[House Hearing, 107 Congress]
[From the U.S. Government Printing Office]



  THE EU DATA PROTECTION DIRECTIVE: IMPLICATIONS FOR THE U.S. PRIVACY 
                                 DEBATE

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                COMMERCE, TRADE AND CONSUMER PROTECTION

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 8, 2001

                               __________

                           Serial No. 107-19

                               __________

      Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/house

                               __________

                   U.S. GOVERNMENT PRINTING OFFICE
71-497                     WASHINGTON : 2001

_______________________________________________________________________
 For sale by the Superintendent of Documents, U.S. Government Printing 
                                 Office
Internet: bookstore.gpo.gov  Phone: (202) 512-1800  Fax: (202) 512-2250
               Mail: Stop SSOP, Washington, DC 20402-0001


                    COMMITTEE ON ENERGY AND COMMERCE

               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

MICHAEL BILIRAKIS, Florida           JOHN D. DINGELL, Michigan
JOE BARTON, Texas                    HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio                RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania     EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California          FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia                 SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma              BART GORDON, Tennessee
RICHARD BURR, North Carolina         PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa                    ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia             BART STUPAK, Michigan
BARBARA CUBIN, Wyoming               ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois               TOM SAWYER, Ohio
HEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona             GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING,          KAREN McCARTHY, Missouri
Mississippi                          TED STRICKLAND, Ohio
VITO FOSSELLA, New York              DIANA DeGETTE, Colorado
ROY BLUNT, Missouri                  THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia                  BILL LUTHER, Minnesota
ED BRYANT, Tennessee                 LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland     MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana                 CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California        JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska

                  David V. Marventano, Staff Director

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

        Subcommittee on Commerce, Trade, and Consumer Protection

                    CLIFF STEARNS, Florida, Chairman

NATHAN DEAL, Georgia                 EDOLPHUS TOWNS, New York
  Vice Chairman                      DIANA DeGETTE, Colorado
ED WHITFIELD, Kentucky               LOIS CAPPS, California
BARBARA CUBIN, Wyoming               MICHAEL F. DOYLE, Pennsylvania
JOHN SHIMKUS, Illinois               CHRISTOPHER JOHN, Louisiana
JOHN B. SHADEGG, Arizona             JANE HARMAN, California
ED BRYANT, Tennessee                 HENRY A. WAXMAN, California
STEVE BUYER, Indiana                 EDWARD J. MARKEY, Massachusetts
GEORGE RADANOVICH, California        BART GORDON, Tennessee
CHARLES F. BASS, New Hampshire       PETER DEUTSCH, Florida
JOSEPH R. PITTS, Pennsylvania        BOBBY L. RUSH, Illinois
GREG WALDEN, Oregon                  ANNA G. ESHOO, California
LEE TERRY, Nebraska                  JOHN D. DINGELL, Michigan,
W.J. ``BILLY'' TAUZIN, Louisiana       (Ex Officio)
  (Ex Officio)

                                  (ii)


                            C O N T E N T S

                               __________
                                                                   Page

Testimony of:
    Aaron, David L., Senior International Advisor, Dorsey & 
      Whitney LLP................................................    42
    Henry, Denis E., Vice President, Regulatory Law, Bell Canada.    80
    Lawler, Barbara, Customer Privacy Manager, Hewlett Packard...    76
    Reidenberg, Joel R., Professor of Law, Fordham University 
      School of Law..............................................    66
    Rodota, Stefano, Chairman, EU Data Protection Working Party..     8
    Smith, David, Assistant Commissioner, Office of the UK 
      Information Commissioner...................................    14
    Winer, Jonathan M., Counsel, Alston and Byrd LLP.............    45

                                 (iii)

  

 
  THE EU DATA PROTECTION DIRECTIVE: IMPLICATIONS FOR THE U.S. PRIVACY 
                                 DEBATE

                              ----------                              


                        THURSDAY, MARCH 8, 2001

              House of Representatives,    
              Committee on Energy and Commerce,    
                       Subcommittee on Commerce, Trade,    
                                   and Consumer Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2123, Rayburn House Office Building, Hon. Cliff Stearns 
(chairman) presiding.
    Members present: Representatives Stearns, Deal, Shimkus, 
Bryant, Buyer, Radanovich, Pitts, Bono, Walden, Bass, Tauzin 
(ex officio), Towns, DeGette, Doyle, Markey, and Gordon.
    Staff present: Ramsen Betfarhad, majority counsel; Yong 
Choe, legislative clerk; and Bruce M. Gwinn, minority counsel.
    Mr. Stearns. Subcommittee on Commerce, Consumer Protection, 
and Trade will convene.
    I like to start as much as possible right on time, so I 
hope we will start a precedent, so that members will understand 
that if we arrive early then we get things moving, and then we 
don't have to spend as much time here waiting.
    I welcome you all to the second hearing of the Subcommittee 
on Commerce, Trade, and Consumer Protection of the Energy and 
Commerce Committee. I especially want to acknowledge our 
distinguished guests from Europe, Professor Stefano Rodota, the 
president of the Italian Data Protection Commission and 
chairman of an EU Data Protection Working Group; and Mr. David 
Smith, Assistant UK Information Commissioner.
    I thank you for making the long journey and am pleased to 
have distinguished European officials such as yourself 
addressing our subcommittee. So thank you.
    My colleagues, the purpose of today's hearing is twofold. 
First, we seek to learn more about the European approach to 
information privacy. Second, we wish to consider the impact of 
the European Data Protection Directive on international 
commerce in general and e-commerce specifically.
    In highlighting the EU Data Protection Directive for 
consideration today, I hope we can get answers to the following 
questions. What is the directive? How is it implemented? How is 
it enforced? What, if anything, can we in the United States 
involved in the information privacy debate learn from the 
directive which encapsulates the European approach to 
information privacy? What implications does the directive 
harbor with relation to international commerce; specifically, 
transatlantic commerce? And what is the import of safe harbors 
and model contracts?
    My colleagues, the answers to these questions have 
significant implications for companies who want to do business 
in and with Europe. This hearing not only represents the 
subcommittee's second in a series of privacy hearings, but also 
represents the first hearing under the subcommittee's trade 
jurisdiction.
    In a coming week or 2, I expect to unveil the topic and 
timetable of as many as five subcommittee hearings addressing 
the information privacy issue. Moreover, the subcommittee, as 
part of its trade jurisdiction, will begin to examine legal and 
regulatory measures that may impede the growth of e-commerce 
globally.
    I rely on the words of one of our witnesses in highlighting 
the significance of our inquiry today when he said, ``The EU 
privacy directive is probably the most important law by which 
the EU is writing the rules of cyberspace.''
    Mr. Winer is not alone in his concern. Many large 
transnational and even U.S. businesses with modest 
international operations have expressed the same concerns to me 
and other members in private.
    Raising issues of significant import to our increasing 
knowledge and information-based economy in my office is one 
thing. Raising those issues in a congressional hearing is a 
totally different matter. I encourage all companies and 
interested parties to engage and speak their views openly on 
this issue while we are still defining the parameters.
    I am concerned about the potentially regressive impact of 
the directive and its implementing statute now in effect in 11 
out of the 15 member states on international commerce, and more 
specifically on commerce between the European community and the 
United States. I am not convinced, nor is corporate U.S. 
America, that the safe harbor provisions negotiated by 
Ambassador Aaron in the previous administration will help 
mitigate the concern over regressive effects.
    The Ambassador has accurately noted, ``While we and the 
Europeans share many basic values, the European Union directive 
comes from a different legal tradition and historical 
experience.'' The safe harbor principles are reflective of 
those European traditions and experiences, and as such at times 
don't harmonize well with our American legal tradition and 
historical experiences.
    I encourage President Bush and the administration to begin 
the examination of this important issue on an expedited basis. 
By way of holding this hearing, we, as members of both the 
subcommittee and the full Energy and Commerce Committee, want 
to stress our keen interest in the trade ramifications of the 
directive. We will follow this issue carefully, and if need be 
we will make our wishes known in more definitized ways.
    And with that, I am pleased to recognize the ranking 
member, Mr. Towns.
    Mr. Towns. Thank you very much, Mr. Chairman, for holding 
this hearing. I think this is a very, very important hearing, 
and I want to salute you for that. And I would also like to ask 
permission to put my entire statement in the record.
    Mr. Stearns. Without objection, so ordered.
    Mr. Towns. We have all heard the terrible abuses that have 
occurred when personal information is misused. A person's job 
can be lost, their creditworthiness can be destroyed, and their 
personal peace of mind can also be destroyed.
    But privacy is not only a problem for consumers; it is a 
major issue for business as well. While privacy policies can 
limit business marketing opportunities, the effect of privacy 
policies on consumer confidence is a far more important factor in 
the future success of e-commerce.
    Today we will hear how the European Union has chosen to 
balance commercial and consumer privacy interests. And as in so 
many cases, we will learn how regulations in one country can 
threaten the ability of U.S. firms to engage in foreign 
commerce. Compliance with the EU Privacy Directive is not 
optional.
    In order to transfer personal data of any type out of the 
EU, a U.S. firm will soon be forced to comply. A firm that 
fails to comply can be blocked from transferring data out of 
the European Union.
    In conclusion, Mr. Chairman, let me say I am not interested 
in defending either the EU Privacy Directive or the safe harbor 
agreement. That is not my interest. However, I do believe that 
privacy protections need to be uniform, and they need to be 
transparent. Consumers should not have to hire law firms and 
investigators and negotiators to identify privacy protections 
that companies have agreed to provide in private contracts.
    Furthermore, no consumer, no matter where they live, is due 
any less than the highest privacy protection a company provides 
to any other consumer. When a company agrees to a particular 
privacy policy, it should provide everyone it serves with those 
same benefits.
    Finally, any privacy policy is meaningless unless it is 
enforceable. Therefore, government has an important part to 
play in making privacy enforceable.
    Mr. Chairman, I look forward to working with you on these 
matters. Consumers all over the world are demanding greater 
control over their personal data. This Congress has an 
important role to play in making sure consumers get the privacy 
protection they deserve, and I am certain that you will provide 
leadership in that regard.
    I yield back.
    [The prepared statement of Hon. Edolphus Towns follows:]

PREPARED STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN CONGRESS 
                       FROM THE STATE OF NEW YORK

    Mr. Chairman, I want to thank you for holding this important 
hearing. Privacy is clearly one of the highest priority consumer 
protection issues we face. We have all heard the terrible abuses that 
have occurred when personal information is misused. A person's job can 
be lost. Their creditworthiness can be destroyed, as can their peace of 
mind.
    But privacy is not only a problem for consumers; it is a major 
issue for business. While privacy policies can limit business marketing 
opportunities, the effect of privacy policies on consumer confidence is 
a far more important factor in the future success of e-commerce.
    A survey conducted by AT Kearney management consultants and 
reported in November of last year in the publication ``BizReport'' 
confirms this point. Let me quote, ``E-retailers worldwide lose $6.1 
billion in sales, due to an 80 percent failure rate among online 
purchase attempts . . .'' and that ``Invasive information requests are 
blamed for 52 percent of sales that fall apart, followed by reluctance 
to enter credit card data (46 percent) . . '' Clearly, business is 
paying a big price for the confidence consumers lack in the privacy and 
security of their online transactions.
    Today, we will hear how the European Union (EU) has chosen to 
balance commercial and consumer privacy interests. And, as in so many 
cases, we will learn how regulations in one country can threaten the 
ability of U.S. firms to engage in foreign commerce. Compliance with 
the EU privacy directive is not optional. In order to transfer personal 
data of any type out of the EU, a U.S. firm will soon be forced to 
comply. A firm that fails to comply can be blocked from transferring 
data out of the EU.
    Because the U.S. has no comprehensive national privacy policy, much 
less one that is comparable to the EU directive, the EU has decided 
that all American firms lack adequate privacy protections for personal 
data. The privacy provisions of the recently enacted financial 
modernization legislation do not, according to the EU and many others, 
provide adequate privacy protection. U.S. firms, therefore, are in a 
bind.
    Recognizing this fact, the EU and the U.S. entered into a Safe 
Harbor Agreement last year. The Safe Harbor has one purpose. It allows 
certain U.S. firms to declare their compliance with agreed upon privacy 
protections that the EU does consider to be ``adequate,'' so that U.S. 
data firms can continue doing business in Europe.
    The way it works is that U.S. firms, and I am happy to say that one 
such firm--Hewlett Packard--is represented here today at this hearing, 
must certify to the Department of Commerce that they comply with the 
privacy protections in the Safe Harbor. Everything is public and is 
open for consumers and all to see. The Commerce Department's web site 
has both the privacy principles as well as the names of the 27 entities 
who, so far, have certified they comply with the Safe Harbor.
    Certain firms cannot take advantage of the Safe Harbor's 
protection. Financial institutions--banks, securities firms, and 
insurance companies--do not have safe harbor protection at this time. 
In fact, some financial and other firms have actually organized in an 
effort to convince the EU and the U.S. to terminate the Safe Harbor 
altogether.
    Instead, the only way for financial firms currently to comply is 
through the negotiation of private contracts either with their EU 
customers directly or with EU privacy officials in each country where 
they operate. It is unfortunate that we do not have a U.S. financial or 
other firm with us today who can tell us about the privacy contracts 
that have been negotiated. Although we may assume, we do not actually 
know the extent to which these contracts comply with the privacy 
directive. We also do not know the extent to which U.S. firms are 
offering EU consumers privacy protections they deny their U.S. 
consumers. Hearing from someone in the financial services industry 
could have helped clarify these matters.
    In conclusion Mr. Chairman, let me say, I am not interested in 
defending either the EU privacy directive or the Safe Harbor Agreement. 
However, I do believe that privacy protections need to be uniform, and 
they need to be transparent. Consumers should not have to hire law 
firms and investigators to identify privacy protections that companies 
have agreed to provide in private contracts.
    Furthermore, no consumer, no matter where they live, is due any 
less than the highest privacy protection a company provides to any 
other consumer. When a company agrees to a particular privacy policy, 
it should provide everyone it serves with those same benefits. Finally, 
any privacy policy is meaningless unless it is enforceable. Government, 
therefore, has an important part to play in making privacy enforceable 
and uniform.
    Mr. Chairman, I look forward to working with you on these important 
matters. Consumers all over the world are demanding greater control 
over their personal data. This Congress has an important role to play 
in making sure consumers get the privacy protection they deserve.

    Mr. Stearns. I thank my colleague.
    Mr. Shimkus, gentleman from Illinois?
    Mr. Shimkus. Thank you, Mr. Chairman. We appreciate this 
hearing, and I think it has great implications, as everyone has 
said.
    The EU Privacy Directive has important implications for 
U.S. companies who are doing or want to do business with Europe 
and with our largest trading partner. But I want to put on 
record my concern, after hearing the decision rendered by the 
European Court of Justice earlier this week, that allows the 
European Union to lawfully suppress political criticism of 
institutions and of leading figures.
    In this country, in the history of our country, we have 
basically had some distrust of national government, 
symbolically, in the creation of the Bill of Rights to our 
Constitution over 200 years ago. In so doing, the first one 
being the First Amendment, freedom of speech, what the 
implication is here is that our--probably our strongest allies 
and democratic countries may not have that faith and trust in 
the freedom of expression, of political expression.
    This decision is very disturbing, one that could have major 
implications on the privacy issue and an impact on future 
business relations between the U.S. and EU companies. And I 
hope that we will have some addressing of this issue in this 
hearing.
    I do appreciate the long distance you all have traveled. I 
just did the same trip 3 weeks ago as a member of the NATO 
Parliamentary Assembly. We visited the EU Commission, and I 
think next year we're going to have a chance to visit the EU 
Parliament with discussions on transatlantic issues of great 
importance to us. But I think this hearing is very, very 
important, and I look to be a full participant.
    And I thank the Chairman and yield back my time.
    Mr. Stearns. I thank my colleague.
    The gentleman from New Hampshire, Mr. Bass?
    Mr. Bass. No statement.
    Mr. Stearns. The gentleman from Indiana, Mr. Buyer?
    Mr. Buyer. No statement.
    [Additional statements submitted for the record follow:]

 PREPARED STATEMENT OF HON. W.J. ``BILLY'' TAUZIN, CHAIRMAN, COMMITTEE 
                         ON ENERGY AND COMMERCE

    I want to start by thanking Subcommittee Chairman Stearns for 
calling the first ever Congressional hearing, in either the House or 
Senate, specifically focused on the EU Privacy Directive. The topic of 
today's hearing is extremely relevant to the Committee's consideration 
of privacy and information exchange issues.
    The development of electronic commerce has accentuated the fact 
that the U.S. economy is interdependent on the rest of the world. The 
Internet and other electronic networks expand the ability of businesses 
to reach new or untapped markets worldwide. These technologies 
fundamentally shrink the size of the globe. Policies affecting 
electronic commerce made by the world's largest trading bloc--the 
European Union--have an impact on the U.S. It also has an impact on how 
the U.S. Congress will approach the debate over privacy.
    The U.S. and EU Member States approach the issue of privacy from 
different perspectives. Europeans are instilled with the belief that 
privacy is a fundamental human right. There are a number of reasons for 
this belief, including the vast and traumatic experiences of the Nazi 
regime during the 1940's. Another reason for this perspective is the 
simple fact that many EU countries are relatively new democracies. It 
was not long ago that Kings and Queens ruled throughout Europe. In the 
U.S., we take a different approach towards privacy as we have 
fundamental protections to free expression provided in the U.S. 
Constitution, including the First Amendment. By and large, we also rely 
heavily on the private sector to protect consumer privacy.
    I believe that the EU Privacy Directive may act as a de-facto 
privacy standard on the world. It may or may not be permissible under 
the WTO because of the technical structure and specific carve-outs, but 
it certainly is an effort to impose the EU's will on the U.S. While I 
recognize that similar charges have been laid against certain U.S. 
policies, the EU Privacy Directive could be the imposition of one of 
the largest free trade barriers ever seen and is a direct reversal 
of the efforts we have made in various free trade agreements. It 
certainly provides for extraterritorial enforcement of EU principles on 
Americans and American companies.
    I have serious reservations about the real impact of the EU Privacy 
Directive on commerce and trade. I am very concerned that U.S. 
companies, which have been the creators and the leaders of E-commerce, 
will be forced to deal with such a restrictive concept. I would love 
for someone to provide some type of compliance cost analysis for the 
Privacy Directive but that simply hasn't been done. I suspect the costs 
would be in the multi-billions, and are all costs that will be passed 
onto consumers.
    One of the many drawbacks of imposing something like the Privacy 
Directive on the entire world is that one-size does not fit all. 
Europeans do not view lawsuits as an answer to problems. In the U.S., 
lawsuits are filed at the drop of a hat. A stock dropped too much or 
too fast, a lawsuit gets filed. A neighbor's dog barks too loud, a 
lawsuit gets filed. That is a reality that we have to deal with. 
However, such lawsuits could cripple the beneficial exchange of 
information that is a cornerstone of American business practices today.
    Compliance and enforcement of the Privacy Directive have, at best, 
been spotty in European nations. In fact, a number of nations have not 
even bothered to enact the required implementing legislation. This lax 
attitude is something that Americans are not used to. We do not build 
elaborate restrictions with a wink and a nod so they can be ignored. 
Given this, we need to know whether enforcement of the Privacy 
Directive on U.S. companies represents a double standard when compared 
to enforcement of European firms. We also need to know the consequences 
for competition if this occurs.
    I must admit that I take a dim view about the way that the EU went 
about enacting this new privacy regime. The EU designed the rules and 
told the U.S. companies to abide by them or risk losing the transfer of 
any data from European nations. In essence, do it or suffer the 
consequences. There were no international negotiations. The U.S. was 
allowed to participate in negotiations resulting in the so-called 
``Safe Harbor'' but it is interesting to note that very few firms have 
signed up for it.
    The Safe Harbor raises a whole host of issues in and of itself. For 
instance, the legal status of the Safe Harbor is highly questionable. 
Further, the Safe Harbor doesn't cover financial firms. Indications are 
that privacy provisions of the ``Gramm-Leach-Bliley'' Financial 
Services Modernization Act are not ``adequate'' for purposes of the 
Privacy Directive. This is nonsense, as many people make a compelling 
case that these provisions are too strong. More importantly, what are 
global financial firms to do? They don't qualify for the Safe Harbor 
and U.S. law, which they must obey, is being overrun by the Privacy 
Directive.
    Recently, the EU has been designing so-called ``model contracts'' 
that can be used to meet the stringent requirements of the Privacy 
Directive. Many experts have suggested that the model contracts will be 
imposed on U.S. firms as a way to ``top-off'' or strengthen the Safe 
Harbor. This seems to directly contradict the purpose of the Safe 
Harbor and the negotiations that took place. Was the Department of 
Commerce duped into supporting the Safe Harbor? Are the Europeans 
really trying to find ways to strengthen the Privacy Directive?
    I am hopeful that this hearing will provide some insight and 
provide some comfort regarding the EU Privacy Directive. Unless or 
until that occurs, I think it only appropriate to consider all the 
options this Committee can take. Many have asked for our assistance in 
steering the new Administration towards the proper perspective on this 
issue. I think we should give serious consideration to doing just that.
                                 ______
                                 
