On Nov. 1, the long-awaited “safe harbor” agreement, designed to make it easier for U.S. companies to comply with the stringent data privacy laws of the European Union, went into effect. That same day, the U.S. Department of Commerce, which had negotiated the rules with the EU for two years, eagerly opened its doors for business. It issued a press release trumpeting the benefits of signing on to the voluntary privacy framework, and put up a new and informative Web site (see www.export.gov/safeharbor).

But business has been disappointingly slow. A month has already lapsed, and aside from companies in the “privacy business” such as watchdog groups, the number of safe harbor participants can be counted on one finger of one hand. That company, The Dun & Bradstreet Corporation, registered on Nov. 17.

“The motivating force for us is that we already complied” with the EU’s privacy rules, said Jean Cantrell, Dun & Bradstreet’s executive director for government affairs. The company, a “big supporter” of the safe harbor agreement, “knew pretty much what the expectations would be,” in advance, she said. When the final rules were issued in June, the company found it “didn’t have a lot of retrofitting to do,” she added.

However, Dun & Bradstreet appears to be the exception to the rule. According to privacy experts, most U.S. companies have adopted a “wait and see” attitude. They have been slow to seek shelter for a number of reasons, including uncertainty over enforcement issues, compliance costs and a reluctance to step into the spotlight.

“No one really wants to be the first one to put his head up over the trench and charge the machine guns,” said Stewart A. Baker, a partner with Washington, D.C.’s Steptoe & Johnson.

On the flip side, he said, “the penalty for being a little cautious is not that great.”

The EU privacy directive, which went into effect in October 1998, authorizes its 15 member states to cut off data flows to other countries, including the United States, whose privacy laws are not considered “adequate.” Currently, permission to cut off data flows under the directive is theoretically suspended until June 2001. But at least two EU members, Sweden and France, have refused to permit the transfer of consumer and employee data outside the country on several occasions.

Indeed, Dun & Bradstreet was inspired in part to seek safe harbor certification as early as it did because Sweden had blocked a data transfer to the company. “The Swedish data protection authority suggested that if we were in the safe harbor, they would be more inclined to permit the transfer,” Cantrell said. Registering then became a “no-brainer,” she added, “since we were going to do it anyway.”

Safe harbor is supposed to provide protection for a participating U.S. company by requiring that member states deem the company’s privacy policies “adequate,” and permit data transfers accordingly. Critics point out, however, that the program does not protect against private citizen suits, a major concern for many companies. Another sticking point is United States enforcement of the safe harbor standards. The Federal Trade Commission can sue a participating company for “unfair and deceptive trade practices” if it does not live up to the European standards.

Alternatively, a U.S. firm can assure compliance with the EU rules through EU-approved private contracts with European data providers, and indeed, many companies already do so “offline and under the radar screen,” said John B. Kennedy, co-chair of the new media practice at Morrison & Foerster LLP’s New York office. The advantage of this approach, Kennedy said, is that it avoids FTC jurisdiction.

Many companies are also watching for signals from the other side of the Atlantic. Even sources in the Department of Commerce admit that the matter of EU enforcement is still “very much of an open issue.”

Privacy lawyers expect Europe to proceed with caution. “I don’t think the EU can justify cutting off data flows; they don’t want a trade war,” said Steptoe & Johnson’s Baker. “But they are under pressure to demonstrate that it works or get rid of it,” he added. Indeed, the EU is having problems getting its own member states in line. It has sued six countries for their failure to comply with the directive at all.

While the state of enforcement remains unsettled, companies have little incentive to sign on to a voluntary program that would require them to implement costly privacy standards. “The issue facing U.S. companies is whether they want to take on” an obligation that goes “exponentially beyond” that required by current U.S. law, said Thomas E. Crocker Jr., a partner in the Washington, D.C., office of Alston & Bird.

The United States has some industry-specific privacy laws in the financial and medical sectors, and some protections regarding data on children, but no overall, uniform standards have yet been enacted. As a result, “precious few companies are currently in full compliance” with each of the European safe harbor principles, said John T. Bentivoglio, of counsel at Washington, D.C.’s Arnold & Porter.

SEVEN PRINCIPLES

Safe harbor requires companies to comply with seven principles, including issues of notice, choice, transfer to third parties, access, security, data integrity and enforcement. The rules apply to both consumer data transferred from Europe and records of company employees working in Europe. Any of these obligations may present concerns for any one company, but privacy lawyers single out “access” as particularly problematic.

The principle requires companies to provide consumers and employees access to their personal data to correct, amend or delete it. This could require processing “vast amounts of data,” Crocker said. And for financial institutions in particular, the issue is whether they can participate in safe harbor at all, since the FTC has no jurisdiction over banks, he added.

Despite the slow start, observers expect that safe harbor will eventually catch on. Companies are studying the program. A Department of Commerce lawyer said they receive “upwards of 15 to 20 calls a day” from companies with technical questions about safe harbor.

The future of safe harbor, privacy lawyers predict, will depend largely on the results of a “test case,” in which the EU attempts enforcement of the directive against a U.S. company. “We haven’t really had a pitched battle between the EU and a supposedly intransigent U.S. company,” said Morrison & Foerster’s Kennedy. “No one has seen what the consequences could be for noncompliance,” he added. “A costly or embarrassing data imbroglio” could propel companies to sign up, Kennedy said. “Whenever you are driving down the thruway and you see flashing lights ahead, everybody slows down,” he added.

But lawyers also expect that, down the road, the EU will ease up a little. “The EU recognizes that its data privacy directive is onerous,” said Arnold & Porter’s Bentivoglio. “It will try to soften it in implementation,” he predicted.

At the same time, the EU directive “raises the bar” for the relatively lenient privacy standards in the U.S., said Christopher Wolf, a partner in the Washington, D.C., office of Proskauer Rose LLP. “The U.S. is becoming a little bit of an island surrounded by countries” with stricter privacy laws, said Kennedy.

He pointed out that Argentina and Canada recently enacted privacy laws “more stringent than what we have here.” Commercial pressure to ratchet up the privacy standard is also building, “as an entire industry builds up around privacy and encryption,” Kennedy said. “The trend is toward more enforcement and more compliance,” he said.


Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.