Privacy Safe Harbor

Date: Thu, 19 Nov 1998 12:33:56 -0800 (PST)
From: Phil Agre
To: "Red Rock Eater News Service"
Subject: [RRE]EU/US Privacy Safe Harbor
Precedence: Bulk
List-Software: LetterRip Pro 3.0.2 by Fog City Software, Inc.

[The background of this letter is that the European Union recently put
into effect its Data Protection Directive, which instructs EU member
nations on how to harmonize their existing privacy laws, as well as
establishing institutional mechanisms for the enforcement of those
laws, most particularly through citizen complaints.  The most celebrated
feature of the Directive is its position that, with some exceptions,
personal information cannot be transferred to non-EU countries whose
privacy laws are not adequate by EU standards.  The United States is
almost certainly such a country, and feverish activity has been going
on to permit American companies to do business in Europe.  Companies
have a legitimate interest in a regulatory environment that is clearly
defined and predictable, and US companies have been searching for a
"safe harbor" policy that defines actions that they can take to shield
themselves from legal action.  The US Department of Commerce recently
issued a draft "safe harbor" proposal, and this letter was sent as
part of that proposal's public comment process.  The authors of this
letter are legal experts who cover much of the spectrum of serious
opinion on privacy policy.  I have reformatted their letter to remove
special characters, insert a second space after each sentence, and
confine the text to 70 columns.]

This message was forwarded through the Red Rock Eater News Service (RRE).
Send any replies to the original author, listed in the From: field below.
You are welcome to send the message along to others but please do not use
the "redirect" command.  For information on RRE, including instructions
for (un)subscribing, see
or send a message to with Subject: info rre

Date: Thu, 19 Nov 1998 10:54:32 -0500
From: "Joel R. Reidenberg"
Subject: EU/US Privacy safe harbor


Joel R. Reidenberg
Professor of Law
Director, Graduate Program Academic Affairs
Fordham University School of Law
140 W. 62nd Street
New York, NY 10023 (USA)
Tel: 212-636-6843
Fax: 212-636-6899

      November 18, 1998

Ambassador David L. Aaron
Undersecretary for International Trade
U.S. Department of Commerce
14th Street and Constitution Avenue, N.W.
Washington, DC 20230

 Comments re: International Safe Harbor Privacy Principles

Dear Ambassador Aaron:

 We are the authors of four recent books and monographs -- Data
Privacy Law: A Study of United States Data Protection (Michie
1996), Privacy in the Information Age (Brookings 1997), None of Your
Business: World Data Flows, Electronic Commerce, and the European
Privacy Directive (Brookings 1998), and Data Protection Law and
On-line Services: Regulatory Responses in Belgium, France, Germany and
United Kingdom (European Commission, forthcoming 1999) -- examining
the European Union's data protection directive (Directive 95/46/EC),
the "adequacy" of United States privacy protection under Articles
25 and 26 of that directive, and substantive data protection law in
several European Union Member States.  Four of us are law professors
who teach and research extensively in the areas of privacy and
information law; the fifth is director of economic studies at The
Brookings Institution and a former deputy assistant attorney general
in the Antitrust Division of the Justice Department and former
associate director in the Office of Management and Budget.

 The views we express below are ours alone; they do not necessarily
represent the views of the institutions with which we are affiliated
nor have we received any financial or other compensation for preparing
these comments.

 In our respective writings and public statements concerning
privacy, we have disagreed frequently and, on occasion, sharply about
the desirable level of substantive privacy protection for personal
information and about the constitutionality, effectiveness, and
the advisability of various means of achieving privacy protection.
We submit these comments jointly today to highlight the fact that,
despite our divergent views on other privacy issues, on these
critical points we are in complete agreement.  In addition to these
joint comments, Professor Swire is also submitting a set of technical

 We appreciate the opportunity to submit comments on the November
4, 1998, draft of International Safe Harbor Privacy Principles,
and we applaud the Department of Commerce, you, and your colleagues
for pursuing discussions with the European Union to create a set
of international principles that would be recognized globally as
meeting the requirements of Articles 25 and 26 of Directive 95/46/EC.
Agreement on such principles would diminish the threat that
enforcement of the data protection directive might interrupt trade
with the European Union and reduce the transaction costs associated
with complying with the Directive.

 The key to creating effective principles and achieving the benefits
that such principles promise, however, is in their specificity
and comprehensiveness.  Specific, comprehensive principles make it
comparatively easy for consumers, businesses, and regulators alike
to know what is expected, what level of privacy is provided, and
whether there is compliance.  Such principles also diminish the room
for conflicting interpretations by information collectors and users
and by national data protection regulators, thereby increasing the
certainty that the principles will, in fact, constitute "adequate"
data protection and therefore a safe-harbor under Directive 95/46/EC.

 We believe that the proposed International Safe Harbor Privacy
Principles are too vague and incomplete to serve their intended
purpose.  Specifically, we believe the following examples reflect
substantial difficulties for international data transfers that this
proposed draft does not resolve:

 1. The applicability of the "Safe Harbor" is ambiguous

 We find the scope of application of the "safe harbor" perplexing.
The preamble seems to merge sectoral regulation that may provide
a statutory basis for "adequacy" with collective, industry
self-regulatory schemes and isolated independent mechanisms.  Yet
many issues for compliance and the sufficiency of each of these means
to satisfy "adequacy" are different.  In addition, the "safe harbor"
does not delineate how to treat a company that subscribes to the
principles in connection with one set of activities, such as on-line
services, but engages in many others such as employee data transfers.
Furthermore, the draft exempts "proprietary information" from the
principles without any definition.  We do not understand what this
term means in relation to the generally accepted definition of
"personal information" as information relating to an identified or
identifiable person.