  PREPARED STATEMENT OF HON. MIKE DOYLE, A REPRESENTATIVE IN CONGRESS 
                     FROM THE STATE OF PENNSYLVANIA

    Mr. Chairman, thank you for calling this hearing to discuss the 
issue of personal data privacy as it relates to international e-
commerce and trade. E-commerce transcends global boundaries at light-
speed, literally bringing the world to individual consumers and 
industries and offering an unprecedented opportunity for advancement 
and economic growth.
    During last week's hearing, I voiced my concerns that in the past, 
over-zealous federal regulations sometimes created unnecessary burdens 
on business. I firmly believe that it is the responsibility of the 
federal government to find the most appropriate balance that ensures we 
do not unintentionally choke out our emerging high-technology e-
commerce sector while at the same time providing floor requirements 
relating to basic privacy protections for consumers and industry alike.
    And while I find the European Union approach towards personal data 
protection noble insofar as they recognize the importance of an 
individual's control over the sharing of personal information, it goes 
without saying that applying such government actions here in the United 
States would raise some troublesome issues and almost surely conflict 
with the Constitution.
    But, if we in America do not act to establish some general 
requirements to ensure the integrity of personal privacy for our 
citizens and global consumers, both Americans and Europeans may very 
well risk losing out on vast economic opportunities.
    Here in the United States, the Safe Harbor provisions represent a 
good start, but lack comprehensive application to all sectors of 
our economy. In my view, it is important that the same, uniform minimum 
standards are applied to all transactions involving online personal 
privacy, regardless of the particular economic sector in which they may fall.
    While the European Union Privacy Directive is a source of concern 
to me on various levels, I do believe that it serves, as does this 
hearing, as a catalyst for discussion and implementation of real online 
personal privacy protections.
    No doubt that several US firms, separate from the Safe Harbor 
principles, have negotiated with the European Union to ensure the 
security of personal data is maintained when conducting transatlantic 
e-commerce. Such aggressive industry self-regulation is just the type 
of proactive, responsible action that assuages consumer unease and 
concern with e-commerce privacy.
    In my view, an effective blend of industry self-regulation within a 
comprehensive framework of federal minimum standards must become the 
new standard for 21st century e-commerce in the United States if our 
industries and consumers are to continue to capitalize on high-
technology sector growth.
    Mr. Chairman, I am eager to work with you and my colleagues of the 
Subcommittee on ways to facilitate the prosperity of global e-commerce.
                                 ______
                                 
PREPARED STATEMENT OF HON. BOBBY L. RUSH, A REPRESENTATIVE IN CONGRESS 
                       FROM THE STATE OF ILLINOIS

    Mr. Chairman, thank you for holding this important hearing on the 
European Union Privacy Directive. I particularly want to thank 
Professor Rodota and Mr. Smith for traveling such a long distance to 
discuss this important topic. This hearing is significant for two 
reasons.
    First, ensuring an ongoing dialogue between the European Union and 
the United States regarding the EU's Privacy Directive and its 
underlying purpose is critical for ensuring continued and uninterrupted 
trade between our nation and the countries which make up the European 
Union. The European Union is one of our most valued trade partners. 
However, it is clear that the United States' privacy laws in many 
sectors of our economy do not meet the strict standards of the European 
Union Privacy Directive. Only by working together can we ensure that 
the inadequacy of U.S. privacy laws and strength of the European 
Union's Privacy Directive do not lead to disruption in our strong 
trade relationship.
    Second, we in the United States can learn a great deal from the 
European Union's Privacy Directive. The United States does not have a 
comprehensive privacy policy. Some sectors of our economy have no 
protections whatsoever. Also, in some cases, information is 
susceptible to misappropriation and misuse. Also, in many cases 
enforcement is limited to government action because no private cause of 
action is provided. The European Union's Privacy Directive represents 
an example of a strong law covering many different types of information 
which provides extensive enforcement mechanisms.
    However, the European Union's Privacy Directive is not without its 
faults. Some would argue that it covers information which is clearly 
public. We in Congress need to learn from the European Union's efforts 
what works and what doesn't. It provides one of the clearest examples 
of what is feasible and infeasible.
    I commend the witnesses from Europe for their work in this area and 
those witnesses who have worked with the European Union to ensure there 
is no disruption in the trade relationship between the United States 
and the European Union.

    Mr. Stearns. With that, we will have the first panel, 
Professor Stefano Rodota, Chairman, European Union Data 
Protection Working Group, and Mr. David Smith, Office of the UK 
Information Commissioner.
    I want to thank, again, both of you for coming the long 
distances, and I look forward to your opening statement. 
So you can give your opening statement right now if you would. 
Professor, we will start with you.

   STATEMENTS OF STEFANO RODOTA, CHAIRMAN, EU DATA PROTECTION 
WORKING PARTY; AND DAVID SMITH, ASSISTANT COMMISSIONER, OFFICE 
               OF THE UK INFORMATION COMMISSIONER

    Mr. Rodota. Thank you, Mr. Chairman. Thank you for inviting 
me to testify today at this important hearing.
    I am Stefano Rodota. I am the Chairman of the Italian Data 
Protection Commission. I am also a professor of law, and I have 
been for several years a member of the Italian Parliament and 
of the European Parliament. So I shared the same responsibility 
you have now.
    So I am chairman of the Data Protection Working Group 
established by the European directive of data protection passed 
by the European Parliament, as you know, and the Council in 
1995. And I must say that when compared to other pieces of 
European legislation, the directive presents a prominent 
feature. It aims at protecting fundamental rights and freedoms, 
although this objective is twinned with the free movement of 
services.
    This approach has been recently stressed by a major 
development in the charter of fundamental rights of the 
European Union signed in December of last year by the European 
Parliament, the Council----
    Mr. Stearns. Professor, could I have you pull the speaker 
up just a little closer to you?
    Mr. Rodota. Oh, yes.
    Mr. Stearns. Yes. That will be fine.
    Mr. Rodota. Yes, sorry.
    Mr. Stearns. No, no. That is fine. Thanks.
    Mr. Rodota. It is better.
    Mr. Stearns. Yes, that is better.
    Mr. Rodota. Oh, thank you.
    So I was saying that I would like to stress that the same 
approach was shared by the charter of the fundamental rights of 
the European Union passed in December of last year by the 
European Parliament, the Council, and the Commission. And two 
specific provisions are devoted to privacy and data protection.
    So now data protection must be considered a fundamental 
human right, and the same charter makes reference to the 
necessity of an independent authority.
    These independent authorities, existing in all 15 countries 
in Europe, meet together in the Data Protection Working Party, 
which is also called Article 29 Group. And this group has an 
advisory status and acts independently, and since its creation 
has adopted several recommendations and opinions.
    In Italy, the directive was implemented by the Data 
Protection Act in 1996, and then complemented by secondary 
legislation and, I would like to stress, by a number of codes 
of conduct which represent an important factor of flexibility.
    I can leave you an English version of the Act, together 
with the articles of the European charter.
    Mr. Stearns. By unanimous consent, we will make that part 
of the record.
    Mr. Rodota. Yes. Thank you.
    At that time, in 1996, Italy was the only member state of 
the European Union, together with Greece, without a specific 
data protection law. But you know what technologists say--using 
appropriate technologies, latecomers can leapfrog. 
Something like that happened in Italy. Using the European law, 
and transposing immediately for all the member states the 
directive into its legal system, Italy jumped at the top of the 
European data protection.
    The implementation of the law has not been easy, but the 
societal effects are astonishing. Our Commission has been 
dealing during the past 4 years with nearly 100,000 offers 
submitted by phone, fax, e-mail, writing, and as formal 
requests to the Commission acting in alternative to the 
judiciary.
    Statistically, the main people's concern regards health 
insurance, telecommunications, direct marketing, labor 
relationship, police data, banks. People can act directly 
toward the data controller. For instance, 4 million customers 
asked banks not to send them commercial advertising. The 
implementation of the law raised more resistances in the public 
administration than in the private sector that has not at all 
suffered the dramatic consequences foreseen by some interested 
circle.
    So the high level of data protection legally in the EU 
indicates an amazing paradox. Privacy was invented in the U.S. 
and has long been considered to be typical of the American 
society. Europe now is the region of the world where maybe 
personal data is most protected--are most protected. This does 
not mean, however, that--in my opinion, that European-U.S. 
systems are mutually opposed.
    It is an instance of misrepresentation to simplify the 
picture by making Europe the domain of law and the U.S. the 
domain of self-regulation. Indeed, it is exactly the framework 
provided by European directives and national laws which is 
making it possible to develop self-regulatory codes and 
contract models on a larger scale.
    And at the same time, we recognize that many highly 
sensitive issues are being dealt with in the U.S. by means of 
legislative tools. We have been impressed, for instance, by the 
Executive Order to prohibit the use of genetic data for Federal 
employees. We must take this perspective seriously. We cannot 
accept a full-speed world in the data protection field, more 
and more one of the most important and critical matters in the 
globalized world.
    Many devices can be used--national legislation, regional 
rules like in European Union, international guidelines, model 
contracts, and, finally, international conventions. We must 
provide a common framework.
    In my double capacity, I would like to work in this area. 
For making possible more fruitful cooperation, the working 
group is now planning a visit in the U.S. mid-June.
    Coming back to the directive, it has been implemented in 
eleven out of the 15 EU member states. Of course, the European 
Commission has started an infringement procedure against the 
four member states that have not yet notified the implementing 
measures--France, Germany, Ireland, and Luxembourg.
    However, if we consider both the core principles and the 
creation of supervisory authorities, I would say that almost 
all member states are now in line with the fundamentals of the 
directive.
    Germany and France are, for different reasons, in a similar 
paradox. They are late in passing the implementing measures. 
However, their data protection legislation is sound and well 
established. According to some observers, this paradox shows 
that adapting old laws may prove harder than passing a brand-
new law.
    The Netherlands seem to have experienced one of the most 
interesting parliamentary debates. This was prompted by an 
amendment aimed at excluding the private sector from the 
jurisdiction of the Data Protection Authority. The business 
community argued that they would feel more comfortable with the 
powers of self-disciplinary bodies, but the amendment was 
rejected because the Dutch government found that it may have 
been incompatible with the directive.
    So all member states share now the same values and are 
legally bound by the same core principles, directly connected 
with a strong commitment to make effective fundamental human 
rights in this very sensitive area.
    It means that also commercial and economic interests must 
be evaluated in this broader context. At the same time, the 
directive was aware of the problem of transferring data outside 
the European Union. The well-known Articles 25 and 26 reflect 
these concerns through a reference to an adequate level of data 
protection. Until now only Canada, Switzerland, and Hungary 
have met the adequacy test in the judgment of Article 29 
working party.
    At the same time, Articles 25 and 26 have made possible 
and--made possible to buildup a completely new system based for 
the U.S. on the safe harbor entered in force on October 25 last 
year--a special opportunity given to the U.S. company. But we 
have also the new adequacy system, including the standard 
contractual clauses, and the draft by the Commission services, 
and that I received the positive opinion of the Article 29 
working group.
    In my opinion, such clauses are crucial in ensuring 
transborder data flow because----
    Mr. Stearns. Professor, if you don't mind, we just have----
    Mr. Rodota. I will stop. I am ending.
    Mr. Stearns. Sure.
    Mr. Rodota. Just 1 minute. Are crucial because many 
companies make business on a global scale and because data 
flows from the European Union are not linked to the U.S. Both 
systems will be experimented with. It will be especially 
interesting to evaluate the enforcement system.
    It does not work, however, that here are interesting 
developments in the attitude of the business community. More 
and more privacy protection is considered a value to be offered 
with goods and services. Opt-in and not opt-out has been 
indicated as the best approach by prominent European companies 
during their hearing before the European Parliament last 
January.
    So we are living in a transitional period and indeed need 
cooperation as wide as possible. Thank you for giving me this 
opportunity. May I conclude with my very best wishes for your 
future discussions which are crucial for the democratic values 
that we share.
    Thank you very much.
    [The prepared statement of Stefano Rodota follows:]

  PREPARED STATEMENT OF STEFANO RODOTA, CHAIRMAN, EU DATA PROTECTION 
                             WORKING PARTY

    Mr Chairman, Honourable Members, Thank you for inviting me to 
testify today at this important hearing. My name is Stefano Rodota, and 
I am the Chairman of the Data Protection Working Party that was 
established by the EU Directive on the protection of physical persons 
with regard to the processing of personal data. This Directive was 
passed by the European Parliament and the Council in 1995, that is 
after 5 years of fierce discussions on the proposal presented by the 
European Commission in 1990: passing legislation on such a complex 
issue is not easy--neither in the EU nor in the US, you will say . . .
    Since the creation of a Data Protection Commission in Italy (1997) 
I also wear the hat of Privacy Commissioner, and in this capacity I 
would like to share with you a couple of ideas on the concrete 
implementation of the Directive in my country. Before doing that, may I 
say something about the European approach to privacy and data 
protection, that may explain some of the difficulties that we have 
experienced in bridging the gap with the approach of the US Government.
    When compared to other pieces of European legislation, the 
Directive presents a prominent feature: it aims at protecting 
``fundamental rights and freedoms'', although this objective is twinned 
with the free movement of information and services. This approach has 
been recently stressed by a major development: in the Charter of 
Fundamental Rights of the European Union, that was signed in December 
2000 by the European Parliament, the Council and the Commission, two 
specific provisions are devoted to privacy and data protection. Let me 
quote them.
            Article 7, Respect for private and family life.
    Everyone has the right to respect for his or her private and family 
life, home and communications.
                Article 8, Protection of Personal Data.
    1. Everyone has the right to the protection of personal data 
concerning him or her.
    2. Such data must be processed fairly for specified purposes and on 
the basis of the consent of the person concerned or some other 
legitimate basis laid down by law. Everyone has the right of access to 
data which has been collected concerning him or her, and the right to 
have it rectified.
    3. Compliance with these rules shall be subject to the control of 
an independent authority.
    These independent authorities, as you know, meet together in the 
Data Protection Working Party, which is also called ``Article 29'' 
Group, although its powers are to be found in Article 30 of the 
Directive. The Working Party, that I'm honoured to chair since last 
year, has an advisory status and acts independently. Since its 
creation, it has adopted a number of Recommendations and Opinions, some 
of which were devoted to the different versions which led to the final 
shape of the ``Safe Harbor''. All these documents are available to the 
public at the following web page: http://www.europa.eu.int/comm/
internal_market/en/media/dataprot/wpdocs/
The Italian experience.
    In Italy, the Directive was implemented by the Data Protection Act 
(1996). This Act is being complemented by secondary legislation and--
may I stress this aspect--by a number of Codes of conduct, which 
represent an important factor of flexibility. All the relevant 
documents are available at: http://www.garanteprivacy.it
    Judging from my personal experience on the ground, I can testify 
that the provisions by which the Directive was implemented in Italy are 
being invoked on such a wide range of issues that were probably hard to 
imagine when the law was passed--there are over 2,000 claims pending 
before the Garante, covering almost all business areas and 
administration branches--but no company has gone out of business--nor 
has it suffered the dramatic consequences that were anticipated by some 
interested circles. On Capitol Hill, you are in a good position to know 
that lobbying groups sometimes tend to exaggerate the cost of new 
legislation. In earlier times, the same happened during the 
Parliamentary discussions on child labour legislation, but nobody today 
would argue that such legislation was not appropriate.
    When the Directive was passed (1995) in Italy there was no 
legislation in this area, and the issue was virtually confined to the 
academic and literary circles. In less than 4 years, the word 
``Privacy'' has entered into the daily vocabulary of the average 
Italian (without any Italian translation: the media and the man in the 
street just say ``Privacy'', and they seem to know what they mean). 
Sometimes I'm myself puzzled about that.
    The widespread use of the word ``Privacy'', in Italy and in other 
non-English speaking countries, indicates an amazing paradox. Privacy 
was ``invented'' in the US, and has long been considered to be typical 
of American society. Still, Europe is nowadays the region of the world 
where personal data is most protected--so much so that the Charter of 
Fundamental Rights of the European Union has recently included data 
protection among fundamental human rights (see Article 8, quoted 
above).
    This does not mean, however, that the European and the US systems 
are mutually opposed or absolutely irreconcilable. For instance, it is 
an instance of misrepresentation to simplify the picture by making 
Europe the domain of law and the US the domain of self-regulation. 
Indeed, it is exactly the legislative framework provided by EU 
directives and national laws which is making it possible to develop 
self-regulatory codes and contractual models on a large scale. At the 
same time, many highly sensitive issues and topics are being dealt with 
in the USA by means of legislative tools, as shown by the many laws 
passed in the US at the State level and by the Executive Order issued 
by Clinton on 8 February 2000 to prohibit the use of genetic data for 
federal employees.
The implementation of the Directive in other EU countries
    The Directive has been implemented in 11 out of the 15 EU Member 
States. The deadline for implementation was October 1998 and of course, 
as in many other policy areas, the European Commission has started an 
infringement procedure against the four Member States that have not yet 
notified the implementing measures (France, Germany, Ireland and 
Luxembourg). It is the Commission's duty, and I strongly hope that this 
will help in completing the implementing process. However, if we 
consider both the ``core principles'' of data protection and the 
creation of Supervisory Authorities, I would say that almost all Member 
States are now in line with the ``fundamentals'' of the Directive 
(please, don't ask me to name the one or two countries that may still 
make an exception).
    Germany and France are, for different reasons, in a similar 
paradox: they are late in passing the implementing measures; however, 
their data protection legislation is sound and belongs to the best 
established in Europe (the two were the main source of inspiration of 
the European Directive). According to some observers, this paradox 
shows that ``adapting'' old laws may prove harder than passing a brand 
new law, but the case of Germany is certainly made more complex by the 
Federal structure of the State, that implies several levels of 
discussion.
    The Netherlands seem to have experienced one of the most 
interesting parliamentary debates. As far as I understand, this was 
prompted by a major initiative aimed at excluding the private sector 
from the ``jurisdiction'' of the Data Protection Authority: roughly 
speaking, the business community argued that they would feel more 
comfortable with the powers of self-disciplinary bodies, and they found 
sympathetic ears in the Dutch Parliament; an amendment to this purpose 
was tabled, but the Dutch Government found that it may have been 
incompatible with the Directive, and the idea was finally rejected.
The provisions of the Directive with regard to transborder data flows
    A prominent feature of the EU approach, if compared to the US 
privacy debate, is that the Directive provides a single framework 
which applies irrespective of the business sector concerned, and 
regardless of the nature of the data controller (public or private 
body), although some broad exceptions are allowed.
    In the recent past, some observers have argued that, since the 
Directive had been drafted at the time of mainframe computers, its 
provisions would be outdated in the Internet era. The experience gained 
in the meantime points to the opposite conclusion: all the core 
principles established by the directive, such as the right of access, 
rectification, deletion and the right to damages are drafted in a way 
that copes with technology developments, and they work properly 
irrespective of the technology used to process personal data.
    Incidentally, a similar debate took place with regard to the OECD 
Privacy Guidelines, that are based on the same core principles. At the 
end, as you know, the applicability of the OECD Guidelines to 
electronic commerce was reaffirmed by the Ministerial Conference held 
in Ottawa in 1998, although the Guidelines are much ``older'' than the 
Directive (OECD Guidelines: 1980, EU Directive: 1995!).
    Of course, the Internet revolution carries its lot of new 
challenges, but these normally concern the issues of applicable law and 
jurisdiction, rather than the content of the substantive rules, and 
these are the same kinds of problems that arise in many other areas 
of Law.
    To be concrete, may I give you one example: which law applies to 
the online collection of personal data from individuals of country 
``A'' by a company established in country ``B'' using a server located 
in country ``C''?
    When the countries concerned are within the European Union, the 
answer is simple: the law of Member State ``B'', that is the country in 
which the company is established. In my opinion, this solution is well 
balanced:

