[Federal Register Volume 64, Number 77 (Thursday, April 22, 1999)] [Notices] [Pages 19747-19748] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 99-10145] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE International Trade Administration Reports and Guidance Documents; Availability etc.; European Union's Directive on Data Protection; Compliance Guidance for U.S. Organizations AGENCY: International Trade Administration, U.S. Department of Commerce. ACTION: Notice of publication. ----------------------------------------------------------------------- SUMMARY: The Department of Commerce has been working very closely over the last several months with the European Commission to develop clear and predictable guidance to U.S. organizations that would enable them to comply with the European Union's Directive on Data Protection. The Directive, which went into effect late last year, allows the transfer of personally identifiable data to third countries only if they provide an ``adequate'' level of privacy protection. Because the United States relies largely on a sectoral and self-regulatory, rather than legislative, approach to effective privacy protection, many U.S. organizations have been uncertain about the impact of the ``adequacy'' standard on personal data transfers from European Community countries to the United States. Last Fall, the DOC proposed a safe harbor for U.S. companies that choose to adhere to certain privacy principles. As the DOC explained then, the principles are designed to serve as guidance to U.S. organizations seeking to comply with the European Union Directive. Organizations within the safe harbor would have a presumption of adequacy and data transfers from the European Community to them would continue. Organizations could come into the safe harbor by self certifying that they adhere to these privacy principles. The decision to enter the safe harbor is entirely voluntary. As a result of the safe harbor proposal, the European Union announced last Fall its intention to avoid disrupting data flows to the US so long as the US is engaged in good faith negotiations with the European Commission. Last November, the DOC issued draft principles for review and comment by interested organizations, noting that the content of the principles was of course crucial to the proposal. The DOC received numerous written comments in response to that draft and countless additional comments and suggestions in the subsequent months through extensive discussions with interested parties. Generally, the comments the DOC received supported the safe harbor concept. They also raised concerns with certain aspects of the principles, particularly access and onward transfer. Because the principles are quite broad and general, questions were also raised about how they would be applied in specific circumstances. DOC consultations also made clear that US organizations would welcome additional information on the benefits of being in the safe harbor and the procedures that would be followed when they were in the safe harbor. The comments the DOC received have been extremely valuable both in helping the DOC understand how data is protected in practice and in working with the European Commission to find appropriate solutions to issues raised in DOC/EC discussions. Concurrently with DOC discussions with US organizations, the DOC has had extensive discussions with the European Commission about the content and contours of the safe harbor as well as on the comments raised by US organizations. On the basis of our discussions with US negotiators and the EU Commission, the DOC has further refined the safe harbor principles to account for the many views expressed and those of our European counterparts. New Documents for Review and Comment At this point, the two sides have achieved a substantial level of consensus on the content of the principles, on the content of more specific guidance (FAQs), and safe harbor procedures and benefits. Accordingly, the DOC is now issuing for comment by US organizations the first tranche of documents that will comprise the relevant safe harbor documents. These include: (1) revised safe harbor principles; (2) frequently asked questions and answers (FAQs) on access; and (3) a draft European Commission document on the procedures that will be established for the handling of complaints where the Commission had made an adequacy determination, as it will with the safe harbor. (These documents are also available on our web site at http://www.ita.doc.gov/ ecom.) In addition to your comments on these documents, the DOC also requests your views on the weight to give the FAQs relative to the principles. The DOC will also be issuing within the week additional FAQs addressing certain sectoral concerns, procedural issues, and several clarifications requested during DOC consultations. The European Commission is also providing these documents to the Member States for their comments and review. Additional documents will be put on the ITA website as soon as they are available for review. All the draft documents are still under negotiation with the European Commission. Points of difference between the two sides have been identified in footnotes in the text and mark those parts of the document that are most likely to be revised further. Please note that these principles and the [[Page 19748]] accompanying explanatory materials were developed solely for use by US organizations receiving personal data from the EU under the safe harbor. Consequently, they rely on references to European Union law, as for example in defining sensitive information and some of the relevant exceptions, which limit their general applicability. For that reason, adoption of the principles for other purposes may well be inappropriate. Safe Harbor Benefits The Dept. of Commerce would like to highlight the several benefits of the Safe Harbor approach. They include:All 15 Member States (MS) will bound by US/EC understanding; The understanding will create the presumption that companies within the safe harbor provide adequate data protection (rather than the opposite) and data flows to those companies will continue; MS requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and US companies will have a transition period to implement safe harbor policies. Claims against US organizations will for the most part be limited to claims of non-compliance with the principles, European consumers will be expected to exhaust their recourse with the US organization first, and due process will be assured for US organizations that are subject to complaints; and Generally, only the European Commission, acting with a committee of Member State representatives (the Article 31 Committee), will be able to interrupt personal data flows from an EU country to a US organization. In addition to the documents made available today and next week, the final package of safe harbor documents will include the European Commission's Article 25.6 decision, letters from the Department of Commerce to the European Commission and a reply letter from the Commission to the Department of Commerce, and memoranda describing enforcement authority in the US for unfair and deceptive practices and European Union Member State enforcement procedures involving data protection claims. Please remember to check the website http:// www.ita.doc.gov/ecom for postings of additional documents. Document Availability: April 19, 1999 at URL; http:// www.ita.doc.gov/ecom. If you would like to speak to someone or want hard copies of the documents please call Brenda Carter-Nixon on (202) 482-5227. Address Comments: Please submit comments on any of the draft documents to the Department of Commerce by May 10, 1999. DOC requests that all comments be submitted electronically in an HTML format to the following email address: E[email protected]. If organizations do not have the technical ability to provide comments in an HTML format, they can forward them in the body of the email, or in a Word or WordPerfect format. The DOC intends to post all comments on the ITA/ECOM website. If necessary, hard copies of comments can be mailed to the Electronic Commerce Task Force, U.S. Department of Commerce, Room 2009, 14th and Constitution Ave., NW, Washington DC 20230, or faxed to 202- 501-2548. Dated: April 19, 1999. Eric Fredell, International Trade Specialist, International Trade Administration/ Trade Development. [FR Doc. 99-10145 Filed 4-20-99; 2:35 pm] BILLING CODE 3510-DR-P