 2. Transparency is not yet accomplished

 The "safe harbor" leaves a number of critical issues for transparency
unresolved.  For example, the notice requirement does not include
any disclosure of the identity of the organization collecting
personal information.  We also believe the provision on access
leaves significant ambiguity in the ability of individuals to see
the information relating to them.  "Reasonable access" is only vaguely
defined in the clause and likely to be interpreted quite differently
by the various stakeholders.  At the same time, the blanket exclusion
of public record information from the access right raises serious
questions about whether the resulting data protection is "adequate"
under Directive 95/46/EC.

 In addition, the "safe harbor" is silent on the transparency of those
companies subscribing to the principles; there is no provision for
the public disclosure of companies promising to adhere to the "safe
harbor."  For example, a statement in corporate disclosure documents
such as Form 10K or 10Q filed with the Securities and Exchange
Commission would make adherence public and indicate that a particular
company thought compliance was material to its business practices.

 3. The role of consent

 We are concerned that the "safe harbor" relies too heavily on
consent as an absolute basis for any treatment of personal information.
Especially in the case of sensitive information such as medical data,
consent may not be recognized as an appropriate ground for certain
uses of personal information.  For example, it is doubtful whether
consent should be considered valid where medical care is provided to
a sick patient on condition of using personal medical information for
marketing purposes.

 4. Enforcement is ill-defined

 We are unconvinced that the draft "safe harbor" provision on
enforcement adds a meaningful standard to the principles.  The list
of mechanisms by which compliance might be assured does not contribute
to clear rules or practices for companies to follow or for individuals
to pursue in the vindication of claims.  The draft gives no guidance
on the content for "systems for verifying that the attestations and
assertions business make . . . are true" nor does the draft provide
any indication as to how such measures might overcome the rejection of
non-independent supervision by data protection authorities.  Even with
respect to remedies, the draft is too vague to provide any guidance.
Enforcement in the American legal system typically includes causes
of action and damages for violations of standards.  The draft speaks
of "recourse" and "consequences," yet does not establish any useful
criteria for dispute settlement nor address the question of damages
for injuries caused to individuals by violations of the principles.
In combination with the vagueness of the substantive principles, the
enforcement provision offers unclear protection for individuals and
uncertainty for U.S. business.

 Moreover, we are concerned by the confusion regarding the legal
effect of the proposed International Safe Harbor Privacy Principles.
Typically, American law uses the term "safe harbor" to mean a set
of precisely defined practices recognized by a designated regulatory
agency to satisfy an existing legal obligation in the United States.
In the absence of U.S. statutory obligations, we understand this
"safe harbor" is, instead, intended as a designation by the European
Union that U.S. companies complying with the terms of these principles
would qualify to transfer personal information to the United States
under Article 25(6) or Article 26 of Directive 95/46/EC.  Under
Directive 95/46/EC, a determination of the sufficiency of these
principles will be made by the Commission subject to referral to the
Committee, consisting of representatives from each of the Member
States, established under Article 31 of the Directive, and, if
necessary, to referral to the Council of Ministers for an overruling
decision.  In making the initial determination on the value of these
principles as "adequate" data protection, the Commission consults with
the Working Party, composed of representatives of the data protection
supervisory agencies of the Member States, established under Article
29 of the Directive.  Although the opinion of the Article 29 Working
Party is only advisory, each of the group's members has enforcement
responsibilities for international data transfers.  Hence, even if
these principles are accepted by the Commission and the Article 31
Committee or the Council of Ministers, European law and Directive
95/46/EC require the data protection agencies in each of the European
member states to interpret whether there is compliance and accord a
significant margin for interpretation to those agencies.

 The Working Party has addressed itself for the past two years to
the question of what constitutes "adequate" data protection under
Articles 25 and 26.  Those views are collected in the Working Party's
report this summer, Working Document on Transfers of Personal Data to
Third Countries: Applying Articles 25 and 26 of the EU Data Protection
Directive.  While our views on the substance of the Working Party's
conclusions differ, we are agreed that the current draft of the
International Safe Harbor Privacy Principles appears inconsistent with
the Working Party's conclusions.  In particular, the vagueness and
omission in the draft International Safe Harbor Privacy Principles
contradict the search for specific substantive standards enumerated
in the Article 29 Working Party's opinions.  We do not, therefore,
believe that these principles will resolve the international data
flow issues for U.S. companies at the member state level and urge you
to explore the problems of interpretation that these principles will

 Thank you again for your efforts to create International Safe Harbor
Privacy Principles.  We appreciate this opportunity to comment and
we stand ready, individually and collectively, to work with you to
address the concerns and ambiguities that we have identified and
to provide any other assistance you might require in completing your
important task.

     Respectfully submitted,

     Fred H. Cate
     Professor of Law
     Indiana University School of Law -- Bloomington
     Author, Privacy in the Information Age
     211 South Indiana Avenue
     Bloomington, IN 47401

     Robert E. Litan
     Director, Economic Studies
     The Brookings Institution
     Co-Author, None of Your Business
     1775 Massachusetts Avenue, N.W.
     Washington, DC 20036

     Joel R. Reidenberg
     Professor of Law
     Fordham University School of Law
     Co-Author, Data Privacy Law and
     Data Protection Law and On-line Services
     140 West 62nd Street
     New York, NY 10023

     Paul M. Schwartz
     Professor of Law
     Brooklyn Law School
     Co-Author, Data Privacy Law and
     Data Protection Law and On-line Services
     250 Joralemon Street
     Brooklyn, NY 11201

     Peter P. Swire
     Professor of Law
     Ohio State University College of Law
     Co-Author, None of Your Business
     55 West 12th Avenue
     Columbus, OH 43210

Maintained by Joseph Goguen
Last modified 19 November 1998