 on the one hand, it allows data controllers to comply with one 
        single set of rules (instead of 15 or more), and this is very 
        business-friendly;
 on the other hand, it protects citizens from the possible 
        circumvention of their rights: using a server located in a 
        third country would be an easy route to circumvention, but what 
        matters for the Directive is the country in which the economic 
        activity of the controller is located.
    This approach makes sense, as all Member States share the same 
values and are legally bound by the same ``core'' principles, enshrined 
in the Directive. Of course, the above applies only insofar as the data 
controller is established in an EU Member State: where this is not the 
case, the issue is far more complex. If the data controller is 
established in a country with ``no rules'' on data protection, the same 
approach would result in the absolute lack of guarantees for the data 
subject, whose personal data could be processed without any 
restriction.
    In my opinion, there is therefore a case for an International 
instrument on data protection, as recently stressed in the ``Venice 
declaration'' by all the colleagues convened at the 22nd International 
Conference on Privacy and Data Protection.
    However, in the absence of an international instrument, the 
Directive has established two very important safeguards:

1. By requiring that Member States apply the Directive where the data 
        controller is established in a third country but processes 
        personal data using equipment located in the EU territory 
        (Article 4c);
2. By the well known ``Article 25'', that prompted a number of alarming 
        articles in the US press, warning against what was called ``the 
        Great Wall of Europe'': according to this provision, personal 
        data can be transferred from the EU to third countries only if 
        the receiving country ensures an ``adequate'' level of data 
        protection. Until now, only Canada, Switzerland and Hungary 
        have met the ``adequacy test'' in the judgement of the Article 
        29 Working Party.
    I agree that Article 25 sounds like a bold provision. However, to 
be understood, this general rule must be read together with the many 
exceptions established by Article 26, which allow a significant degree 
of flexibility (examples: the data transfer is allowed if the 
individual has given his unambiguous consent, or where necessary for 
the performance of a contract with the data subject, or to protect his 
vital interests, and so on). In addition, data transfers can also take 
place where the controller adduces appropriate safeguards, that can be 
offered by way of contractual provisions.
    As you probably know, standard contractual clauses have been 
drafted by the Commission Services and have received the positive 
Opinion of the Data Protection (``Article 29'') Working Party. In my 
opinion, such clauses are crucial in ensuring transborder data flows, 
because many companies make business on a global scale and because data 
flows from the EU are not limited to the US. These clauses, when 
adopted, will not be mandatory but if companies choose to use them, 
they will be able to cut out most of the administrative loops which the 
contractual route otherwise requires.
The Safe Harbor
    The Safe Harbor is living proof that the Directive allows 
significant flexibility. In finding that the SH offers adequate 
protection, the European Commission may have gone beyond the letter of 
Article 25, which refers to ``domestic law'' or international 
commitments, and has accepted a set of rules that are proposed to US 
companies on a voluntary basis, but I will not re-open that debate: all 
that I want to stress, is that on the European side there has been a 
lot of good will.
    I understand that, until now, only twenty five US organisations 
have adhered to the Safe Harbor, and it is to be hoped that their 
number will increase, after all the commendable efforts that were 
deployed on both sides to secure the deal.
    Mr Chairman, Honourable Members, thank you for giving me the 
opportunity to testify. May I conclude with my very best wishes for 
your future discussions, which are crucial for the democratic values 
that we share.

    Mr. Stearns. Thank you, Professor Rodota.
    We are going to recess now. We have possibly two votes on 
the House floor.
    So, Mr. Smith, we will reconvene after we come back, and we 
ask for your patience.
    And I think with the two votes it will be difficult to set 
a time, because I think one of them is an adjournment vote. So 
we will reconvene probably perhaps in about 20 minutes, 25 
minutes.
    [Brief recess.]
    Mr. Stearns. The Subcommittee on Commerce, Trade, and 
Consumer Protection will reconvene.
    And, Mr. Smith, thank you for your patience, and we look 
forward to your opening statement.
    I say to my colleagues, we are giving each of these 
gentlemen 10 minutes, instead of the customary 5 minutes, 
because of the distance they have traveled and also as a 
courtesy so that we can really have an impact from all of their 
feelings on this issue.
    So, Mr. Smith, you have the floor for an opening statement.

                    STATEMENT OF DAVID SMITH

    Mr. Smith. Thank you very much, Chairman, and thank you for 
allowing me some extra time.
    I am David Smith, Assistant Information Commissioner from 
the United Kingdom. I work for Elizabeth Franz, the UK's 
Information Commissioner, recently renamed Information 
Commissioner to reflect duties she has under the UK's new 
Freedom of Information Act. She was formerly Data Protection 
Commissioner. She continues as the UK's independent supervisory 
authority, and it is in that role that I am here and I will 
talk.
    So I can't act as a representative either of the European 
Commission or even of the UK government. I am a representative 
of the UK's independent supervisory authority.
    I won't go through my testimony in great detail. I am happy 
to answer questions in relation to it. I will just highlight 
one or two points.
    It starts with the origins of data protection law, 
particularly in the UK. And as Professor Rodota said, we do see 
data protection law as an aspect of human rights, individuals' 
rights to have some knowledge of the information that is kept 
and used about them, a right to some control over who has 
access to that information, and how they use it, and some 
safeguards and rules that we know businesses that keep that 
information will abide by.
    That is exemplified in Europe in the Council of Europe 
Convention on Data Protection, which is at the root of all 
European data protection law, including the UK's law. But it 
bears some similarities to the OECD privacy guidelines with 
which you may be familiar.
    But when data protection started, certainly in the UK, it 
was not only about human rights that was behind government 
thinking. It was also about building people's trust in 
business, going back some time in the use of computers at that 
time, but say, ``Here is the law to protect you. You can trust 
businesses that computerize information.'' And that does have 
some relevance in the world of e-commerce that we are now in.
    The EU Data Protection Directive is designed to harmonize 
European laws and to remove barriers to the flow of information 
within Europe. It essentially takes the Council of Europe 
Convention further, makes it a mandatory requirement, and 
modifies it in relation to EU member states.
    In addition to the general Data Protection Directive to 
which the attention is focused on, there is a Data Protection 
Directive specifically focusing on the telecommunications 
section, which adds to the general directive. And there is even 
some suggestion now, although nothing firmly proposed, that 
there will be one relating to the employment sector.
    The UK Act implements the European directive. The Act sets 
out the scope of the law. It applies not only to automated 
computerized records. It also applies to structured manual 
records. It works on the basis of criteria for processing.
    In order to keep--use information about individuals, a 
business has to meet certain criteria, which in general are not 
especially difficult to meet but are more onerous where the 
information falls into the category of sensitive data, into 
particular categories there.
    The law gives individuals rights such as the right of 
access to their information and the right to compensation if 
the information is misused. And it sets out standards that data 
controllers, businesses, must follow called the Data Protection 
Principles, which cover the requirement to fairly process 
information to keep the information secure, and so forth.
    One of those principles relates to international transfers, 
and the testimony I have provided talks about the meaning of 
adequacy in terms of only transferring data to countries 
outside Europe that provide adequate protection.
    What is actually meant by ``adequacy''? It doesn't 
necessarily require data protection law. It does depend on the 
nature of the data that are transferred, codes of practice, 
enforceable codes, and the like, that exist in the country 
involved. The testimony refers to community findings. Professor 
Rodota referred to particular countries where there has been a 
finding of adequacy, and the safe harbor arrangements fall into 
that category.
    As UK Information Commissioner, we are obliged under a 
community finding to accept the safe harbor arrangements as 
providing adequacy to companies that have signed up to it. 
There are exceptions to the requirement for adequacy where 
individuals have given their consent to the transfer of the 
data, where the data are necessary for legal proceedings, and in 
a number of other areas.
    And I also talk in the testimony about the role of standard 
contracts and the work that is going on to develop those 
contracts to govern the transfer. So a variety of arrangements 
under which adequacy requirements can be satisfied.
    In terms of enforcement, the UK law does not contain much 
in the way of criminal offenses and criminal penalties for 
breach. The one we place most emphasis on is that of obtaining 
information by deception. Essentially, people like private 
investigators who will contact a bank, an insurance company, a 
doctor, and pretend to be someone with authority to acquire 
information, and so, therefore, do so by deception. And we do 
prosecute those, and we regard that as a particularly important 
aspect of our law.
    But generally, we enforce the law through enforcement 
notices which set out requirements that businesses have to 
undertake to comply with the law, to delete data, to change their 
practices, or whatever. And a failure to comply with the notice 
is then a criminal matter for which we can prosecute. And 
individuals, under the law, have their own right to take action 
through the courts to enforce their rights.
    As Information Commissioner, we see our role, and, indeed, 
the law sets out our role, as not being solely or even 
necessarily primarily about enforcement. We are very keen to 
develop awareness amongst citizens and amongst businesses of 
how the law operates and their rights and responsibilities 
under it.
    We promote good practice which goes wider than simply 
complying with the law, and it covers conduct which is 
consistent with those requirements. And as Professor Rodota 
said, we also put emphasis on the development of codes of 
practice, codes that develop how the law applies in the area of 
particular industry, particular activities, fields such as the 
use of data in employment.
    We deal with requests for assessment from individuals, 
individuals who ask us to assess whether the law has been 
complied with, and we make those assessments. But we have a 
wider strategy, and I will just, in conclusion, spend a moment 
or two on developing our strategy. Because, as I said, we are 
keen to work on the basis of education and encouragement, both 
of individuals and of businesses.
    We take a very strong view that data protection and privacy 
requirements should be built in at the early stage of thinking, 
whether that is the development of new business processes, new 
IT systems, or the development of public policy.
    They should start with data protection in mind, and one 
example of work we are doing in that area is the development of 
guidelines for those involved in the development of IT systems 
on how to incorporate privacy-friendly features into those 
systems, part of our work of encouragement and producing 
guidance.
    We also encourage self-regulation, not necessarily instead 
of statutory regulation but together with it. We see self-
regulation, provided this is effective and gives effective 
remedies to individuals, and there are arrangements to check 
that businesses comply, audit arrangements, and the like, as 
being the best way of providing remedies for individuals and 
enforcing data protection day to day.
    And we are supporting and actively working with the 
development of alternative dispute resolutions as a better 
method than individuals either taking their cases through the 
court or our office necessarily seeking to resolve them for 
them.
    We also promote good business practice. We are encouraged 
by some developments, particularly in the e-commerce field, 
where businesses are increasingly positioning themselves for 
privacy, not necessarily because they see that as a way of 
meeting regulatory requirements, but because it is what they 
see as necessary to attract and retain customers, permission 
marketing, giving the customer choice, and the like.
    And we encourage that, because the more that data 
protection flows out of good business practice rather than being 
seen as a simple additional regulatory burden, the more 
satisfactory and the more effective it will be.
    And, last, we do seek to influence law makers as well in 
the UK and elsewhere to develop better protection for the 
privacy rights of individuals, but to do so without imposing 
disproportionate burdens on businesses.
    So I hope, Chairman, that is an introduction to our work 
and has been useful to you. Thank you for giving me the time. I 
am happy to answer any questions or provide further information 
if that would be helpful.
    [The prepared statement of David Smith follows:]

 PREPARED STATEMENT OF DAVID SMITH, ASSISTANT COMMISSIONER, OFFICE OF 
              THE UNITED KINGDOM INFORMATION COMMISSIONER

                                SUMMARY

    This testimony is intended to be informative. It is submitted on 
behalf of the UK Information Commissioner who is the independent 
supervisory authority appointed under the Data Protection Act 1998. The 
views expressed are those of the Commissioner and do not necessarily 
represent the position of either the European Commission or the UK 
Government.
    The testimony covers:

 The Origins of Data Protection in Europe; The 1981 Council of 
        Europe Convention, the objectives of Data Protection law and 
        the thinking behind the UK's Data Protection Act 1984.
 The EU Data Protection Directives: The reasons for the general 
        Directive, the timescale for its implementation and the related 
        Telecommunications Data Protection Directive.
 The UK Data Protection Act 1998: The scope and application of 
        the law, criteria for processing, sensitive data rules, other 
        general provisions, individual rights and the standards to be 
        followed by data controllers (the Data Protection Principles)
 Transfers of Personal Data to Third Countries: What is meant 
        by an ``adequate level of protection'', Community findings and 
        exceptions to the requirement for adequacy including the role 
        of standard contracts.
 Enforcement: Criminal offences under the Data Protection Act, 
        obtaining personal information by deception, enforcement of the 
        Principles, information notices and the rights of individuals 
        to take proceedings through the courts.
 The Information Commissioner: The Commissioner's functions 
        under the Data Protection Act, the role and development of 
        codes of practice, her duty to make assessments as to whether 
        it is likely or unlikely that the Act's requirements have been 
        met, her strategy in promoting compliance with the Act and more 
        widely promoting respect for privacy and personal information 
        both nationally and internationally, some activities she is 
        involved in and some comments she has made in relation to 
        possible revision of the legal framework.

                       ORIGINS OF DATA PROTECTION

    European Data Protection law has its roots in thinking in the 1970s 
which led to the 1980 OECD Privacy Guidelines\1\ and to the 
1981 Council of Europe Data Protection Convention (Convention 
108).\2\ It is Convention 108 that formed the basis for the UK and 
many other European Data Protection laws prior to the Directive and 
which is now reflected in the provisions of the Directive itself.
---------------------------------------------------------------------------
    \1\ Organisation for Economic Co-operation and Development, 
Guidelines Governing the Protection of Privacy and Transborder Flows 
of Personal Data, Paris 1980.
    \2\ Council of Europe Convention for the Protection of Individuals 
with regard to Automatic Processing of Personal Data, European Treaty 
Series 108, Strasbourg 1981.
---------------------------------------------------------------------------
    Article 1 of Convention 108 sets out the objective.
        ``The purpose of this convention is to secure . . . for every 
        individual . . . respect for his rights and fundamental 
        freedoms, and in particular his right to privacy, with regard 
        to automatic processing of personal data relating to him''.
    At its simplest, Data Protection law delivers this objective 
through three strands:

knowledge: The right of the individual to be informed what personal 
        information is kept, by whom and how it is used and the right 
        of access to the information.
control: some control by the individual over what information is kept 
        and how it is used.
safeguards: safeguards to ensure appropriate confidentiality, 
        availability, integrity and security of personal information.
    The human rights approach to Data Protection is clear. It is 
founded in the right to respect for one's private life. However this 
was not the only thinking behind either Convention 108 and the UK's 
Data Protection Act 1984 or the OECD Privacy Guidelines. There were two 
other strands, both of which are particularly relevant in the context 
of the development of electronic commerce and global markets. First 
there was the fear of technology, whether real or imagined. Evidence 
suggested that individuals were reluctant to trust their information to 
computers and there was anxiety that this lack of trust would stifle 
the development of technology in business. Legal protection was seen as 
a way of reassuring individuals.
    Second was the question of transborder data flows. Fears that the 
lack of an international instrument would lead to restrictions on 
transfer by those countries with domestic law were an important factor. 
In the UK, the Government's reasons for promoting Data Protection 
legislation were given by the then Home Secretary in the House of 
Commons on 30th January 1984.
        ``first . . . reassure people that . . . there are special 
        safeguards for individual privacy . . .
        secondly . . . membership of the European Data Protection club 
        . . . a very important commercial interest . . . British firms 
        not placed at a disadvantage . . .''
    Although Data Protection law can be seen as a means to facilitate 
international trade rather than as a trade barrier it has never sought 
to achieve this by allowing an unrestricted flow of personal data from 
those countries that adopt protective measures to those that do not. 
The UK's Data Protection Act 1984 included provision for transfer 
prohibition notices. Although used rarely, this enabled the then Data 
Protection Registrar to stop the transfer of personal data to a country 
that was not bound by Convention 108, if the transfer was likely to 
lead to a contravention of the Act.

