[11742]
March 20, 2000
TO: INTERNATIONAL COMMITTEE No. 10-00
SEC PRIVACY RULES WORKING GROUP
TECHNOLOGY TASK FORCE
RE: COMMERCE REQUESTS COMMENT ON LATEST EU PRIVACY SAFE HARBOR
DOCUMENTS
______________________________________________________________________________
Since the fall of 1998, the US Department of Commerce and the European Commission have
engaged in negotiations over a safe harbor for US companies from the European Union data protection
directive. See Memoranda to International Committee 35-98 dated Nov. 20, 1998; 18-99 dated April 27,
1999; 20-99 dated May 3, 1999; 23-99 dated May 18, 1999; and 48-99 dated Nov. 17, 1999. Among
other things, the directive prohibits the flow of personal information from European Union member
states to any recipient outside the EU that lacks adequate privacy protections. Companies complying
with the terms of the safe harbor would have a presumption of adequacy in this regard, significantly
reducing the potential that data flows to those companies would be challenged under the directive.
The US financial services industry has asked that the EC find that financial services firms subject
to the Gramm-Leach-Bliley Act and/or the Fair Credit Reporting Act have adequate privacy protections
based on compliance with those laws. Commerce and the EC expect to complete the initial negotiations
over the basic safe harbor package on March 31, 2000. It appears, however, that the negotiators will not
reach agreement on the financial services request before completing the basic safe harbor package.
In preparation for their March 31 meeting with the EC, Commerce posted most of the
revised safe harbor documents on its web site late Friday afternoon, with a request for final
comments by March 28, 2000. These documents can be found at
http://www.ita.doc.gov/td/ecom/menu1.html. (See Memorandum to International Committee 48-99 dated
Nov. 17, 1999 for a summary of the documents that comprise the safe harbor package.) Please note
that the formal correspondence between Commerce and the EC and the text of the Article 25.6
adequacy determination have not been posted yet, although they are expected early this week. These
three remaining pieces of the safe harbor package are critical, as they will set forth the procedural
benefits for companies that choose to certify compliance with the safe harbor.
The exchange of letters between Commerce and the EC also will be of particular importance to
financial services industries, because they likely will set forth an agreement to continue to negotiate with
respect to financial services. Ambassador Aaron’s cover letter states that “[b]ecause more time is needed
to examine recent developments in U.S. laws governing privacy in the financial services sector and the
Financial Modernization Act regulations are not yet complete, we will continue working with the
European Commission with the goal of bringing the benefits of the safe harbor to the financial services
sector. We do not anticipate interruptions in data flows while we continue our good faith efforts to
resolve these issues.” Thus, we understand that the political standstill that has been in effect since
October 1998 will remain in effect for financial services firms. We expect that the exact status of
financial services will be treated in more detail in the correspondence between Commerce and the EC.
The Institute intends to sign on to comment letters on the safe harbor documents filed by the
various privacy coalitions such as CSI in which we participate and may not file an individual comment
letter. We would expect comments filed by CSI or the Institute to assert that the substantial privacy
protections afforded to consumers of financial services by the Gramm-Leach-Bliley Act are adequate
and effective and that US financial services firms should be permitted to certify compliance with the safe
harbor based on compliance with that Act and the rules promulgated thereunder. We also would
strongly support the continuation of the political standstill with respect to enforcement of the Directive
until negotiations over this issue are complete.
If you have any questions about the safe harbor documents, please contact me by phone at (202)
371-5430, fax at (202) 326-5841 or e-mail at rcg@ici.org.
Robert C. Grohowski
Assistant Counsel