Privacy and Security in the Information Privacy and Security in the Information AgeAge

Conference, Melbourne, Australia Conference, Melbourne, Australia August 16, 2001August 16, 2001

The United States Government’s The United States Government’s Approach to Privacy:Approach to Privacy:

The EU Directive and the The EU Directive and the Safe Harbor FrameworkSafe Harbor Framework

Patricia M. SefcikPatricia M. Sefcik

U.S. Department of CommerceU.S. Department of Commerce

2

Privacy in Europe and the U.S.Privacy in Europe and the U.S.

The European privacy system is The European privacy system is based on comprehensive based on comprehensive legislation.legislation.

The U.S. privacy system is based on The U.S. privacy system is based on self regulation and sector specific self regulation and sector specific legislation in highly sensitive areas legislation in highly sensitive areas such as financial, medical, such as financial, medical, children’s and genetic information.children’s and genetic information.

3

Historical Overview: Safe HarborHistorical Overview: Safe Harbor

OCTOBER 1998– EU’s sweeping privacy directive went into effect

JULY 2000– Safe Harbor principles are deemed adequate

NOVEMBER 1, 2000– Safe Harbor becomes effective– DOC launches safe harbor website

http://www.export.gov/safeharbor JANUARY 4, 2001

– Official Department of Commerce roll-out JANUARY-AUGUST, 2001

– Outreach events

4

Safe Harbor ImplementationSafe Harbor Implementation

What are the Benefits? What are the Benefits?

Who Can Join and How?Who Can Join and How?

How and Where will Safe Harbor be How and Where will Safe Harbor be Enforced?Enforced?

5

The Safe Harbor FrameworkThe Safe Harbor Framework

• 7 Privacy Principles7 Privacy Principles• 15 FAQ’s15 FAQ’s• European Commission’s adequacy European Commission’s adequacy

determination determination• Letters between U.S. Dept. of Letters between U.S. Dept. of

Commerce and the European Commerce and the European CommissionCommission

• Letters from U.S. Dept. of Letters from U.S. Dept. of Transportation and Federal Trade Transportation and Federal Trade CommissionCommission

6

The 7 Safe Harbor PrinciplesThe 7 Safe Harbor Principles

1)1) NoticeNotice

2)2) ChoiceChoice

3)3) Onward TransferOnward Transfer

4)4) SecuritySecurity

5)5) Data IntegrityData Integrity

6)6) AccessAccess

7)7) EnforcementEnforcement

7

The Safe Harbor PrinciplesThe Safe Harbor Principles

(1) NOTICE(1) NOTICE Inform individuals about the purpose for which Inform individuals about the purpose for which

the information is being collected.the information is being collected.

Inform individuals about how to contact the Inform individuals about how to contact the organizations with inquiries or complaints.organizations with inquiries or complaints.

Provide information on the types of third Provide information on the types of third parties to which information is being disclosed, parties to which information is being disclosed, and the choices and means offered for limiting and the choices and means offered for limiting its use and disclosure.its use and disclosure.

8

The Safe Harbor PrinciplesThe Safe Harbor Principles

(2) CHOICE (2) CHOICE

An organization must offer individuals the opportunity An organization must offer individuals the opportunity to choose (opt out) whether their personal information to choose (opt out) whether their personal information is (a) to be disclosed to a third party, or (b) to be used is (a) to be disclosed to a third party, or (b) to be used for a purpose that is incompatible with the purposes for a purpose that is incompatible with the purposes for which it was originally collected or subsequently for which it was originally collected or subsequently authorized by the individual. authorized by the individual.

Individuals must be provided with clear and Individuals must be provided with clear and conspicuous, readily available, and affordable conspicuous, readily available, and affordable mechanisms to exercise choice.mechanisms to exercise choice.

9

The Safe Harbor PrinciplesThe Safe Harbor Principles

CHOICE: Sensitive InformationCHOICE: Sensitive Information

For sensitive information (i.e. medical/ health For sensitive information (i.e. medical/ health conditions; racial/ethnic origin; political conditions; racial/ethnic origin; political opinions; religious/ philosophical beliefs; trade opinions; religious/ philosophical beliefs; trade union membership; sex life), individuals must union membership; sex life), individuals must be given affirmative or explicit (opt in) choice be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third if the information is to be disclosed to a third party or used for a purpose other than those party or used for a purpose other than those for which it was originally collected or for which it was originally collected or subsequently authorized.subsequently authorized.

10

The Safe Harbor PrinciplesThe Safe Harbor Principles

(3) ONWARD TRANSFER(3) ONWARD TRANSFER

To disclose information to a third party, To disclose information to a third party, organizations must apply the notice and choice organizations must apply the notice and choice principles.principles.