                   THE EU DATA PROTECTION DIRECTIVES

    Not all member states of the European Union chose to be party to 
Convention 108. Those that did used the freedom it allowed to adopt 
domestic laws that varied significantly. As part of the development of 
an internal market within the European Union and to facilitate what was 
seen as a necessary and substantial increase in cross-border flows of 
personal data, the EU General Data Protection Directive\3\ 
was adopted on 24 October 1995. Member states have no choice but to 
implement it in their domestic law. There is still scope for variation 
in its interpretation and application but this is much less than is the 
case with Convention 108.
---------------------------------------------------------------------------
    \3\ Directive 95/46/EC of the European Parliament and of the 
Council of 24th October 1995 on the protection of individuals with 
regard to the processing of personal data and on the free movement of 
such data, Official Journal of the European Communities L 281, Vol. 38, 
23rd November 1995, ISSN 0378-6978.
---------------------------------------------------------------------------
    The EU Directive takes familiar themes forward. It clearly states 
as its two objects:

 ``. . . member states shall protect the fundamental rights and 
        freedoms of natural persons, and in particular their right to 
        privacy with respect to the processing of personal data''
 ``. . . member states shall neither restrict nor prohibit the 
        free flow of personal data between member states . . .''
    The Directive took several years to agree. It is necessarily a 
compromise between the cultures, existing laws and aspirations of 
different member states. To comply with the Directive, member states 
should have had domestic law in place within three years of its 
adoption, i.e., by 24th October 1998. The UK law came into force on 1st 
March 2000. The Directive allows a transitional period for ``processing 
already under way'' at 24th October 1998. For most processing this 
transitional period will run out on 24th October 2001.
    In addition to the general Directive referred to above there is a 
related Directive addressing Data Protection in the Telecommunications 
Sector.\4\ The intention of this directive is to particularise 
and complement the provisions of the general Directive as they apply in 
this sector.
---------------------------------------------------------------------------
    \4\ Directive 97/66/EC of the European Parliament and of the 
Council of 15th December 1997. Concerning the Processing of personal 
data and the protection of privacy in the telecommunications sector.
---------------------------------------------------------------------------

                    THE UK DATA PROTECTION ACT 1998

    The general Data Protection Directive is given effect in the UK by 
the Data Protection Act 1998. There are separate provisions 
implementing the Telecommunications Directive.
General Provisions
    Scope: The Act applies to the processing of personal data. 
``Personal data'' is information that relates to a living, identifiable 
individual. It includes information held not only in automated systems 
but also in structured manual records referred to in UK law as a 
``relevant filing system''. ``Processing'' is defined widely and 
includes any operations performed on personal data from collection 
through to deletion.
    Application: The Act regulates the activities of data controllers. 
That is persons who determine the purposes for which and manner in 
which personal data are processed. It applies to data controllers who 
are:

 established in the UK provided the data are processed in the 
        context of the UK establishment even if the processing actually 
        takes place elsewhere.
 not established on the territory of the UK or another member 
        state but make use of equipment in the UK for processing.
    Criteria for Processing: Before personal data can be processed, one 
of the following criteria must be satisfied:

 the data subject has consented;
 the processing is necessary for performance of a contract 
        involving the data subject or for pre-contractual steps;
 the processing is necessary for compliance with a legal 
        obligation;
 the processing is necessary to protect the vital interests of 
        the data subject;
 the processing is necessarily carried out in the public 
        interest;
 the processing is necessary for legitimate interests pursued 
        by the controller except where these are overridden by the need 
        to protect the rights and freedoms of the data subject.
    The Information Commissioner takes the view that regardless of 
whether any of the other criteria are also satisfied, legitimate 
business activities should generally be able to rely on the last of the 
above.
    Sensitive Data: Where sensitive data are processed, one of an 
additional list of criteria must also be satisfied. Sensitive data are 
defined as those that consist of information as to racial or ethnic 
origin, political opinions, religious or philosophical beliefs, trade 
union membership, health, sex life and criminal offences. The list of 
criteria for processing sensitive data is restrictive. In very many 
cases the data subjects' explicit consent is required before such data 
are processed.
    Notification: Data controllers are required to notify the 
supervisory authority of their processing operations for inclusion in a 
public register. Some exemptions exist. There is a fee for notification 
of £35 (approximately $50) per year. This indirectly funds 
the Information Commissioner's office.
    Supervisory Authority: The Information Commissioner is the 
independent public supervisory authority with appropriate powers of 
investigation and intervention to monitor compliance with the law and 
hear claims lodged by individuals.
    International Co-operation: Arrangements for co-operation between 
supervisory authorities in member states and the EU Commission are 
established. These include a working party of representatives of 
supervisory authorities (Article 29 Working Party).
Individual Rights
    Access: Individuals have a right to know whether or not a data 
controller is processing data about them, a right of access to such 
data and a right to any available information as to their source. There 
are some limited exemptions from this right. A fee of up to 
£10 (approximately $15) can be charged and there are up to 
40 days to respond. There is also a right to knowledge of the logic of 
any automated decision taking that the individual is subject to.
    Correction/Deletion: There is a right to rectification, erasure or 
blocking of data which are incomplete or inaccurate.
    Prevent Processing: Individuals have a right to object to the 
processing of personal data about them:

 where the processing causes substantial damage or substantial 
        distress to an individual and that damage or distress is 
        unwarranted; or
 where the processing is for direct marketing.
    This right is further developed in the regulations implementing the 
Telecommunications DP Directive. Data subjects have a right to opt out 
of the receipt of unsolicited marketing calls through the telephone 
preference service and must not be sent marketing faxes without their 
consent.
    Automated Decisions: There is a right not to be subject to 
decisions that are taken solely by automated means and have a 
significant effect on the individual, for example in connection with 
assessing creditworthiness. A decision can be taken in the course of 
entering a contract provided there are safeguards such as a right of 
appeal.
    Request Assessment: The supervisory authority is required to hear 
claims lodged by any person concerning the processing of their personal 
data.
    Compensation: Any person who suffers damage and associated distress 
as a result of a breach of the Act is entitled to compensation from the 
data controller. Claims must be pursued through the courts.
Data Protection Principles
    These set out standards to be followed by data controllers in their 
processing of personal data.
    Fair and Lawful Processing: As well as meeting the criteria for 
processing referred to above data controllers must process personal 
data in a way that is fair to individuals and does not lead to breaches 
of the law. In particular, to make processing fair, individuals should 
be made aware who is holding their data, the purposes of the processing 
and any other information necessary to make the processing fair such as 
the recipients or categories of recipients of the data. This obligation 
applies even where the data have not been obtained directly from the 
data subject, for example where they have been obtained from a credit 
bureau, unless providing the information would involve disproportionate 
effort.
    Limitation of Purpose: Personal data must be collected for specific 
and lawful purposes and not processed in a way that is incompatible 
with those purposes.
    Data Quality: Personal data must be:

 adequate, relevant and not excessive for the purpose for which 
        they are collected;
 accurate and, where necessary, kept up to date;
 kept no longer than necessary.
    Security: Data controllers must have appropriate technical and 
organisational measures in place to protect personal data. Where a data 
controller uses a processor to process data on its behalf there must be 
a contract in place tying the processor to only using the data in 
accordance with the controller's instructions and placing security 
obligations on the processor.
    International Transfers: Transfers of personal data to countries 
outside the European Economic Area, so called ``third countries'', are 
only allowed if the country provides an adequate level of protection 
for the data. There are some exemptions that allow transfers to take 
place in circumstances where adequacy is not achieved.

             TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES

Adequacy
    Whether a country provides an adequate level of protection for 
personal data does not depend solely on whether the country has a Data 
Protection law. The Act makes it clear that other factors must be taken 
into account including the nature of the data, purposes and duration of 
processing, the legal framework, codes of conduct or other enforceable 
rules and security measures. It is perfectly possible, for example, that 
a country might be considered adequate for the transfer of names and 
addresses on a mailing list but not for the transfer of medical 
records. The existence and effectiveness of any system of self-
regulation is an important factor in assessing adequacy.
    The Act gives effect to ``Community findings''. These are decisions 
of the European Commission that the level of protection in a third 
country is or is not adequate. There have been Community findings in 
relation to Switzerland and Hungary as well as the US safe harbor 
arrangements. Several other countries are under consideration.
Exceptions
    In limited circumstances transfers of personal data to third 
countries can take place even though adequacy has not been established. 
These are where:

 the data subject has consented to the transfer;
 the transfer is necessary for performance of a contract 
        involving the data subject or in the interests of the data 
        subject or for pre-contractual steps;
 the transfer is necessary for the reasons of substantial 
        public interest;
 the transfer is necessary for legal proceedings, obtaining 
        legal advice or otherwise for the establishment, exercise or 
        defence of legal rights;
 the transfer is necessary to protect the vital interests of 
        the data subject;
 the transfer is part of the information in a public register.
    In addition transfers can be made on the basis of a contract 
between a UK data exporter and a data importer in a third country which 
is of a type approved by the Commissioner. The Commissioner also has 
the power to authorise particular transfers on the grounds that they 
are made in such a manner as to ensure adequacy. The Commissioner has 
not yet given approval to any standard contract terms. She is awaiting 
the outcome of work the European Commission is undertaking to develop 
such terms which will then be subject to a Community finding.

                              ENFORCEMENT

    In the UK, breaches of the Data Protection Act 1998 are mostly not 
criminal offences. The criminal offences are largely confined to 
failure to notify the Commissioner of processing operations requiring 
notification and knowingly or recklessly, without the consent of the 
data controller, disclosing or obtaining personal data. Within this the 
Commissioner places particular importance on using her powers to 
prosecute those who seek to obtain personal information, to which they 
are entitled, by deception.
    Where there is a breach of one of the principles, the Commissioner 
can issue an enforcement notice requiring the data controller to take 
action to bring about compliance, for example, to delete data. Failure 
to comply with a notice is then a criminal offence. There is no power 
to ``punish'' a data controller for a breach of principles.
    The Commissioner also has a power to issue an information notice 
requiring a data controller to provide her with information needed to 
determine whether there has been a breach of the Act. There is a right 
of appeal to an independent tribunal against enforcement or information 
notices. Where she has reasonable grounds for suspecting a breach of 
the Act she can apply to a court for a search warrant in order to 
obtain evidence.
    In addition individuals can take their own cases to court. They can 
ask the court to:

 order a data controller to uphold their right of access, right 
        to prevent processing and rights in relation to automated 
        decisions;
 order a data controller to rectify, block, erase or destroy 
        inaccurate data.

                      THE INFORMATION COMMISSIONER

    The former Data Protection Commissioner has recently been renamed 
``Information Commissioner''. This reflects additional responsibilities 
for oversight of the UK's new Freedom of Information Act. This 
testimony only addresses her responsibilities under the Data Protection 
Act 1998. She operates through an office with around 115 staff and a 
budget of £4.5 million ($7 million).

Duties
    In addition to enforcement and maintenance of the public register 
of notifications the Commissioner's functions under the Act include:

 promotion of good practice which is such practice in the 
        processing of personal data as appears to the Commissioner to 
        be desirable having regard to the interests of data subjects 
        and others and includes (but is not limited to) compliance with 
        the requirements of the Act;
 dissemination of information and the provision of advice to 
        individuals and data controllers about the operation of the 
        Act, good practice etc;
 assessing, with the consent of the data controller, any 
        processing of personal data for the following of good practice 
        (an audit function);
 presentation of an annual report and, when she sees fit, other 
        reports to Parliament;
 provision of assistance to individuals taking action through 
        the courts in relation to the processing of personal data for 
        journalism or for artistic or literary purposes;
 preparation and dissemination of codes of practice;
 determination of requests for assessment.

Codes of Practice
    The Commissioner is required, after consultation, to prepare and 
disseminate codes of practice for guidance as to good practice either 
where she is directed by the Government to do so or where she considers 
it appropriate. Such codes explain the Commissioner's view of how 
compliance with the requirements of the Act should be achieved in 
practice in a particular field of business or activity. She can also 
encourage trade associations to prepare codes.
    A code of practice has been issued on the use of closed circuit 
television in public places. Consultation has recently been completed 
on the draft of a code on the use of personal data in employer/employee 
relationships. The Commissioner places considerable emphasis on the 
development of codes of practice under the Act. She believes they have 
an important role in translating the necessarily general requirements 
of the Act itself into meaningful standards that can be readily applied 
in the context that they address.

Requests for Assessment
    A request may be made to the Commissioner by a person directly 
affected for an assessment as to whether it is likely or unlikely that 
any processing has been carried out in accordance with the Act. Subject 
to some limitations the Commissioner is required to make an assessment 
and inform the person of the result. This replaces her duty under the 
Act's predecessor to consider complaints. In some cases requests for 
assessment may lead to enforcement action.
    Around 5,000 cases are handled each year. Roughly half of these 
require some form of investigation. The others are dealt with by the 
provision of information or advice. Around 65% of cases reveal a breach 
of the Act. The two largest categories of cases in 1999/2000 were 
consumer credit (including credit reporting)--31% and direct 
marketing--18%.

Strategy
    The Commissioner sees her role as wider than simply undertaking the 
specific functions given to her in the Act. Her mission statement 
commits her to promoting respect for the private lives of individuals 
and in particular for the privacy of their information by:

 implementing the Data Protection Act 1998; and
 influencing national and international thinking on privacy and 
        personal information.
    She is concerned to ensure that data protection and privacy issues 
are identified and addressed at the inception of new laws, processes 
and systems. It is central to this that:

 those who handle information both in the public sector and in 
        the private sector are aware of their obligations and act 
        accordingly;
 data protection emerges as a feature of good business practice 
        and is seen as a necessity for recruiting and retaining 
        customers rather than as a regulatory burden;
 policy makers, particularly at governmental level give 
        appropriate weight to individuals' privacy rights in the 
        development of new legislation, international instruments, 
        public policy and the delivery of services.
    In addition the Commissioner seeks to develop a climate in which 
individuals are aware of their rights in relation to their information 
and feel confident that these rights are respected and can be 
exercised.
    Some specific activities that the Commissioner is or has recently 
been involved in include:

 implementation of a national advertising campaign related to 
        individuals' rights;
 development of education packs for use in schools;
 supporting the development of data protection qualifications 
        and the incorporation of data protection material in other 
        relevant syllabuses;
 preparation of guidance and materials to assist data 
        controllers with compliance eg a data protection audit manual;
 encouraging the work of national and international standards 
        bodies on data protection;
 development of design notes for systems developers to ensure 
        that privacy protection is incorporated in standard design 
        methodologies;
 promotion of a debate on current data protection and privacy 
        issues through conferences/seminars;
 encouraging effective self regulatory initiatives that can 
        operate within the legislative framework particularly in 
        connection with e-commerce;
 supporting the development and use of alternative dispute 
        resolution procedures for handling data protection complaints.
    Recently the Commissioner has been invited to contribute to the UK 
Government's appraisal of the UK's new data protection regime. This has 
been conducted partly with an eye to the review of the EU Directive due 
by 24th October 2001. Many of the points raised in her submission are 
matters of detail but she draws attention to some areas where, in her 
view, the law imposes burdens on data controllers that are out of 
proportion to the benefit, if any, that they bring to individuals. 
These include:

 the application of the law to situations where a data 
        controller is not established in the UK but nevertheless uses 
        equipment in the UK for processing;
 the concept of special or sensitive categories of data rather 
        than a recognition that it is the circumstances in which personal 
        data are processed that make them sensitive;
 the provisions on automated decisions;
 the extent of the notification obligation on data controllers;
 the emphasis placed in the provisions governing transfers to 
        third countries on centralised decision making rather than 
        leaving decisions and arrangements on adequacy to data 
        controllers, in the first instance.
    In addition the Commissioner has commented on some areas in which 
she considers the law could better protect individuals. These include:

 the lack of a right to compensation for distress caused by a 
        breach of the Act when there is no associated damage;
 the restriction on her right to assess a data controller's 
        processing of personal data for the following of good practice 
        which means that she can only do so with their consent;
 the lack of a power to impose a penalty rather than merely 
        ensure compliance where a data controller knowingly or 
        recklessly breaches the Data Protection Principles.

                          FURTHER INFORMATION

    The Commissioner would be pleased to supply further relevant 
information that the Sub-Committee might require.

