THE SAFE HARBOR: PRIVACY IN THE UNITED STATES. By Sara A. Levine and Catherine McAteer, Fasken Martineau DuMoulin LLP

Transcription

1 THE SAFE HARBOR: PRIVACY IN THE UNITED STATES By Sara A. Levine and Catherine McAteer, Fasken Martineau DuMoulin LLP Over the past 10 years there has been an explosive growth world-wide in public concern and government regulation regarding the privacy of personal information. In particular, the federal governments in Canada and the United States have significantly changed their oversight of the private sector s collection, use and disclosure of personal information. These changes were prompted in part by the regime existing in the European Union. In 1995, the European Union promulgated the Directive on the Protection of Individuals in Relation to the Processing of Personal Data (the Directive ). The Directive, which became effective in October 1998, establishes rules respecting an individual s right to privacy with regard to the processing of personal data. It also imposes general restrictions on transborder data flows to jurisdictions that do not have adequate privacy protection, effectively creating a nontariff barrier to trade. 1 The Canadian response to the Directive was to enact the Personal Information Protection and Electronic Documents Act (Canada) 2 (the PIPEDA ). The Americans, who historically have taken a market-based and sectoral approach to privacy regulation, 3 sought to avoid having to enact omnibus legislation. Accordingly, in June 2000, the United States Department of Commerce and the European Commission negotiated a compromise between the self-regulatory 1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (October 24, 1995), Articles 25 and 26, online: European Commission Homepage 95L0046&model=guichett (last accessed: April 29, 2003) [hereinafter Directive ]. 2 S.C c. 5 3 The sectoral approach to privacy regulation has resulted in an increasing number of privacy laws at the state and federal level in the United States. The sectors affected include financial services (e.g. the Gramm-Leach-Bliley Act), credit reporting agencies (e.g. the Fair Credit and Reporting Act), telemarketing, health (e.g. the Health Information Portability and Accountability Act) and education. The subject-specific legislation includes state and federal laws relating to mailing lists, employment records, electronic surveillance (including telephone and video recording and the use of global positioning systems), children s websites (e.g. the Children s Online Privacy Protection Act), and the use of Social Security numbers. This patchwork has resulted in a complex and confusing privacy landscape in the United States.

2 - 2 - approach of the U.S. and the legislative approach of the EU. What resulted was the Safe Harbor. As of April 30, 2003, 335 American companies have joined the Safe Harbor. Joining the Safe Harbour The Safe Harbor is a voluntary system which relies primarily on self-regulation. Under the regime, an American company may voluntarily agree to adhere to a privacy framework consisting of seven Safe Harbor Principles 4 (the Principles ) and accompanying Frequently Asked Questions 5 (the FAQs ), which was deemed adequate by the EU in light of the Directive. American companies that join the Safe Harbor are thereafter listed on the Safe Harbor List maintained by the U.S. Department of Commerce. 6 Currently, only organizations subject to the jurisdiction of the Federal Trade Commission ( FTC ) or the Department of Transportation may participate in the Safe Harbor. 7 Organizations may qualify for the Safe Harbor i) by joining a self-regulatory privacy program that adheres to the Principles; ii) by developing its own privacy policies that conform with the Principles; or iii) if the organization is subject to a statutory, regulatory or administrative regime that protects personal privacy. To date, the EU has not approved any such regime as adequately protecting personal data, and accordingly, only the first two methods of qualification are currently available. 8 In order to satisfy the requirements of the Safe Harbor, a qualifying U.S. corporation must publicly announce its compliance by filing certification letters annually with the Department of Commerce. 9 From the date it self-certifies to the Department of Commerce (or its designee) that 4 Notice, Choice, Onward Transfer, Access, Security, Data Integrity, and Enforcement. 5 The Principles are available at and the Frequently Asked Questions are each linked individually from documents.htm. A link to the Principles is also available on that page. 6 Safe Harbor List, online: U.S. Department of Commerce Safe Harbor Website, (last accessed: April 29, 2003). 7 For example, businesses operating in industries such as financial services or insurance are not under the jurisdiction of the FTC or the Department of Transportation and are not able to join the Safe Harbor. 8 Harvey, James A. and Sanzaro, Karen, An Overview of the Proposed Safe Harbor Privacy requirements (2000) 17 Computer Law 19 at p Safe Harbor Principles, supra note 8.

