposes of the
directive.
One of the remaining issues being negotiated involves how companies in the financial services
industry will be treated under the safe harbor. Ambassador Aaron’s cover letter notes that the US has
requested that the EC provide separate adequacy determinations on the Fair Credit Reporting Act and
the recently enacted Gramm-Leach-Bliley Act of 1999, and that those requests are still pending.
This memorandum is being sent by facsimile, with Ambassador Aaron’s cover letter inviting
comment and the safe harbor privacy principles attached, and by regular mail, with all of the safe harbor
documents attached. All of these documents also can be found on the Department of Commerce web
site at http://www.ita.doc.gov/ecom/menu.htm.
If you have any questions about the safe harbor documents, please contact me by phone at (202)
371-5430, fax at (202) 326-5841 or e-mail at rcg@ici.org.
Robert C. Grohowski
Assistant Counsel
Attachments