    Mr. Stearns. Well, I thank you, Mr. Smith.
    I will start with the questions here. Let me say to my 
colleagues, if you have a business in Europe, and you want to 
use the internet to send out information back to the home 
company in the United States, you have an option of complying 
with the European Union's privacy provisions, or you have an 
option of the safe harbor agreement that was worked out between 
the administration and the European Union.
    Only 20 corporations, less than 20 corporations, have 
signed up for the safe harbor agreement, because it doesn't 
appear, at least from an American standpoint, to be practical. 
So a third alternative for you, if you are in Europe and you 
are doing business, and you want to send back information and 
do everything, is what is called a model contract.
    And so the gentleman we have here, my colleagues, is head 
of what is called the Article 29 Working Party, which is all of 
the European Union representatives come together and talk about 
how they are going to develop these model contracts.
    So the first question I would like to have for Professor 
Rodota is, what are the key terms spelled out in these model 
contracts? Do U.S. companies have any room to negotiate the 
provisions? If so, with whom do they negotiate? The company 
wishing to transfer data or a privacy commissioner? Do you 
understand that, or is the question clear?
    I think we need to know for American corporations, what are 
the key terms of the model contracts? Who do they negotiate, 
the company, or do they have to come to you as part of the 
privacy commissioner?
    Mr. Rodota. No. No. The companies do not have to come to 
the Data Protection Authority. Now the standard contractual 
clauses have been approved by our group, and now they are on 
the way to be approved by the Commission.
    So when this kind of model contracts will be approved, both 
parties--the exporter and the importer, the European part and 
the U.S. or the third country part, can pass a contract without 
an intervention of the Data Protection Authority at the 
European level, because it means that they are using a contract 
sealed by the European Commission.
    So if they respect the terms of the contract, they have a 
mechanism, an instrument, giving them the opportunity to comply 
with the adequacy test. This is a traditional contract. Yes, I 
don't know if my answer----
    Mr. Stearns. Can they negotiate terms?
    Mr. Rodota. Partly. Partly.
    Mr. Stearns. Partly.
    Mr. Rodota. You have the model contract, a model contract, 
the possibility to choose some options, yes, especially on the 
side of the enforcement, because you can have the possibility 
of--I have here the text of the--yes, the model contract.
    You have the possibility to, for instance, in the part of 
the obligation, to choose the legislation of reference, the 
different--the mediation and jurisdiction for possibility for 
solving the conflicts. So they are part--they cannot make us 
see it--the part referring to basic principles of the 
directive. And other parts parties can have the possibility to 
choose.
    Mr. Stearns. Mr. Smith, your testimony states that the 
Office of Information Commissioner has ``appropriate powers of 
investigation and intervention to monitor compliance with the 
law.'' Could you explain the limits of those powers? Could you 
please provide us with any examples of the application of said 
powers the Information Commissioner has taken to date for 
possible violation of the law?
    Mr. Smith. Yes, Chairman. There are certain criminal 
offenses, as I mentioned, under the Act--obtaining information 
by deception. We have prosecuted a number of organizations and 
individuals for that. We also prosecute for failing to be 
registered or notified with our authority.
    Where there are more matters that require investigation, 
whether they are criminal matters or breaches of the Data 
Protection Principles, we have powers to obtain search 
warrants, and we go before the court and obtain a search 
warrant to obtain evidence, and we have done that on several 
occasions.
    We also, under the new law, have a power to issue 
information notices which require businesses to answer 
questions which are necessary for our investigation. We have 
yet to use that, because this has only just come into being. 
And our powers then are--for general breaches of the Act are to 
issue enforcement notices, which require a business to change 
its practice to delete data, to provide notice and choice, or 
whatever.
    We have used that on probably about a dozen occasions up to 
now and--those cases, and some of them have gone to an appeal 
tribunal, which has generally found in our favor.
    Mr. Stearns. Thank you. My time has expired.
    Mr. Towns, ranking member?
    Mr. Towns. Thank you very much, Mr. Chairman.
    Mr. Smith, has the EU or any member country taken action 
against a firm for its failure to comply with the requirements 
of the privacy directive? And, if so, has any EU firm been 
forced to cease data operations as a result of the 
non-compliance?
    Mr. Smith. I can only answer in relation to the United 
Kingdom. We have taken action--because of the privacy 
directive, the law implementing that has only very recently 
come into force. The action we have taken under that, although 
there have been--we have commenced proceedings, in a number of 
cases is limited, but our old law was very similar and there 
were cases under the old law.
    We have required businesses to stop using information in 
the way that they were using it previously, and in some cases 
they have had to change their practices significantly. One 
recently has been in relation to utility companies, which were 
privatized, and the use of information for marketing purposes 
fall in privatization. And they have had to revise 
significantly their practices as a result of our action.
    There are others I could give, but we have required 
changes, certainly.
    Mr. Towns. Thank you. On that note, well, are the privacy 
contracts that are negotiated with foreign firms reviewed by EU 
officials, or is each country's privacy director responsible 
for determining that the contracts are consistent with the 
privacy directive? I mean, who makes that decision?
    Mr. Smith. Under the UK law, which is not necessarily 
identical to the laws of every member state, there are two 
ways. One is the way Professor Rodota has described, which is 
that there are model contract clauses approved by the 
Commission, and when those are approved UK businesses are 
perfectly entitled, and we would encourage them to use those 
and rely on those.
    There are also arrangements under the law where we, as 
Commissioner, can approve model contracts or individual 
arrangements between one company and another. And at the end of 
the day, the UK law requires adequacy, and it talks about 
adequacy being assessed on the basis of arrangements that apply 
in a particular case, whether--including terms such as codes 
which apply in general or in a particular case.
    And a contract is an enforceable arrangement that applies 
in a particular case. So it is possible for a UK business to 
develop a contract with a U.S. business, which does not 
necessarily follow precisely the model, if it is eventually 
approved by the community, and still ensure adequacy.
    So it is possible for contracts to be developed and to meet 
the requirements of the law.
    Mr. Towns. All right. Go ahead, Professor. Yes?
    Mr. Rodota. Yes. Let me describe very precisely a situation 
that can occur in all member states of the European Union. 
Because until now there are many cases in which the data 
protection authorities were asked by European and U.S. 
companies to agree with their contract.
    They control if they submit to the adequacy test, the 
contract submitted by both parties, and they are mostly in 
Germany. A very important contract passed by U.S. Citibank and 
Deutsche--and the Deutsche Railway. And in other countries like 
France, Spain, Italy, there are many cases in which until now 
not having some general rules like safe harbor, and not model 
contract approved at the European level, they used the 
possibility to ask in specific cases the data protection 
authorities.
    This is a very well-established procedure. Not easy. Not 
easy.
    Mr. Towns. Right.
    Mr. Rodota. Very, very bad for the data protection 
authorities.
    Mr. Towns. Are these private contracts disclosed publicly?
    Mr. Rodota. Yes. They are always brought to the Data 
Protection Authority.
    Mr. Towns. Well, how could I get one? How do you get a copy 
of them? How do people get copies of them?
    Mr. Stearns. He would like to get a copy himself.
    Mr. Smith. Certainly. The individual contracts would not be 
made publicly available. The only contracts which may be 
publicly available are the model which has been referred to.
    Mr. Towns. So, I mean, that is secret. Okay. Well, anyway, 
let me move on. You have been traveling a great distance.
    Let me just ask one other question, Mr. Chairman.
    There was a survey conducted by the Kearny Management Group 
which was reported in November of last year in the publication 
``Biz Report''--confirms this point. Let me quote, ``E 
retailers worldwide lose $6.1 billion''--that is B as in boy--
``in sales due to an 80 percent failure rate among online 
purchase attempts, and that invasive information requests are 
blamed for 52 percent of sales that fall apart, followed by 
reluctance to enter credit cards, 46 percent.'' Do you agree 
that business is paying a big price for the confidence consumer 
lacks in the privacy security of their online transactions?
    Mr. Smith. Yes, we would agree that there is a real problem 
there and that those businesses that recognize the true 
situation actually build privacy into their practices as a way 
of attracting and recruiting, keeping customers, rather than 
simply as a regulatory requirement.
    Your figures are supported by a whole range of studies, and 
our perception in the UK is the same as yours. Businesses 
increasingly will--not increasingly, but we do find businesses 
that adopt practices online which, in our view, are not 
acceptable and do not necessarily comply with the law, 
particularly excessive information gathering, requiring 
information as a condition of doing business where that is not 
necessary for the transaction, and failing to provide the 
choice that is allowed, and operating in an underhand way, not 
giving notice of information collection practices which are 
taking place through the use of cookies and mechanisms such as 
that.
    Mr. Towns. Thank you, Mr. Smith.
    Thank you, Mr. Chairman, for your generosity.
    Mr. Stearns. The gentleman's time has expired.
    Mr. Shimkus is recognized for 5 minutes.
    Mr. Shimkus. Thank you, Mr. Chairman. Mr. Chairman, I would 
recommend that also the OECD was mentioned in some of the 
opening statements. I had a chance to visit the OECD on the 
NATO trip. A lot of people--we don't--a lot of us don't know 
what that is, but we are a member. And we have an ambassador 
and a staff, and if they are doing issues on privacy we should 
probably call them to see what our response is in that 
organization, and I would be willing to help facilitate that.
    Mr. Stearns. It is a good idea to coordinate with them, 
too. Yes.
    Mr. Shimkus. Because they are working in conjunction with 
our European allies, not just--Mexico is a member, Korea is a 
member. It is a pretty big international grouping of nation 
states.
    Mr. Smith, I would like to--you also mentioned effective 
remedies for individuals, dispute resolution, which implies 
that there will be some information that will be improperly 
used, and that individuals will try to address redress, or get 
redress, which brings up the issue that I would like to ask on 
is the Investigative Powers Act or the RIP Act, which, again, 
based upon my opening statement, privacy is the utmost issue we 
had to debate here in our country on the CARNIVORE issue.
    The fact of being able to gather all of the communications, 
hold them in a bank of information for 7 years, and require 
people who are doing business to do so, I think is really a 
threat on privacy issues for our companies and individuals.
    And I would like to follow up with a question to both of 
you is, Professor Rodota, how does the EU Data Privacy 
Directive affect the RIP Act or similar laws that may pass in 
other EU countries? And how would the EU directive protect non-
EU members from the UK government storing personal information 
about them?
    Mr. Smith. Perhaps if I start, and then Professor Rodota 
can take up the general European situation.
    Mr. Shimkus. Great.
    Mr. Smith. The RIP Act, the Regulation of Investigatory 
Powers Act, doesn't actually include any measures that require 
or necessarily permit businesses to store data solely for--or 
telecommunications providers solely to store data----
    Mr. Shimkus. No. But the government stores it.
    Mr. Smith. Well, no, not under the Regulation of 
Investigatory Powers Act. The Regulation of Investigatory 
Powers Act only gives powers of interception, and we, as 
Commissioner, expressed views which weren't necessarily taken 
into account in the final version.
    You are quite right that there are proposals or suggestions 
to retain data for investigatory purposes. They are not 
actually part of the RIP Act, and they haven't yet been brought 
in. The suggestion of 7 years is merely in a leaked report from 
the National Criminal Intelligence Service and is by no means 
government policy.
    Government policy, as far as we know at the moment, is not 
to legislate in this area and to wait until international 
instruments address the matter and essentially set the 
standard.
    So I think there may be some misunderstanding. There is no 
requirement at the present time to keep traffic data for 
investigatory purposes for 7 years. We would be very much 
against that. If there is to be a period of retention at all, 
it should be very much shorter than that. And as I say, it is a 
matter being addressed by international instruments, which is 
what Professor Rodota----
    Mr. Shimkus. But if I may, before we go to the EU aspect, 
but is there--okay. If it is not a collection, is there a 
review of all data coming in, electronic, internet, or cell, or 
land line review, under the RIP Act?
    Mr. Smith. No, there isn't. I mean, there are arrangements 
whereby interception can take place. Essentially, there are 
provisions. They have to be authorized by--in some cases by the 
Home Secretary, in other cases by a senior police officer or 
equivalent.
    And one of our concerns when the bill was going through 
Parliament was the level of that authorization. We asked for it 
to be higher than it is. But there is an arrangement whereby 
interception does have to be authorized on a case-by-case 
basis.
    Mr. Shimkus. We had this debate on the encryption debate 
and law enforcement. It got very contentious here.
    And I will finish up with, if I may, Mr. Chairman, allowing 
the Professor to finish, and that will end my time.
    Mr. Rodota. I would like only to say that this problem is 
now under discussion in Europe, because the way in which 
traffic data can be collected is under discussion in the 
framework of the Council of Europe Directive on Conventions on 
cyber crime. And also, the U.S. are part in the negotiations.
    Generally speaking, the attitude is different in different 
countries. But the work--the Article 29 Working Party passed 
the resolution last year, very clear on this point, saying, 
first of all, that no interception can be made without an 
authorization by jurisdictions. And no collection, massive kind 
of data collection.
    This is the problem--two very important principles in the 
directive are: first of all, the principle of finality; and, 
second, the principle of proportionality. We were, and we are, 
strongly against any kind of massive collection, without the 
specific and indicated aim. We are asking also for a very short 
period in the duration for this kind of collection of data. 
They are moving in different directions.
    For instance, the Belgium Parliament has passed, for 
security reasons, for the first time, a law saying that data 
can be stored for 1 year, and that they are going beyond the 
indication Article 29, saying they were much more in favor of 
shortest time of conservation.
    Mr. Stearns. The gentleman's time has expired.
    Mr. Gordon, the gentleman from Tennessee, is recognized for 
5 minutes.
    Mr. Gordon. Mr. Shaw, if I could follow up on some comments 
you made earlier. You were talking about how individuals in the 
United Kingdom had the right to go to court, if necessary, to 
protect their rights if--as individuals. Do you have what we 
would call class action lawsuits here? Do they go as an 
individual, or can they bring in large groups of individuals 
that they feel are in that same situation?
    Mr. Smith. No, the UK law, as it stands at the moment, only 
allows individuals to bring cases. And I think it is fair to 
point out that actually the individual's rights are fairly 
limited, and that it only enables them in terms of getting 
redress, to get compensation for damage, which in UK legal 
terms involves some sort of financially quantifiable loss. And 
most of the data protection breaches result in distress to 
individuals, but not necessarily a financially quantifiable 
loss.
    So I think we have been asked, as Commissioner, to express 
our views on the law, and it is one area we feel the law could 
be improved in providing redress for individuals.
    Mr. Gordon. So if you are a U.S. company thinking about 
doing business in Great Britain, I guess my thoughts would be, 
certainly, if I was looking at Europe at large, that although 
United Kingdom has not opted into the Euro, it would--you know, 
certainly, the EU is trying to bring down barriers among their 
own countries and trying to become more productive in terms of 
their commerce there.
    But this is--I guess in Tennessee we would call it a little 
loosey-goosey. I mean, you know, if I am a company, and I am 
trying to do business in Italy and maybe in France, and a 
couple of other countries, under a safe harbor I would be 
somewhat concerned that maybe one country would say okay, 
another country maybe not. You know, it makes you concerned 
there.
    So if you are deemed not properly within the safe harbor, 
what are the penalties? What risk does an American company, Mr. 
Shaw, risk?
    Mr. Smith. If a company is not part of the safe harbor and 
transfers----
    Mr. Gordon. Or tries to be, but deemed not so.
    Mr. Smith. Yes.
    Mr. Gordon. In one--say, potentially, two countries say 
yes, but another country says no.
    Mr. Smith. Yes. I mean, that is not how the safe harbor 
works. It is up to the U.S.--I believe it is through the 
Federal Trade Commission--to take people onto the safe harbor 
list. And if they are taken onto the list, then we and all of 
the other EU member states have to recognize them as providing 
adequate protection. We have no choice in that, and this is a 
common standard.
    The area where penalties would come in is if a U.S. 
business is not in a safe harbor, has made no arrangements for 
adequacy, has no contract or other arrangements, and is 
transferring data in breach of the law. And then our power 
would essentially be to provide them with an order to stop them 
transferring that data. And if they failed to comply with that 
order, then they could be prosecuted for a criminal offense.
    Mr. Gordon. Okay. So if the FTC says that they are in 
compliance with safe harbor, but, again, a country in Europe 
disagrees with that, then does the FTC's position trump it?
    Mr. Rodota. I would like to--also to go back to the first--
the first question you raised. In Italy, we have no class 
actions, but there is the possibility, if the people make this 
kind of decision, to be assisted or to be substituted by a 
tribunal or organization.
    In the situation of a weakness or the part asking for the 
respect of the law, the individual can give the possibility to 
a group to act in--on behalf on its own interest. This is very 
interesting machinery.
    Second, the problem if this--there is the possibility that 
the same request made by a U.S. company in France or in Italy 
have different answers. It is possible that they can escape 
this risk using one or two means. There you have safe harbor or 
standard contractual clauses.
    Third, if there are the possibility--if some data are 
transferred without entering the safe harbor, without having--
using model contract, without previous authorization of the 
national Data Protection Authority, they are in infringement of 
law, surely, for the national authority.
    What happens if there is a discrepancy between what the FTC 
decides and the attitude of the national Data Protection 
Authority? That is a problem. That is a problem because we are 
waiting for the way in which the Federal Trade Commission 
will----
    Mr. Gordon. Excuse me. We have a limited amount of time. 
So, again, so you are saying, then, that there can be a 
situation where the FTC could grant safe harbor, but an 
individual European country could say, ``We don't agree with 
that.'' Is that----
    Mr. Rodota. They don't agree with the safe harbor----
    Mr. Gordon. All right. So, then----
    Mr. Rodota. [continuing] with the FTC decision.
    Mr. Gordon. All right. That is not consistent, then, with 
what Mr. Shaw said, is it? And I am trying to figure out--Mr. 
Shaw, is that----
    Mr. Stearns. Mr. Smith, you mean.
    Mr. Gordon. Mr. Smith. I am sorry. Excuse me. Is that--that 
sounds to be inconsistent there with your statement. Is that 
true or not? I am just trying to--I am not trying to get a 
fight here. I am just trying to find out what is going on, and 
then trying to see what level of risk our countries are taking, 
or our companies are taking.
    Mr. Smith. My understanding is that if a business is on the 
safe harbor list, we, as a supervisory authority in the UK, 
cannot act to stop transfer to that business, unless there is 
some breach of UK law taking place in the UK prior to transfer, 
which, you know, would be the same as if the transfer was to a 
company in France or even to another company in the UK.
    The only area where I believe we could take action is if 
the company has failed to comply, demonstrably failed to comply 
with the safe harbor arrangements, and then the--and no action 
has been taken. But, essentially, if they are on the safe 
harbor list, then they are approved in that sense.
    Mr. Stearns. The gentleman's time has----
    Mr. Gordon. Yes. But you are still the final arbitrator of 
that.
    Mr. Stearns. The gentleman's time has expired.
    Let me just, have you folks finished your answers? Yes.
    The gentleman from New Hampshire, Mr. Bass, is recognized. 
He is not here.
    Then, Mr. Doyle is recognized.
    Mr. Doyle. Thank you, Mr. Chairman.
    You were asked earlier, I believe, by Mr. Towns about the 
privacy contracts and whether they were disclosed publicly, and 
I believe your answer was that they weren't, that they were 
private, is that correct?
    Mr. Smith. Yes.
    Mr. Doyle. So when a company negotiates a private contract 
with the privacy director, that is only known--the details of 
that are known between the company and the privacy director. 
Yet when companies go the safe harbor route, the details of 
that agreement are posted on the internet and are publicly 
disclosed for all to see.
    Do you think maybe that explains why so few companies go 
the safe harbor route? Wouldn't it be smarter for them to make 
their arrangements with the privacy director in private without 
disclosure? How does one police--you know, if the contracts are 
private, you know, how does one know what agreements are being 
made in private between the companies and the privacy director, 
as opposed to companies that go the safe harbor route and 
disclose everything?
    Mr. Rodota. That is a matter of the politics of each 
company. But generally speaking, I think that entering safe 
harbor means the company can transfer data by European partners 
without any specific and case-by-case procedure. Otherwise, in 
any case and for every counterpart you have in Europe you must 
engage a specific procedure before the national Data Protection 
Authority.
    I think that the economy of means may be balanced by the 
limited publicity of----
    Mr. Doyle. So if you are dealing in multiple countries, you 
would have to get a separate contract in each one of these 
countries. And that hassle, or, you know, whatever that would 
entail is outweighed by the disclosure.
    Mr. Smith, do you agree with that?
    Mr. Smith. Yes.
    Mr. Doyle. Let me ask you another question. Do you think 
the European Union privacy directive, do you think it was a 
reactive initiative and measure? That is, that European 
industries weren't practicing self-regulation and the 
government needed to step in and put an extra level of 
protection, or do you simply see it as something that 
complemented what industry in Europe was doing?
    Mr. Smith. Yes. I think the thinking behind the directive 
was from a slightly different perspective. It was essentially 
seen as the development of the single market within Europe. And 
in order to remove the possibility of, say, the UK businesses 
not being allowed to transfer data to France, for example, on 
the basis that there was inadequate protection, the directive 
would bring all countries up to a roughly similar level. So 
there is no basis for restricting the flow of data.
    I think that was the thinking behind it. I mean, in most 
countries, but not all, there was data protection law 
beforehand. There was in the UK. And I think the roots of that 
were primarily in the human rights argument that there needed 
to be a level of protection. We had signed up, as the UK, to 
the Council of Europe Convention and should have had a law, 
then, to implement that.
    But also, as I mentioned earlier, there was a strong lobby 
in the UK from the business community, from the Confederation 
of British Industry, to have data protection law in the UK, 
firstly, to give some reassurance to consumers that they could 
trust companies which computerize their data--was basically the 
position at that time. But also, to bring the UK at that time 
into the European data protection, if you like, club, to enable 
it to participate in the flow of data.
    So I don't think there was a great deal of look at, if you 
like, whether self-regulation was effective or not in terms of 
developing the law. But what we are seeking to do now is very 
much encourage self-regulation and self-regulation to resolve, 
if you like, day-to-day consumers' problems and individuals' 
problems but with a backstop of the law. So if that fails, then 
the law is there to provide the final area.
    Mr. Doyle. Just one last question. To the four countries, 
Professor, that you said were in non-compliance with the 
directive--Germany, France, Ireland, and Luxembourg--are the 
data firms in these countries being forced to enter into 
privacy contracts to continue transfers with other EU members?
    Mr. Rodota. The fact that they have not implemented the 
directive does not mean that they have no data protection. They 
have data protection. France and Germany have very well-
established, since 1978, data protection laws. They have Data 
Protection Authority very, very prominent in France and in 
Germany. In Germany, they have also the Federal level. It means 
that they have data protection authorities in every land. So I 
think that that is not a problem.
    I would add a word on the problem of industry, self-
regulation, and the framework of directive. I think that we are 
now assisting to a very interesting development inside Europe, 
because the codes of conducts are not at all considered as an 
expression of a specific sector. You know that there is an 
article in the directive, the Article 27, implementing the 
codes of conduct.
    This means that the interested sector can submit a draft to 
the workgroup--Article 29 working group--asking for a seal, in 
brackets, for a seal. And it means that this kind of codes of 
conduct comply with the general principles of directive. 
Expression of a representative sector of the industry are 
agreed, and they have not only a moral suasion, much moral 