3 - 3 - it adheres to the Principles in accordance with the guidance set forth in FAQ 6 on Self- Certification the organization will have all the benefits of the Safe Harbor. 10 Participation in the Safe Harbor permits an organization to rely on the presumption of adequacy that it creates and therefore to continue to receive transfers of personal data from EU Member States. The undertaking to adhere to the Principles means that the organization must apply the Principles to any data received during the period that the organization is in the Safe Harbor. If the organization leaves the Safe Harbor for any reason, its obligation to collect, use or disclose that personal data in accordance with the Principles survives. The Safe Harbor Principles The Principles define personal data and personal information as data about an identified or identifiable individual that is within the scope of the Directive, received by a U.S. organization from the European Union, and recorded in any form. 11 The Directive defines personal data 12 as: any information relating to an identified or identifiable natural person ( data subject ); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 13 The privacy policies required by the Safe Harbor must ensure that the organization collects, uses and discloses all personal data that it receives from EU Member States in a manner that is consistent with the following seven Principles: Notice: Individuals must be notified in clear and conspicuous language of the purposes for which data is being collected, the types of third parties who will receive the information, the choices 10 Frequently Asked Question #6, online: U.S. Department of Commerce Safe Harbor Website (last accessed: April 29, 2003). 11 United States Department of Commerce, Safe Harbor Principles, (July 21, 2000), online: U.S. Department of Safe Harbor Commerce website (last accessed: April 29, 2003) [hereinafter Safe Harbor Principles ]. 12 Directive, supra not 1, Chapter 1, Article 1(1). 13 Ibid., Article 2(a).

4 - 4 - offered by the organization to limit the use and disclosure of information, and how to contact the organizations with inquiries or complaints. Choice: Individuals must have an opportunity to opt-out of any disclosures to third parties or of any uses that are incompatible with the purposes for which the personal information was originally collected or subsequently authorized. Sensitive information requires that individuals opt-in to any such disclosures or uses. Sensitive information includes information about the individual s health, race or ethnicity, political, religious or philosophical opinions or beliefs, trade union membership or sexual preferences. Onward Transfer: Personal information must not be transferred to third parties where the transfer would be inconsistent with the purposes for which the information was originally collected unless the individual has been notified and given an opportunity to opt out of the transfer. Organizations are responsible for ensuring compliance by their agents. Security: Organizations that collect and use personal information must take reasonable precautions to protect it from loss or misuse and unauthorized access, disclosure, alteration or destruction. Data Integrity: Personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected. Organizations must take reasonable steps to ensure that data is reliable, accurate, complete and current. Access: Individuals must have access to their personal information and be able to correct or delete inaccurate information. The exception to this principle occurs when the burden of providing access would be disproportionate to the risks to the individual s privacy or where the rights of other individuals would be at risk. Enforcement: Effective privacy protections must include mechanisms for ensuring compliance, recourse for individuals whose rights have been infringed, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include readily

5 - 5 - available independent recourse mechanisms, follow-up procedures for verifying that the assertions businesses make about their privacy practices are true and that privacy practices have been implemented, and the ability to remedy problems arising out of a failure to comply with the Principles. Sanctions must be sufficiently rigorous to ensure compliance by organizations and may include damages where the applicable law or private sector initiative so provides. In addition to these Principles, the Safe Harbor framework consists of Frequently Asked Questions, which provide interpretive guidance and commentary on the application of these Principles, the European Commission s adequacy decision and letters between the Department and the European Commission and from the Department of Transportation and Federal Trade Commission regarding their enforcement powers. 14 The Safe Harbor is less stringent than the Directive in some areas. For example, organizations are only required to apply the Principles to personal data transferred to them after they join the Safe Harbor. 15 Also, the Principles specifically exempt personal information in manual filing systems. Finally, the Safe Harbor allows for the processing of personal data without the individual s knowledge or consent in circumstances where the application of the Principles would prejudice the legitimate interests of the organization. This exception applies to transactions carried out by investment bankers or auditors where there is a legitimate need for confidentiality. 16 It is not clear that this is allowed by the Directive. Enforcement Generally, enforcement of an organization s compliance with the Safe Harbor is to be carried out by the private sector, backed up as needed by government enforcement under unfair and 14 Safe Harbor Documents, online: U.S. Department of Commerce Safe Harbor Website (last accessed: April 30, 2003). 15 The Directive requires that data be brought into conformity within three years of the adoption of the Directive (12 years for data held in manual filing systems). See Directive, supra note 1, Article 32(2). 16 Frequently Asked Question #4, online: U.S. Department of Commerce Safe Harbor Website (last accessed: April 29, 2003).