Notice and Choice are not required for data Notice and Choice are not required for data

transfers to an agent (someone who acts on behalf transfers to an agent (someone who acts on behalf of the transferor) if it is first determined by the of the transferor) if it is first determined by the organization that the agent complies with the safe organization that the agent complies with the safe harbor principles, or is subject to the directive or harbor principles, or is subject to the directive or another adequacy finding, or enters into a written another adequacy finding, or enters into a written agreement with the organizationagreement with the organization..

11

The Safe Harbor PrinciplesThe Safe Harbor Principles

(4) SECURITY(4) SECURITY Organizations creating, maintaining, using or Organizations creating, maintaining, using or

disseminating personal information must take disseminating personal information must take reasonable precautions to protect it from loss, reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, misuse and unauthorized access, disclosure, alteration and destruction.alteration and destruction.

Organizations must take more care to protect Organizations must take more care to protect

sensitive information, as it is defined in the sensitive information, as it is defined in the principles.principles.

12

The Safe Harbor PrinciplesThe Safe Harbor Principles

(5) DATA INTEGRITY(5) DATA INTEGRITY

Personal information must be relevant for the Personal information must be relevant for the purposes for which it is to be used. An purposes for which it is to be used. An organization may not process personal organization may not process personal information in a way that is incompatible with information in a way that is incompatible with the purposes for which it has been collected or the purposes for which it has been collected or subsequently authorized by the individual. subsequently authorized by the individual.

To the extent necessary for those purposes, an To the extent necessary for those purposes, an organization should take reasonable steps to organization should take reasonable steps to ensure that data is reliable for its intended use, ensure that data is reliable for its intended use, accurate, complete, and current.accurate, complete, and current.

13

The Safe Harbor PrinciplesThe Safe Harbor Principles

(6) ACCESS (6) ACCESS

Individuals must have access to personal Individuals must have access to personal information about them that an organization information about them that an organization holds and be able to correct, amend, or delete holds and be able to correct, amend, or delete that information where it is inaccurate, except that information where it is inaccurate, except where the burden or expense of providing where the burden or expense of providing access would be disproportionate to the risks access would be disproportionate to the risks to the individual’s privacy in the case in to the individual’s privacy in the case in question, or where the rights of persons other question, or where the rights of persons other than the individual would be violated.than the individual would be violated.

14

The Safe Harbor PrinciplesThe Safe Harbor Principles

(7) ENFORCEMENT(7) ENFORCEMENT

1.1. Follow-up procedures for Follow-up procedures for verifyingverifying that safe that safe harbor policies and mechanisms have been harbor policies and mechanisms have been implemented;implemented;

2.2. Readily available and affordable independent Readily available and affordable independent recourse mechanismsrecourse mechanisms to investigate and resolve to investigate and resolve complaints brought by individuals;complaints brought by individuals;

3.3. Obligations to Obligations to remedyremedy problems arising out of a problems arising out of a failure by the organization to comply with the failure by the organization to comply with the principles.principles.

15

DIRECT COMPLIANCE WITH DIRECT COMPLIANCE WITH

THE EU DIRECTIVETHE EU DIRECTIVE

CONSENTCONSENT

ENTERING INTO A MODEL ENTERING INTO A MODEL

CONTRACTCONTRACT

Other Ways To Comply Other Ways To Comply With The Directive:With The Directive:

16

Safe Harbor: Safe Harbor: Next StepsNext Steps

Mid-Year ReviewMid-Year Review ““Visual” ComplianceVisual” Compliance Financial Service NegotiationsFinancial Service Negotiations DPA VisitDPA Visit EU Directive ReviewEU Directive Review

17

CONCLUSIONCONCLUSION

Additional resources are available on Additional resources are available on the safe harbor website the safe harbor website www.export.gov/safeharborwww.export.gov/safeharbor

• Safe Harbor List (updated regularly)Safe Harbor List (updated regularly)• Safe Harbor WorkbookSafe Harbor Workbook• Safe Harbor Documents (including Safe Harbor Documents (including

Principles, FAQ’s, correspondence)Principles, FAQ’s, correspondence)• Historical Documents (including Historical Documents (including

public comment) public comment)

18

Contact InformationContact Information

Patricia Sefcik, DirectorPatricia Sefcik, Director

Office of Electronic Commerce Office of Electronic Commerce International Trade Administration International Trade Administration

U.S. Department of CommerceU.S. Department of CommerceRoom 2003Room 200314th & Constitution Avenues, NW14th & Constitution Avenues, NWWashington, DC 20230Washington, DC 20230

Tel: (202) 482-0216Tel: (202) 482-0216Fax: (202) 482-5522Fax: (202) 482-5522E-Mail: patty_sefcik@ita.doc.govE-Mail: patty_sefcik@ita.doc.gov