suasion, but they can better be implemented also at the code 
level. It is very important.
    And, in Italy, we are now developing this experience of 
codes of conduct with different sectors. Media, it is working 
very well; the sector of research, historical statistics; the 
sector of private investigation; banking and insurance now we 
are underway.
    It is very important, because we have a general set of 
legal established principles and a tool, the codes of conduct, 
for making these principles flexible. This is very important. 
But it means that you have at the national level, or the 
European level, one single body giving this kind of seal.
    And if I can express an opinion, it would be very important 
for all of the world if also United States will have an agency, 
a privacy agency, giving this opportunity to the citizens and 
also to the business community.
    Mr. Doyle. Thank you.
    Mr. Stearns. The gentleman's time has expired.
    Mr. Buyer is recognized for 5 minutes.
    Mr. Buyer. I want to thank you, Mr. Chairman, and I want to 
thank the witnesses for coming. I want to make a few comments, 
and then I want to solicit your response to my comments and my 
question.
    I have been upon the European continent. Not only as a 
private citizen, but I have worn the uniform, and as a Member 
of Congress. One thing I enjoy are these discussions, because 
it always reinforces what I believe was good judgment of my 
ancestors to leave the continent.
    Okay? I find myself troubled at the moment. I am troubled 
because, as I watch the European Union sort of try to come 
together, which in world history is amazing. Because you mocked 
us at the creation of our country, as we were called the Grand 
American Experiment. Perhaps we can now look back across the 
ocean and sort of mock you back and say, ``Well, let us see if 
it can succeed.''
    And then, I find myself here in Congress, and say, ``Well, 
I do agree in a quest for economic harmony?'' That is what we 
are trying to do as each of us, as sovereign nations, seek to 
protect our own identity, and how we choose to recognize rights 
and govern. Okay?
    You, meaning the European Union, and those member 
countries, have chosen to give up something for some social 
compact. Am I now here in this country supposed to accept that 
your model should be the standard for the world? I am bothered 
and troubled at the moment.
    I find myself a few years ago having to vote on some 
measures here in Congress that were negotiated with countries 
around the world, or whether we should create the World Trade 
Organization and The General Agreement on Tariffs and Trades. 
It was very difficult to get Europe to agree on certain things. 
So in the end, in order to get signatures, we created carveouts 
and exceptions.
    Now I find myself troubled and ask, are these carveouts and 
exceptions being exploited? We recognize that nations want to 
protect, certain things, whether it is cultural or other types 
of things. Like, are we are not going to let those genetically 
engineered organisms come in upon our continent? My gosh, let 
us just prevent all that U.S. agriculture from coming in. So 
they exploit an exception.
    So I am curious as I sit here, because you are the experts 
now. What protections did the EU nations make to ensure that 
the data protection did not generate a violation of the 
commitments that your nations made to the World Trade 
Organization? Do you believe that it did or did not? I am 
interested in the response from both of you.
    Mr. Rodota. I emphasized at the beginning of my statement 
that there is an important evolution in the European Union, 
giving an important protection to personal data because they 
are considered a very important part of fundamental human 
rights. And if we are living in the information society, 
information about individuals becomes more and more important 
for respecting the individual rights.
    There is not an idea to impose a model to the world or to 
defend a cultural identity. Europe accepted the modern idea of 
privacy protection coming from the United States. That was very 
important for us. We recognized a very important improvement in 
the idea of democratic rights, privacy. We accepted this idea. 
And as a very prominent law philosopher, Ronald Dworkin, 
teaching in the U.S. said, we have taken rights seriously.
    So at this very moment, we are not trying to impose our 
model. We are trying to have a dialog on these very important 
issues with all countries, and we respect the idea and the 
model of U.S. Otherwise, the safe harbor could not be possible.
    But at the same time, we have considered privacy problems 
according to the very, very long American tradition. I am a 
professor of law. I know very well the seminal work of Warren 
Brandeis published in the Harvard Law Review in 19--at the end 
of the 19th century, 1890, in the Harvard Law Review.
    And the idea of privacy was not directly connected with 
economic at first. We must have a balance. This is our 
attitude, and I think that we can have a fruitful dialog on 
these points.
    Mr. Smith. I have nothing to add.
    Mr. Stearns. The gentleman's time has expired.
    Ms. DeGette is recognized for 5 minutes.
    Ms. DeGette. Mr. Chairman, thank you very much. And I 
wasn't here at the beginning of the hearing, I was on the 
floor, and so I would like to ask unanimous consent for myself 
and all other members to submit their opening statements for 
the record, Mr. Chairman.
    Mr. Stearns. Unanimous consent so granted.
    Ms. DeGette. Thank you. And I am sure that my colleagues 
thanked both of you for traveling here to testify today, but I 
would like to add my thanks. I know that the European Union has 
tried very hard to craft a policy directive that will protect 
consumers and at the same time encourage commerce.
    And I, for one, think that it is a noble effort, and I am 
sure that most of the members of this subcommittee would share 
my congratulations. As with the United States, it is an 
evolving effort because of the evolving technologies. And I 
would just like to ask you gentlemen a couple of questions in 
that direction.
    First of all, for clarification, Germany, France, Ireland, 
and Luxembourg, it is not that they are in non-compliance, in 
my understanding, it is that they have not yet adopted the EU 
Data Protection Directive. Would that be correct, Professor?
    Mr. Rodota. Yes.
    Ms. DeGette. And I would assume in those situations that 
would be because they feel that they have their own laws which 
will protect privacy. I think you talked in particular about 
France and perhaps Germany.
    Mr. Rodota. No. I think that the reasons why they have not 
yet implemented the directive are political ones----
    Ms. DeGette. I see.
    Mr. Rodota. [continuing] because they changed their 
majority, and the new government in France started again with----
    Ms. DeGette. Okay.
    Mr. Rodota. I think that--and Germany is now trying to have 
a more comprehensive----
    Ms. DeGette. I see.
    Mr. Rodota. [continuing] law than the----
    Ms. DeGette. Then the----
    Mr. Rodota. [continuing] same directive.
    Ms. DeGette. Okay.
    Mr. Rodota. I think that at the end of this year they will 
comply with that.
    Ms. DeGette. They will. Now, I am sure both of you 
gentlemen are familiar with a recent study that was done by 
Consumers International. It was quoted extensively in The Wall 
Street Journal. And in the article, Anna Fiedler, who is the 
Director of Consumers International, said that the evidence 
shows there is a real lack of enforcement by the EU privacy 
regulations. So that even though they are on the books, they 
are rendered useless.
    What is your opinion? Let us start with Mr. Smith, and then 
we will go to you, Professor, on that.
    Mr. Smith. Yes. Thank you. We have some--I mean, I have 
some sympathy with the article, although I think it perhaps 
goes a little too far in saying that enforcement is useless. I 
mean, I have described I hope to the committee some of our 
enforcement action and the powers that we have and that we have 
used them.
    But we have never seen formal enforcement as the primary 
mechanism of achieving data protection compliance. It is rather 
through a process of education, development, and encouragement, 
and developing it into good business practice, self-regulatory 
requirements, that compliance is being delivered.
    Now, there is a long way to go, and the survey relates 
particularly to the world of electronic commerce----
    Ms. DeGette. Right.
    Mr. Smith. [continuing] where there are real challenges.
    Ms. DeGette. Thank you.
    Professor?
    Mr. Rodota. Well, I think that--I know the study. I have 
seen the article in The Wall Street Journal. I am convinced 
that it is a misunderstanding. And they--this research gives a 
false impression of the real situation. They say 60 percent, if 
I remember correctly, of the American websites have----
    Ms. DeGette. Privacy.
    Mr. Rodota. [continuing] privacy problem.
    Ms. DeGette. Right.
    Mr. Rodota. And only 32 percent of the European websites 
have a privacy problem. But, in Europe, even if there is no 
policy indicated by the websites, in any case that is the law.
    Ms. DeGette. Well----
    Mr. Rodota. And the citizens have the opportunity to use 
law without any reference to the politics indicated by the 
websites.
    Ms. DeGette. Yes. But, Professor, what the study said was 
that more than 69 percent of European websites collect 
information by users, but only 32 percent point them to the 
privacy policy. What they pointed out is there is a lack of 
consumer confidence.
    Mr. Rodota. No. But----
    Ms. DeGette. That is not correct?
    Mr. Rodota. This is--that is a problem. Frankly speaking, I 
must say that we are discussing the Article 29 group on the 
basis of a proposal of the French Data Protection Authority. 
The French Data Protection Authority made an inquiry in France 
for having the--for checking the kind of politics of privacy 
politics by the different websites.
    And now we are discussing European level, in order to give 
also a European seal to the websites. But in any case, it does 
not mean that consumers in Europe have not enough protection. 
For instance, in Italy, some consumers ask our Data Protection 
Authority against some collectors of data, and we have the 
means to intervene. We intervened. We are the enquirer. And at 
the end, also we apply the sanction, and there is the 
possibility of an intervention of the judiciary.
    And generally speaking, we have at the European level a 
recommendation of the Article 29 group saying that the 
invisible treatment, for instance through cookies, are in 
Europe completely illegal on the basis of the European 
directive.
    Ms. DeGette. Thank you.
    Mr. Stearns. The gentlelady's time has expired.
    Mr. Walden, the gentleman from Oregon, is recognized for 5 
minutes.
    Mr. Walden. Thank you, Mr. Chairman.
    I appreciate your testimony today and your willingness to 
come here and share your views on the privacy directive and 
help us understand it better.
    I am curious, given what you are trying to do to solve the 
problems within the EU countries, so you have a common 
threshold for privacy protection, when we look at those and say 
we have to comply in order to have commerce, in effect, what do 
we do when Canada or Argentina or somebody comes in with a 
different set of directives?
    How is the EU going to relate to that if Canada, for 
example, has a different requirement than what you have 
negotiated with the EU? Is each country going to negotiate, 
then, separately with Canada or the U.S.? How does that work? 
Can either of you speculate on that?
    Mr. Smith. Yes. The European directive under UK law 
requires adequacy, not equivalence. It doesn't have to be the 
same as the directive.
    Mr. Walden. All right.
    Mr. Smith. And, indeed, the safe harbor arrangements do 
differ from the directive. The Canadian law which is on the way 
to being approved, but has not yet been approved, is also 
significantly different. I mean, I do take your point that, you 
know, where you go to is sort of, when you do these 
comparisons, around the world. But with that approach to 
adequacy rather than equivalence, it shouldn't be too difficult 
to reach that sort of settlement.
    We would also favor--I mean, it is not for us to put it 
forward. We are only the supervisory authority.
    Mr. Walden. Right.
    Mr. Smith. Increasing development of international 
instruments, and the work which has been referred to as the 
OECD is particularly important in this area. And we would very 
much encourage it. I mean, that clearly would be the ideal, an 
international framework which we could all sign up to, which 
will provide the privacy protection effectively, and what is, 
you know, now a global market, where it is difficult to apply 
some of the nationally based regulatory requirements.
    Mr. Walden. Because it seems to me--see if you agree with 
this--that your privacy directive, first of all, has an 
individual right of action. Somebody can sue, correct? And so 
one of the concerns I have, and I think shared by Mr. Buyer and 
others, is how that affects our sovereignty as a nation.
    Because, in effect, you could export an enforceable legal 
right to the United States that could be litigated here by both 
an American and a non-American in our court system, in effect a 
law we have never voted on, enacted, and yet somebody can be 
sued here. Correct? I mean, that is what I am hearing is a 
possibility. Is that----
    Mr. Smith. I am not sure that I am in a position to answer 
that.
    Mr. Walden. Okay.
    Mr. Smith. I think that is a question which really has to 
be directed to the European Commission rather than to----
    Mr. Walden. I see. But do you see where we are headed here? 
Do you share that concern? What if we have one that could be 
litigated in the European Union without you ever having an 
opportunity to weigh in on it, if we pass a directive?
    Mr. Stearns. Just a point of information. I think the 
gentlemen, if they don't sign the safe harbor, they can't be 
prosecuted in the United States. But if they sign the safe 
harbor, and ultimately the model directive, yes, they can be 
sued.
    Mr. Walden. But the impact, though, Mr. Chairman, is if 
they don't sign or don't agree----
    Mr. Stearns. Right.
    Mr. Walden. [continuing] they have been excluded from 
commerce, so by de facto you either are excluded from trade or 
you agree to absorb somebody else's laws and suffer personal 
right of----
    Mr. Smith. I mean, that is certainly not how we as a 
supervisory authority would view it. I mean, those are----
    Mr. Walden. Okay.
    Mr. Smith. [continuing] wide questions. But the simple 
approach that we would take is that if it is data on a UK 
citizen, that ought to be protected. And if that citizen gives 
the data to a business operating in the UK, that person ought 
to have some privacy protection. And if that company simply 
exports the data, not necessarily to the United States, to 
anywhere in the world----
    Mr. Walden. Sure.
    Mr. Smith. [continuing] which doesn't have protection, that 
citizen is at risk, and increasingly so because of global 
markets and the internet and the way in which information can 
be moved around the world so readily. And it is simply a 
question of providing protection.
    I think that does raise questions of the sort that you have 
raised, but those would not be, certainly from our point of 
view, at the top of the list.
    Mr. Walden. Right.
    Mr. Smith. They are consequences rather than intentions.
    Mr. Walden. I guess the problem--my time has expired, but I 
guess the problem I see is that, you know, okay, so we line up 
with the EU, and then, you know, China comes up with a 
different set, and then this is a pretty sticky wicket we are 
headed into. So I--I am out of time. Thank you.
    Mr. Towns. The gentleman's time has expired.
    The gentleman from Georgia, the ranking member, Mr. Nathan 
Deal? Actually, he is the vice chairman of the subcommittee, 
not ranking member, vice chairman.
    Mr. Deal. Thank you, Mr. Chairman.
    And I would like to also express my appreciation to the 
panel members for coming and appearing here today. And even 
though I share with my colleague, Mr. Buyer, the thankfulness 
that my forefathers decided to come to this country and leave 
the continent, my forefathers from the south also went a little 
further and decided they didn't like the United States either 
and tried to secede from that.
    And I must tell you gentlemen that we appreciate your--both 
your English dialect and your Italian dialect, as you speak the 
English language. I must tell you, I hear with a southern 
accent, and I appreciate your efforts, and I will do the best 
to do my part as well.
    In the discussion we have had, it is obvious that one of 
the concerns that we have as a Congress, and I think as 
individuals, is this issue of sovereignty. How do we deal with 
a directive that has now been adopted by 11, as I understand, 
of the European Union nations? And how do we incorporate that 
into what we do legislatively?
    I think I understand the process that you have set up with 
the safe harbor and the contract approach, but I suppose the 
most important question that I would have at this point is our 
most recent attempts to legislate in the area of privacy 
related to financial institutions, commonly referred to--I 
believe we call it the Gramm-Leach-Bliley legislative 
initiative on financial institutions setting standards for 
privacy.
    And I apologize if you have answered this question before I 
arrived. But it is my understanding that there has been a 
determination by the EU that these do not meet the standards of 
adequacy. Is that correct, or has there been any determination 
in that regard?
    Mr. Smith. I will explain my understanding, and Professor 
Rodota can correct me if I get it wrong. My understanding is 
that there has been no determination. That in the course of the 
safe harbor discussions the question of the Gramm-Leach-Bliley 
legislation was put to one side and said we would look at that 
later, but it has not been returned to.
    I am not familiar with all of the detail of it, so I can't 
give an authoritative answer. But I have been asked about it by 
UK financial institutions, and the view that I have expressed 
there is that it is, if you like, very good as far as it goes. 
It does--or it looks on the face of it as though it would 
provide adequacy in terms of notice and possibly choice, and it 
deals with security aspects.
    But there are other issues that arise out of the European 
directive in the UK law to do with information being accurate, 
up to date, not kept for longer than is necessary, which I am 
not sure--and I only say I am not sure--I am not sure that the 
legislation necessarily addresses.
    And, in fact, in terms of international transfers, the area 
it addresses most comprehensively, the notice and choice, is 
not necessarily a very big issue for--as in Europe, because 
essentially we are talking about data that have been collected 
already in Europe. So the notice and choice provisions are 
already there under European and UK law.
    So those are only views off the top of my head from what I 
have looked at. It is not that there is anything wrong with 
what is there. It is not that it doesn't necessarily go as far 
as it should.
    And I think, you know, concerns have been expressed about 
trying to export European requirements. I mean, the safe harbor 
arrangements are viewed as adequate. They are a U.S. approach. 
They are based on your self-regulatory arrangements. They are 
not the same as the European approach, but they have been 
viewed as adequate.
    And although we are not trying to convince you to our 
approach, it is not our job to do that, it is simply to provide 
some information. Some things it is hard to see in any, if you 
like, data protection or privacy system, how you can get away 
from some of the basics which I would hope we would all agree 
on, that information must be kept secure, people should be 
given notice, they should be given choice.
    We might disagree about quite what that choice is and 
whether it is opt-in or opt-out. But for a very large amount of 
what we talked about, we must surely be agreed on what the 
basic principles are.
    Mr. Deal. Just very quickly before my time expires. In our 
dialogs and as we go forward with consideration of privacy 
legislation in this country, we are concerned, as Mr. Walden 
has indicated, with the countervailing part, with the rights. 
We are trying to define rights of privacy, but we recognize 
that with every right there also must be a remedy.
    And our concern with the litigation portion of it is we are 
a more litigious society than perhaps your continent is, and we 
are concerned about that and have to be concerned about it. So 
when we express those opinions, it is because of our own 
history with regard to when we define rights, and we provide 
remedies. Sometimes the remedies define the rights.
    Mr. Smith. Yes, we recognize that.
    Mr. Stearns. I thank my colleague. His time has expired.
    We have finished with the first panel. Professor Rodota, we 
thank you very much for participating, and Mr. Smith. We are 
delighted that the two of you took the time, and we hope you 
will stay around and listen to panel No. 2.
    And with that, we are going to proceed forward here for 
another 15 to 20 minutes, and then we are going to break for 
lunch.
    Yes?
    Mr. Markey. Can I ask one question?
    Mr. Stearns. Oh, absolutely. Okay. Mr. Markey is recognized 
for 5 minutes.
    Mr. Markey. Thank you, Mr. Chairman, very much.
    Professor Rodota, Mr. Smith, I note that under the safe 
harbor the EU has negotiated with the U.S. financial data 
regulated under the Gramm-Leach-Bliley Act does not qualify for 
the safe harbor. I believe this was a wise decision on your 
part, since the privacy provisions of that Act are a pathetic 
joke.
    For example, under the Act, a consumer's consent does not 
have to be obtained in order to transfer data between separate 
affiliates. All of these secrets that you have as they all--as 
they merge--insurance and brokerage and banking, as they all 
merge, you don't have any privacy.
    You can't protect the secrets of your health care, of your 
family, from being transferred, between separate affiliates in 
the holding company or with a non-affiliated third party who 
have entered into a joint marketing agreement with a financial 
institution.
    In addition, consumers have no access and correction 
rights. Since the charter of fundamental rights of the European 
Union specifically calls for consent and access and correction 
rights, will the EU continue to resist including this totally 
inadequate Gramm-Leach-Bliley Act within the safe harbor?
    Mr. Rodota. You know why the financial institutions are not 
qualified. Because if you look at the memorandum related to the 
safe harbor enforcement overview, there is a problem because 
FTC has no jurisdiction for this area. And the U.S. Government 
has notified only two bodies for the enforcement--FTC and 
Department of Commerce.
    So you can see that there is a problem for this kind of----
    Mr. Markey. Is it going to continue to be a problem for 
you?
    Mr. Rodota. No. We may have now the possibility to use 
standard contractual clauses. I think that that--now they have 
this opportunity.
    Mr. Markey. So you have an opportunity to lower the privacy 
standards in Europe?
    Mr. Rodota. Too low now.
    Mr. Markey. No.
    Mr. Rodota. No, no.
    Mr. Markey. You won't lower them.
    Mr. Rodota. No, no, no.
    Mr. Markey. Oh, good. That is what----
    Mr. Rodota. That is myself----
    Mr. Markey. Thank you. I see, yes.
    Mr. Rodota. [continuing] negotiating, but the Ambassador I 
don't know, but I am----
    Mr. Markey. Okay.
    Mr. Rodota. [continuing] on this point.
    Mr. Markey. Now, Professor Rodota or Mr. Smith, are you 
aware that last year the Clinton Administration submitted draft 
legislation which Representatives LaFalce and Dingell and I 
introduced to close these loopholes in the Gramm-Leach-Bliley 
Act?
    Unfortunately, the Republican majority did not take up our 
bill. We are hopeful that the Bush Administration will take a 
far more favorable view. Has the EU asked the administration 
whether it intends to close the loopholes in the Gramm-Leach-
Bliley Act, which make it inconsistent with the EU privacy 
directive?
    Mr. Smith. I mean, I can't really add to the answer I gave, 
I am sorry. I was asked about this by one of your colleagues 
before you----
    Mr. Markey. You can just answer yes or no then. Have you 
asked them to adopt----
    Mr. Smith. No. As far as I know, and I cannot speak on 
behalf of the European Commission, there has been no request 
and there has been no decision in relation to the Gramm-Leach-
Bliley legislation. It was put to one side during the safe 
harbor arrangements and has not been returned to.
    And the answer I gave before, I suggested some reasons why 
there could be difficulties in considering that legislation 
adequate. And you have--and the question added to that 
explanation.
    Mr. Markey. I just wanted you to know, because my time is 
going to expire, that many people in our country say, ``Oh, we 
are not like the Europeans. They like a lot more privacy than 
we like here in the United States.'' But when they poll in the 
United States, 85 percent of Americans want the same privacy 
that you give to your citizens.
    And I think the reason is that most of our grandparents 
came from your countries, and you can't wash your family values 
out in a generation in the United States. And so the polling is 
identical, and the only way in which we don't adopt your 
standards is that the Republicans won't allow us to have a 
clean vote on the floor of the House of Representatives.
    Because if we did, everyone would be forced to vote for it, 
because 85 percent of the American people want it. So you 
should just understand that the whole process is aimed toward 
not allowing any votes on the floor of the Congress, because 
there would be an overwhelmingly favorable vote to do exactly 
what you have done because we feel exactly like those from 
Ireland and Germany and France and Italy, etcetera, etcetera, 
feel about the very same health and financial services and 
other information issues.
    But there is a large corporate sector here that for some 
reason or another doesn't want to have a fair vote out on the 
House floor, and that is why they are sitting out there behind 
you.
    Okay. Just so you understand that.
    So keep up the good work. Okay?
    Thank you, Mr. Chairman.
    Mr. Stearns. The gentleman has 2 seconds left.
    We thank the gentleman for arriving in time, and we 
appreciate his questions. We assure him that we are going to 
try to develop a bipartisan bill. With his help, we will be 
able to do that.
    Well, we have just finished, as I said earlier, the first 
panel, and we have a vote in place. And we understand it is 
going to be successive votes between 12 and 1. And so we are 
going to motion to adjourn, and I think until 1. I think that 
is what I hear from the House, that we are going to have 
continuing votes here up until 1. So I appreciate that, to 
panel No. 2, have a nice lunch, and we will see everybody back 
here at 1.
    [Brief recess.]
    Mr. Stearns. The Subcommittee on Commerce, Trade, and 
Consumer Protection will reconvene, and I thank panel two for 
waiting. We had a number of votes, and we are going to continue 
on. We know all of you have planes to catch.
    So, panel two, we have Ambassador David Aaron, former 
Undersecretary of Commerce for International Trade, U.S. 
Department of Commerce; Mr. Jonathan Winer, former Deputy 
Assistant Secretary for International Law Enforcement, U.S. 
State Department; Professor Joel Reidenberg, Professor of Law 
at Fordham University School of Law; Mr. Denis Henry, Vice 
President, Regulatory Law, Bell Canada; and Ms. Barbara Lawler, 
Customer Privacy Manager at Hewlett Packard.
    Thank you very much, sincerely, for waiting for us. We are 
very pleased to have your opening testimony, and we will just 
start maybe just from the left and go to the right here, my 
left.
    So we would start, then, with Ambassador Aaron.