6 - 6 - deceptive trade practices statutes. Currently, the FTC 17 and the Department of Transportation 18 are the only bodies recognized by the EU as being empowered to investigate complaints and to obtain relief and redress. The FTC may seek administrative orders, civil penalties and may pursue civil or criminal contempt for violations of such orders. 19 In addition, the Safe Harbor Principles require each organization to comply with readily available, affordable and independent third party dispute resolution mechanisms by which individual complaints can be resolved. Currently, six organizations are recognized as examples of adequate dispute resolution bodies: BBBOnline, TRUSTe, AICPA WebTrust, the Direct Marketing Association Safe Harbor Program, Entertainment Software Rating Board Privacy Online Safe Harbor Programme, and the American Arbitration Association. 20 Dispute resolution bodies are required to ensure that any sanctions imposed will correct any non-compliance and will ensure that the organization will comply in the future. In accordance with FAQ 11, the range of possible sanctions must include publicity where there has been a finding of noncompliance and the requirement to delete data in certain circumstances. Persistent failure to comply with the Principles will result in the organization being removed from the Safe Harbor List. Pursuant to FAQ 11, persistent failure means a refusal to comply with a final determination by any self-regulatory or governmental body or a determination by such a body that the organization frequently fails to comply with the Principles such that its claim to compliance is not credible. An organization is obliged to notify the Department of Commerce of its non-compliance, which will provide the organization with thirty days notice of its intention de-list the organization, and thereafter will indicate non-compliance on the Safe 17 The FTC has authority to enforce compliance with the Principles, on the basis of its authority under section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in commerce. 18 The Department of Transportation s authority is based on Title 49 United States Code Section Frequently Asked Question #11, online: U.S. Department of Commerce Safe Harbor Website (last accessed: April 29, 2003). 20 Safe Harbor Workbook, online: U.S. Department of Commerce Safe Harbor Website (last accessed: April 30, 2003).

7 - 7 - Harbor List. Failure to notify the Department of Commerce can result in sanctions being imposed under the False Statements Act. 21 The Current State of the Safe Harbor Regime The response to the Safe Harbor from U.S. corporations in the first six months of operation was minimal. During that period, only thirty-seven organizations enrolled in the program, of which only two (Hewlett Packard and Dun & Bradstreet) were large multinational organizations. 22 Rather, the companies tended to be small to medium sized businesses who were providing privacy compliance or consulting services or who were concerned with privacy issues arising from consumer transactions. 23 Early critics of the Safe Harbor argued that compliance with the Principles was expensive, impractical and unfair to US companies given the inconsistent enforcement of the Directive in EU Member States. 24 Despite the slow beginnings, however, the past year has shown a dramatic rise in the number of organizations that have joined the Safe Harbor. As discussed above, as of April 30, 2003, there are 335 companies on the Safe Harbor List. Companies come from a wide variety of sectors and it is clear that the program has broad application and appeal. Some of the biggest names include Microsoft, IBM, Intel, Staples, Weyerhauser, Yamaha and Proctor and Gamble. Companies are now joining at an average rate of one every two to three days. Pursuant to its resolution recognizing the Safe Harbor, the European Commission is required to monitor and report on the level of compliance of American organizations. 25 The Commission 21 Ibid. 22 Assey, J. M. and Eleftherious, D. A. The EU-US Privacy Safe Harbor: Smooth Sailing or Troubles Waters? (2001) 9 Catholic Univ. of America CommLaw Conspectus 145 at p. 147 [hereinafter Assey ]. 23 Ibid. 24 Castor, D. Treading Water in the Data Privacy Age: An Analysis of Safe Harbor s First Year (2002) 12 Ind. Int l & Comp. L. Rev 265 at note 174 citing W.J. Tauzin, Chairman of the U.S. House Committee on Energy and Commerce. See also Assey, supra note 19 at p Commission of the European Communities, Commission Staff Working Paper The application of Commission Decisions 520/2000/EC of 26 July 2000 pursuant to Directive 95/46 of the European Parliament and of the Council on the adequate protection of personal data provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce (February 13, 2002) online: The Computer Law Review International Website (last accessed: April 30, 2003).