  STATEMENTS OF DAVID L. AARON, SENIOR INTERNATIONAL ADVISOR, 
 DORSEY & WHITNEY LLP; JONATHAN M. WINER, COUNSEL, ALSTON AND 
    BYRD LLP; JOEL R. REIDENBERG, PROFESSOR OF LAW, FORDHAM 
   UNIVERSITY SCHOOL OF LAW; DENIS E. HENRY, VICE PRESIDENT, 
   REGULATORY LAW, BELL CANADA; AND BARBARA LAWLER, CUSTOMER 
                PRIVACY MANAGER, HEWLETT PACKARD

    Mr. Aaron. Thank you very much, Mr. Chairman. Let me thank 
you and the committee for inviting me to testify on the 
European Union's Personal Data Protection Directive and its 
implications for U.S. privacy law.
    It is important to recognize that while we and the 
Europeans share many basic values, the EU directive comes from 
a different legal tradition and historical experience, 
including the police states and the holocaust of the last 
century. The EU directive attempts to set up a comprehensive 
personal data protection regime that tries to anticipate every 
problem and answer every question. It is enforced by a system 
of independent data privacy commissioners in each of the member 
states.
    While its goals may be laudable, there are a number of 
fundamental problems with the European directive. First, it was 
conceived over a dozen years ago when there was no World Wide 
Web and information technology was dominated by mainframe 
computers, not distributed information networks, laptops, and 
digital assistants. As a result, the directive is often rigid 
or silent in dealing with privacy issues growing out of new 
technology and new business models. Many European states have 
had great difficulty translating it into national law.
    Second, one can read the European Personal Data Protection 
Directive from end to end and not find the word ``privacy.'' 
Although the Commission--the statement on human rights talks 
about respecting private and family life, the personal data 
protection is an obligation of the states toward its citizens. 
In America, we believe that privacy is a right that inheres in 
the individual.
    We can trade our privacy--our private information for some 
benefit if we choose. In many instances, the Europeans cannot. 
This can have an important implication when it comes to 
electronic commerce. But the most troubling aspect of the 
directive for the United States is the requirement that 
personal data only be transmitted from Europe to countries that 
have ``adequate'' privacy regimes. In effect, the directive 
would embargo European personal data to any country whose 
privacy policies, including the United States, the EU had not 
approved.
    Imagine, no transatlantic bank connections, no 
transatlantic brokerage, no credit card purchases, airline or 
hotel reservations, no internet or catalog sales, no ability of 
U.S. firms to manage their operations in Europe, and vice 
versa. Fortunately, the European Commission recognized that 
this could hurt Europe as much as it would the United States.
    This was the background for the safe harbor negotiations 
which lasted more than 2 years. Let me briefly describe how the 
safe harbor emerged and what it is and what it is not.
    The first thing we established was that the United States 
was not going to negotiate a treaty or an executive agreement 
that would apply the EU directive in the United States. What we 
were prepared to do was issue guidance to the American business 
community on how to conduct commercial relations with Europe.
    This comes under the existing authority of the Commerce 
Department. In the past, we have provided such guidance to help 
protect U.S. firms doing business in places like the Soviet 
Union, China, and elsewhere.
    The second thing we made clear is that we were not going to 
accept the jurisdiction of European law in the United States. 
Indeed, we agreed that the safe harbor would be silent on the 
issue of jurisdiction. We were prepared to have voluntary self-
regulation within the framework of existing U.S. law. We were 
not going to pass new legislation.
    Third, the Europeans had to recognize that we were trying 
to adapt the directive to the most advanced information economy 
on earth. Accordingly, the actual provisions of the safe harbor 
had to be more flexible and address real-world information 
practices on a reasonable basis. Fortunately, we had the 
precedent of the privacy principles that we and the Europeans 
had agreed upon in the OECD many years ago, and this became a 
touchstone of the discussions.
    The European Commission accepted these points but had a 
bottom line of their own. They insisted on what they considered 
a high level of privacy protections for European personal data 
as provided by their directive. It was their information. They 
had the right to control its dissemination from their point of 
view.
    The result was the safe harbor accord of last year. The 
Commerce Department promulgated a set of privacy principles for 
handling European data in the United States. The EU Commission, 
over the reluctance of many European data protection 
authorities, and the outright opposition of the European 
Parliament, held that the safe harbor principles provided 
adequate privacy protections. Companies that signed up to the 
safe harbor could receive personal data from Europe without 
hindrance.
    I won't take the committee's time to review the safe harbor 
principles, but I would like to comment on what aspects of the 
directive or the safe harbor might be instructive in developing 
U.S. privacy laws. In doing so, I am drawing on my most recent 
experience at Dorsey and Whitney where we provide privacy 
advice to a wide variety of clients as well as my negotiations 
with the European Union.
    First, there is the concept of national privacy standards. 
The EU developed its directive as part of the effort to create 
a single market; that is, in order to avoid the complex and 
burden of having 15 different national privacy laws. I believe 
that we face a similar risk in the United States, only instead 
of 15 national laws we could have 50 State laws.
    But I have one important caveat. Any Federal privacy 
legislation preempting State law would have to provide high 
standards. We need the highest common denominator, not the 
lowest. If the Federal rule is a minimum standard, for example, 
that companies merely must have a privacy policy and tell their 
customers what it is, I think it would be difficult to justify 
preempting the states.
    My second observation draws upon the safe harbor. The 
essence of that deal was that we accepted high standards and 
they accepted self-regulation. Any Federal standard should 
rely, to the extent possible, on self-regulation. That, in my 
experience, is the best way to avoid high standards from 
becoming a straitjacket that could smother the information 
economy.
    Thank you very much, Mr. Chairman.
    [The prepared statement of David L. Aaron follows:]

  PREPARED STATEMENT OF DAVID L. AARON, SENIOR INTERNATIONAL ADVISOR, 
                          DORSEY & WHITNEY LLP

    Mr. Chairman, let me thank you and the Committee for inviting me to 
testify on the European Union Personal Data Protection Directive and 
its implications for US privacy law.
    It is important to recognize that while we and the Europeans share 
many basic values, the EU Directive comes from a different legal 
tradition and historical experience--including the police states and 
holocaust of the last century. The EU Directive attempts to set up a 
comprehensive personal data protection regime that tries to anticipate 
every problem and answer every question. It is enforced by a system of 
independent Data Privacy Commissioners in each of the member states.
    While its goals may be laudable, there are a number of fundamental 
problems with the European Directive. First, it was conceived over a 
dozen years ago when there was no World Wide Web and information 
technology was dominated by mainframe computers not distributed 
information networks, laptops, and digital assistants. As a result, the 
Directive is often rigid or silent in dealing with privacy issues 
growing out of new technology and business models. Many European States 
have had great difficulty translating it into domestic law.
    Second, one can read the European Personal Data Protection 
Directive from end to end and not find the word ``privacy''. Personal 
data protection is an obligation of the State toward its citizens. In 
America we believe that privacy is a right that inheres in the 
individual. We can trade our private information for some benefit. In 
many instances Europeans cannot. This can have important implications 
when it comes to e-commerce.
    But the most troubling aspect of the Directive for the United 
States is the requirement that personal data only be transmitted from 
Europe to countries that have ``adequate'' privacy regimes. In effect, 
the Directive would embargo European personal data to any country whose 
privacy policies the EU had not approved.
    Imagine. No transatlantic bank transactions, credit card purchases, 
airline and hotel reservations, no internet or catalogue sales, no 
ability of US firms to manage personnel in their European operations, 
and vice versa. Fortunately, the European Commission recognized that 
this could hurt Europe as much as the United States.
    This was the background for the Safe Harbor negotiations that 
lasted more than two years. Let me briefly describe how the Safe Harbor 
Accord emerged and what it is and is not.
    The first thing we established was that the United States was not 
going to negotiate a Treaty or an Executive Agreement that would apply 
the EU Directive in the U.S. What we were prepared to do was issue 
guidance to the American business community on how to conduct 
commercial relations with other countries. This comes under the 
existing authority of the Department of Commerce. In the past we have 
provided such guidance to help protect US firms doing business in 
places like the Soviet Union, China and elsewhere.
    The second thing we made clear is that we were not going to accept 
the jurisdiction of European law in the United States. Indeed we agreed 
that the Safe Harbor would be silent on jurisdiction. We were prepared 
to have voluntary, self regulation within the framework of existing US 
law. We were not going to pass new legislation.
    Third, the Europeans had to recognize that we were trying to adapt the 
Directive to the most advanced information economy on earth. 
Accordingly the actual provisions of the Safe Harbor had to be more 
flexible and address real world information practices on a reasonable 
basis. Fortunately, we had the precedent of privacy principles that we 
and the Europeans had agreed upon in the OECD many years ago. This 
became a touchstone of the discussions.
    The European Commission accepted these points but had a bottom line 
of their own. They insisted on what they considered a high level of 
privacy protections for European personal data as provided by their 
Directive. It was their information; they had the right to control its 
dissemination.
    The result was the Safe Harbor accord of last year. The 
Commerce Department promulgated a set of privacy principles for 
handling European Data sent to the U.S. The principles cover notice, 
choice, transfers to third parties, access, security, data integrity 
and enforcement. These are accompanied by 15 frequently asked questions 
that spell out some of the points in detail.
    The EU Commission, over the reluctance of many European Data 
Protection Authorities and the opposition of the European Parliament, 
held that the Safe Harbor principles provided ``adequate'' privacy 
protections. Companies that signed up to the Safe Harbor could receive 
personal data from Europe without hindrance.
    Alternatively, US companies can negotiate contracts with European 
data suppliers that would follow the Safe Harbor principles but also 
contain other provisions called for by individual Data Protection 
Authorities who have to bless the contracts. One US multinational 
company told me that if they took that route, they would have to 
negotiate thousands of such contracts.
    I won't take the Committee's time to review the Safe Harbor 
principles, but I would like to comment on what aspects of the 
Directive or the Safe Harbor might be instructive in developing US 
privacy laws.
    First, the Directive falls short of US privacy expectations in some 
respects. For example, it provides no special safeguards for protecting 
children on-line as COPPA does. It also does not protect credit 
information the same way. As a result, experts have calculated that 
Europeans pay at least 500 basis points more for consumer credit.
    It also goes much further than many Americans might consider 
reasonable. For example, if a person orders a kosher meal on a flight, 
the airline cannot store this information for future reference unless 
the individual explicitly agrees. Why is this considered sensitive 
information? Because it might reveal the passenger's religion or 
ethnicity.
    With these cautionary examples in mind let me suggest how some 
aspects of the Directive and Safe Harbor could prove useful to any 
legislative effort. In doing so, I am also drawing on my most recent 
experience at Dorsey & Whitney where we provide privacy advice to a 
wide variety of clients.
    First there is the concept of national privacy standards. The EU 
developed its Directive as part of the effort to create a single 
market--that is in order to avoid the conflicts and burden of having 15 
different national privacy laws. I believe that we face a similar risk 
in the United States, only instead of 15 national laws we could have 50 
state laws. But I have one important caveat: any Federal privacy 
legislation preempting state law would have to provide high standards. 
We need the highest common denominator not the lowest. If the Federal 
rule is a minimum standard--for example that companies merely must have 
a privacy policy and tell their customer what it is--I think it would 
be difficult to justify preempting the States.
    My second observation draws upon the Safe Harbor. The essence of 
that deal was that we accepted high standards and they accepted self 
regulation. Any Federal standard should rely to the extent possible on 
self-regulation. That, in my experience, is the best way to avoid high 
standards from becoming a straitjacket that could smother the 
information economy.
    Is Federal privacy legislation timely? In my experience, the answer 
is clearly yes.
    Trust is a continuing issue in e-commerce. Experts estimated last 
year that the lack of consumer trust cost e-businesses $16 billion in 
lost sales. More and more companies are seeing the competitive value of 
providing good privacy practices for their customers. The States are 
already riding off in different directions on privacy. If high 
standards can be adopted at the Federal level this will provide 
American companies with a predictable framework to conduct their 
business. Even more important, it can provide the American people with 
greater confidence that their rights will be protected both on-line and 
off-line, to the benefit not only of our economy but of our democracy.
    Thank you Mr. Chairman.