8 - 8 - examined the Safe Harbor regime and released a working paper on February 13, 2002 (the 2002 Working Paper ) 26 with another evaluation expected some time later this year. It will be interesting to see the results of that second evaluation in light of the rapid increase in the number of companies joining the Safe Harbor. The Commission s research for the 2002 Working Paper revealed that a substantial number of organizations that self-certified did not observe the required level of transparency. Apart from the required self-certification declaration, many do not state in their published privacy policy statements that they adhere to the Principles and in some cases, the policy statement could not be accessed on the organization s website. Less than half the organizations reviewed by the Commission posted privacy policies that reflected all seven Principles. In particular, the Access Principle, which includes the right to amend incorrect data, was frequently not mentioned. The Commission also found that in many cases the organizations policies lacked clarity. Typically, information relating to enforcement mechanisms available to consumers or to the content of terms such as sensitive data was not readily available. In some cases, organizations had multiple privacy policies, each relating to different types of data. 27 The effect of these problems is that individuals would have difficulty determining which rules applied to their data and how to enforce their rights. While the Commission was satisfied with the sanctions available to dispute resolution bodies in dealing with complaints from individuals, it was concerned that not all such bodies had undertaken to publicize their findings. Out of six dispute resolution bodies used by companies on the Safe Harbor list only two have made such an undertaking (The Direct Marketing Association and BBBOnline). Despite these broad concerns, however, the Commission expressed satisfaction with the progress made by Safe Harbor. The Commission agreed with the U.S. Department of Commerce that 26 Ibid. 27 For instance, one policy with respect to data collected in the U.S., another with respect to data collected from the EU.

9 - 9 - some of the shortcomings identified could be put down to teething problems and seemed satisfied with the actions taken by the Federal Trade Commission to address these problems. Alternatives to the Safe Harbor There are a few other limited circumstances in which data may legally be transferred from the European Economic Area to an organization in the U.S that has not joined the Safe Harbor. A transfer is allowed if the individual s consent has been obtained, if the transfer is necessary to perform a contract entered into at the customer s request or that is in the interest of the customer, or if the transfer required is in the interest of the data subject. Data may also be transferred without restriction if it is in the public interest, for the purpose of litigation, or if the information is publicly available. In addition, on June 18, 2001, the EU approved standard contractual clauses for data transfers which are designed to ensure adequate protection for personal data transferred outside the EU. Pursuant to this decision, Member States are required to recognize the use of model clauses as providing adequate safeguards and fulfilling the requirements of the Directive. These clauses are not required for transfers to approved countries, which as of January 1, 2004, will include Canada. 28 Conclusion In November of this year, the Safe Harbor will celebrate its third anniversary. Despite a lukewarm response in its early months, the program is enjoying broad acceptance in the U.S. business community. U.S. organizations view the program as a straightforward means of complying with the EU Directive and ensuring the uninterrupted flow of data from their EU customers and affiliated organizations. For its part, the European Commission expressed satisfaction in its recent working paper on the adequacy of Safe Harbor, citing relatively minor concerns, which it admitted were likely due to teething problems. Remarkably, the U.S. and 28 European Union Press Release Data Protection: Commission Approves Standard Contractual Clauses for Data Transfers to Non-EU Countries (June 18, 2001) online: The European Union Delegation to the United States Homepage, (last accessed: April 29, 2003)

10 EU have found a compromise between the EU view of privacy as a fundamental right and the U.S. opinion that such rights be balanced with the potential benefit that this information may present to society. While governments seek compromise, the reality of the marketplace is that organizations can no longer afford to ignore the privacy concerns of individuals. With the growth of e-commerce and the increasing public awareness that personal data is a commodity, consumers are demanding that their privacy be taken seriously. The Safe Harbor and the PIPEDA are examples of a global trend that is likely to forever alter the way that organizations and governments collect and use personal information.