    Mr. Stearns. Mr. Winer?

                 STATEMENT OF JONATHAN M. WINER

    Mr. Winer. Thank you, Mr. Chairman. Thank you for the 
opportunity to testify here today.
    I wish to make 10 points about the EU privacy directive. 
First, it has extraterritorial impact. With the privacy 
directive, the EU is regulating cyber space and much offline 
activity as well. E-commerce is, by its nature, global. Thus, 
national laws regulating it tend also to quickly become global.
    Following the EU's lead, other countries are adopting 
privacy laws, some of which, including Canada's, have 
substantial potential extraterritorial impact. These new laws 
are global but inconsistent. As we are finding out in the 
United States, there are many different ideas about how best to 
regulate privacy. Internationally, we are now facing a maze of 
conflicting provisions----
    Mr. Stearns. Mr. Winer, could you bring the microphone just 
a little closer for yourself?
    Mr. Winer. Yes, sir.
    Mr. Stearns. Okay. Good.
    Mr. Winer. I didn't want to be too loud. Let us try it 
again.
    Internationally, we are now facing a maze of conflicting 
provisions that create a complex, perilous, and potentially 
non-navigable environment for the many firms that process 
personal data which crosses borders. Many of the new foreign 
privacy laws differ from existing U.S. law, yet because of the 
transborder nature of many global information flows these laws 
may, in practice, regulate substantial amounts of data 
processing within the United States.
    If the U.S. is not vigilant, such laws potentially place at 
risk U.S. competitiveness, U.S. trade, and fundamental U.S. 
values, including rights protected under the First Amendment as 
you heard last week.
    Second, the privacy directive terms, to the rest of the 
world, are tantamount to extortion. The EU is requiring that 
all other countries adopt the EU's privacy laws or risk having 
data flows to them cut off by all of the EU's member states. As 
it has been said, the EU judges which countries in the world 
have adequate privacy laws. The EU says you don't. EU member 
states are required by the privacy directive to shut off data 
flows to that country.
    Transatlantic trade and information includes billions of 
bytes of data each day, and hundreds of billions of dollars in 
commercial activity a year. The sanction of cutting off such 
flows is one that cannot be easily activated without 
threatening fundamental damage to the global economy. The EU 
has stated it won't implement sanctions if it can find any 
other way to enforce the privacy directive.
    The EU has agreed to a stand-still in enforcement against 
U.S. firms through at least July 2001. At some point, however, 
that stand-still will end, and we could have a serious problem.
    Third, the safe harbor, unfortunately, is inadequate. 
Undersecretary of Commerce Aaron negotiated it to secure 
recognition by the EU that the U.S. system for protecting 
privacy was adequate, but he was not able to convince the EU to 
accept that U.S. Federal laws governing privacy in the 
financial services sector are adequate.
    The EU agreed to accept the U.S. system only to the extent 
that the Federal Trade Commission--and, for a small number of 
companies, the Department of Transportation--could sue U.S. 
companies who violate an agreement to live up to principles 
based upon the requirements of the directive.
    This was a very unfortunate outcome. Unlike the EU's lax 
enforcement of its privacy directive, the U.S. systematically 
enforces its privacy laws. The U.S. also has a high level of 
self-regulation. U.S. regulators have issued detailed 
regulations governing privacy in the financial services sector, 
and they examined financial institutions for compliance with 
U.S. privacy laws.
    According to a recent study sponsored by some 200 consumer 
groups, the U.S. system already protects online privacy better 
than the EU system. The EU should deem the whole U.S. system 
adequate and end the threat of cutting off data flows to the 
United States.
    Fourth, the safe harbor is unpopular. The safe harbor has 
attracted very few takers so far. Only 26 companies have 
entered as of this week, one of which is here with us today. 
The tiny number of companies signing up for safe harbor means 
the vast preponderance of all U.S. companies remains subject to 
being treated by the EU as inadequately protecting privacy.
    Fifth, as was said this morning, the privacy directive 
threatens national sovereignty. The EU is insisting that it be 
treated as the de facto global standard for privacy. After July 
1st, or whenever the enforcement stand-still ends, all EU 
member states are supposed to shut down data flows to any 
company located in any jurisdiction deemed to have inadequate 
privacy protection.
    That is true unless the company subjects itself to EU 
jurisdiction, EU rules, EU regulations, EU standards, EU 
courts, and liability to every individual whose information 
passes to the non-EU company from the territory, physical or 
electronic, of the EU.
    In early 1996, following the shoot-down of unarmed 
civilian planes and the murder of U.S. citizens by Cuban MiGs, 
Congress passed and the President signed the Libertad Act, 
known by the name of its primary sponsors as Helms-Burton. The 
Act sought to protect the property rights of thousands of 
American citizens whose property was confiscated without 
compensation by the Castro regime, by imposing sanctions on 
those who profited off that stolen property.
    After the U.S. enacted Helms-Burton, the EU issued the 
following statement. ``The European Union is opposed to the use 
of extraterritorial legislation, both on legal and policy 
grounds. In the last few years there has been a surge of U.S. 
extraterritorial sanctions legislation. Such laws represent an 
unwarranted interference by the U.S. with the sovereign rights 
of the EU to legislate over its own citizens and companies, and 
are, in the opinion of the EU, contrary to international law.''
    In a wired world, literally millions of communications 
containing personal information go back and forth between the 
U.S. and the EU every day. A standard that insists that these 
and other cross-border information flows adhere to an EU 
privacy regime is a regime that imposes EU law on the 
entire world.
    And last week I participated in a telephone conversation 
with an EU official who said, specifically, ``Yes. The rules we 
are applying are going to have global application. You bet.''
    The privacy directive may fairly be termed the EU's Helms-
Burton Act. It seeks to protect a class of property rights by 
demanding extraterritorial enforcement of those asserted 
property rights----
    Mr. Stearns. Mr. Winer, we just need you to wrap up.
    Mr. Winer. Yes, sir.
    Mr. Stearns. Under the 5-minute rule.
    Mr. Winer. My company is based all over the world.
    Sixth, the privacy directive is burdensome. My testimony 
goes into that.
    Seventh, it is not a good way of protecting privacy. The 
principles may look good, but in practice many of them are not 
workable.
    Eighth, do as I say not as I do. The EU is not 
systematically enforcing it. There is massive non-compliance in 
the EU.
    Ninth, like the privacy directive, the model contracts 
potentially threaten U.S. competitiveness. They would create 
causes of action for data subjects who would be third-party 
beneficiaries of those contracts.
    And, tenth, we have the power to protect ourselves from 
this foreign threat to U.S. interest and U.S. economic security. 
There are a number of options the Congress has in front of it 
that could help protect us, and I urge you to consider them.
    I am happy to respond to any of your questions. Thank you, 
sir.
    [The prepared statement of Jonathan M. Winer follows:]

       PREPARED STATEMENT OF JONATHAN M. WINER, ALSTON & BIRD LLP

    Mr. Chairman and distinguished members of this Committee: My name 
is Jonathan Winer. I am an attorney practicing law with the firm of 
Alston & Bird LLP in Washington, D.C. Previously, I served from 1994 
through 1999 as Deputy Assistant United States Secretary of State for 
International Enforcement matters, where my responsibilities included 
undertaking negotiations and discussions with the European Union, and 
its executive implementing body, the European Commission, on a range of 
Trans-Atlantic matters. Prior to that, I served in the Senate for many 
years as counsel to U.S. Senator John Kerry (D-Mass.), during which 
time I worked on international, banking, and legal matters before the 
Foreign Relations, Banking, Commerce, and Judiciary Committees. 
Currently, I spend much of my time writing, lecturing, and counseling 
U.S. companies about privacy issues, including the EU Privacy Directive 
that is the subject of this hearing.
    Privacy is a fascinating and rapidly growing area of the law, and 
the issue is an exceptionally complex one. I commend this Committee for 
recognizing its importance and for initiating this set of hearings, and 
am grateful for the opportunity to testify before you.

           1. THE EU IS WRITING RULES REGULATING CYBERSPACE.

    If there is anything that is growing at an even more exponential 
rate than e-commerce, it is laws that purport to govern e-commerce, and 
in particular, laws governing privacy. Since e-commerce is by its very 
nature global, national laws regulating it tend also to quickly (and 
sometimes unintentionally) become global, raising from the beginning 
the question of whose law will wind up writing the rules by which e-
commerce and the World Wide Web operate. While some may want cyberspace 
to remain a lawyer-free zone, an ever-thickening web of laws is already 
purporting to determine what activities are permitted, and what 
activities are prohibited on-line. The vast preponderance of these laws 
are arising in the European Union, and the most important of them to 
date is the EU's Directive on Data Protection, known as the ``Privacy 
Directive.''\1\ Significantly, while many of these laws have 
been stimulated by consumer and business issues highlighted by new 
technologies, they would often regulate a far broader swath of 
activity. In the case of the EU privacy directive, the regulated 
``industry'' would extend to everyone who does business by 
communicating information about people. Under the Directive, government 
would regulate and determine what is permitted and what is prohibited 
communications about all personal data, at least in a commercial 
context.
---------------------------------------------------------------------------
    \1\ ``Data Protection Directive, 95/46/EC.'' Other EU laws that 
purport to regulate various aspects of cyberspace and the world-wide 
net include, but are not limited to, the EU Directive on E-Commerce 
(2000), which mandates particular labeling requirements, the Brussels 
Regulation, which governs consumer rights to sue in their own 
jurisdiction regardless of contractual terms to the contrary, laws on 
Access to Justice, Comparative and Misleading Advertising, Consumer 
Credit and Education, Dangerous Imitations, Long Distance Selling, 
Information Society, Package Travel, Product Liability, Product Safety, 
Time Sharing, and Unfair Contract Terms. As a senior European 
Commission official stated to the author recently, ``if it moves, we 
regulate it.''
---------------------------------------------------------------------------
    Since the passage in 1995 of the Privacy Directive, which became 
effective in 1998, there has been an explosion of new national privacy 
laws governing the off-line, as well as the on-line uses of personal 
data. Within the past twelve months alone, we have seen new data 
protection laws emerge in Argentina, Australia, Canada, Chile, and 
Paraguay, following earlier privacy laws in Hong Kong, Hungary, New 
Zealand, and Switzerland, in addition to the 15 member states of the 
European Union. Each of these laws is well-intentioned, and addresses 
what for many is becoming the assertion of a fundamental right--the 
right of private citizens to own their own personal information. Many 
of these laws have extra-territorial impact, and some, such as the 
Privacy Directive, are literally global in their application. Of 
particular interest is Canada's law, which requires all exporters of 
Canadian personal data to insure that U.S. companies importing the data 
agree to apply Canada's laws to the data so long as they retain it, 
thereby exporting Canada's laws to the U.S. in an almost EU-like 
fashion. Canada's privacy law could have a profound impact on North 
American data flows, and on NAFTA, but being only in effect for some 
two months, its impact remains difficult to measure.\2\
---------------------------------------------------------------------------
    \2\ Canada's law has only been in effect since January 1, 2001, and 
currently only applies to transborder movements of data that is sold in 
the commercial context, and not mere processing of personal data. The 
latter is to be fully covered under Canadian law by January 1, 2004. 
Interestingly, despite the breadth of Canadian law, the EU has yet to 
find it to be fully ``adequate'' under the EU Data Protection standard. 
To date, only the privacy laws of Hungary and Switzerland, which mirror 
the EU's, and other states in the EU's economic area have been deemed 
adequate by the EU.
---------------------------------------------------------------------------
    Unfortunately, the laws are not just global, but inconsistent. Like 
the state legislatures in the U.S., each nation that has looked at 
privacy has come up with its own constructions for how to protect it. 
Accordingly, national privacy laws differ from one another on matters 
of definition, scope, terminology, and application, creating a maze of 
often conflicting provisions and a potential compliance nightmare, 
not just for e-commerce, but for any company doing business across 
borders with individual consumers.
    For the United States, the new web of privacy requirements creates 
some very serious potential problems for our economy and our legal 
system. Many of the new national privacy laws coming into effect 
outside the U.S. differ from existing U.S. law, and yet will have the 
impact of regulating substantial amounts of data processing within the 
United States. Indeed, in some cases, including the Privacy Directive, 
the results of the foreign laws will in practice be to create new 
enforceable legal rights that can be litigated within U.S. courts by 
Americans and non-Americans alike, regardless of whether Congress, the 
Executive Branch, or the states have decided that this is a good idea.
    The result, for the U.S., is the renewed reminder that foreign 
countries can enact laws with extra-territorial application. If the 
U.S. is not vigilant, such laws potentially place at risk U.S. 
competitiveness, U.S. trade, and fundamental U.S. values, including 
protected rights under the First Amendment. Each of these areas will be 
put at great risk by the Privacy Directive in the months ahead, as the 
EU body responsible for securing its enforcement by the 15 EU Member 
States, the European Commission, works to insure that its provisions 
are adhered to by every nation in the world.

2. UNDER THE PRIVACY DIRECTIVE, THE EU DECIDES WHETHER EACH COUNTRY IN 
      THE WORLD'S PRIVACY LAWS ARE ``ADEQUATE'' OR ``INADEQUATE.''

    Under the Privacy Directive, the EU has decided that privacy is 
such a fundamental human right that it will permit no one to export 
personal data from the EU under circumstances that differ substantially 
from the privacy rules the EU has adopted for itself. Jurisdictions 
deemed by the EU to have ``inadequate'' protection of personal data are 
supposed to be cut off from all the EU's personal data. As Trans-
Atlantic trade in information amounts to billions of bytes of 
information a day, and hundreds of billions of dollars of commercial 
activity a year, the sanction is one that cannot be easily activated 
without threatening fundamental damage to the global economy. The EU 
has recognized this, and has stated that it has no intention of 
shutting down data flows if it can find any other reasonable solution 
that adequately protects personal data. A fair amount of forbearance 
has already been shown by the EU in this regard: although its own 15 
member states have been required to be in compliance with the Directive 
since October, 1998, and several have been taken to court for non-
compliance by the European Commission, no country has actually been 
sanctioned for non-compliance with the Directive to date. Regarding the 
U.S., the European Commission has agreed to a semi-official stand-still 
on enforcement against U.S. firms through at least July 1, 2001.

3. THE US-EU PRIVACY SAFE HARBOR: A HOPED-FOR ALTERNATIVE TO A PRIVACY 
                               TRADE WAR.

    Neither the U.S. nor the EU sought a trade war over privacy. During 
the Clinton Administration, the U.S., led by Under Secretary of 
Commerce David Aaron, negotiated in good faith with the EU seeking its 
recognition that the U.S. system for protecting privacy was adequate. 
Ultimately, the EU agreed to accept the U.S. system as adequate to the 
extent that the Federal Trade Commission (``FTC'') could sue U.S. 
companies that agreed to live up to a series of principles based upon the 
Privacy Directive's requirements, and then failed to do so. Such 
companies could sign up to the EU's privacy standards, and thereby 
receive a ``Safe Harbor'' from the sanctions imposed by the EU on firms 
based in jurisdictions deemed by the EU to have inadequate protection.
    Notably, however, Ambassador Aaron was not able to convince the EU 
to accept that U.S. federal laws governing financial services, 
including the Fair Credit Reporting Act and the Financial Services 
Modernization Act of 1999 (``Gramm-Leach-Bliley,'' or ``GLB''), 
adequately protect privacy, despite clear evidence that these laws are 
being systematically enforced by U.S. regulators, evidence lacking to 
date in many cases in the enforcement of EU Member States of the 
Privacy Directive. Because the EU hasn't found these laws adequate, 
companies regulated by those laws cannot rely on them for protection 
against sanctions by EU member states, even if they are in complete 
compliance with U.S. federal privacy laws.
    As a result, the Safe Harbor negotiated by Under Secretary Aaron 
wound up excluding some of the most important sectors of the U.S. 
economy, including telecommunications as well as financial services and 
dramatically limiting its immediate utility.

          4. SUPPOSE THEY GAVE A SAFE HARBOR, AND NO ONE CAME?

    Notably, in the more than four months since U.S. companies have 
been able to sign up for Safe Harbor only 26 have chosen to do so as of 
March 5, 2001. A small number of these are major business-to-business 
companies, such as Dun & Bradstreet and Hewlett Packard, who have 
comparatively limited needs for processing personal information by 
comparison to the many companies whose businesses are centered on 
business-to-consumer transactions. Others are self-regulatory 
organizations such as TRUSTe, the Entertainment Software Rating Board, 
and the UserTrust Network, for which privacy is the line of business, 
rather than a requirement of business. The tiny number of companies 
signing up for the Safe Harbor indicates that the vast preponderance of 
all U.S. companies remain subject to being treated by the EU as having 
inadequate protection of privacy.

            5. THE PRIVACY DIRECTIVE: THE EU'S HELMS-BURTON?

    Under the Privacy Directive, the consequences for having inadequate 
protection of personal data are simple. Once the current standstill on 
international enforcement is over--currently set to expire July 1, 
2001--all EU member states are supposed (eventually) to shut down the 
flows of data to any company located in such a jurisdiction, unless 
that company contractually subjects itself to EU jurisdiction, EU 
rules, EU regulations, EU standards, EU courts, and liability to every 
individual whose information passes to the non-EU company from the 
territory, physical or electronic, of the EU.
    In an era of globalized information, the threat to shut down data 
flows is a remarkable one, but it is the heart of the Privacy 
Directive. The issue is not one of privacy, but of national 
sovereignty: should any nation, or group of nations, at this stage of 
the information economy be threatening to halt data flows to any other 
nation? In the EU, that is in fact the law imposed by the Privacy 
Directive, to those who do not provide what the EU deems to be 
``adequate protection'' to personal data.
    In early 1996, following the shootdown of unarmed civilian planes 
and the murder of U.S. citizens by Cuban MIGs in broad daylight and 
without justification, Congress passed and the President signed the 
Libertad Act, known by the name of its primary sponsors as ``Helms-
Burton.'' The Act sought to promote democracy in Cuba and to protect 
the property rights of thousands of American citizens whose property 
was confiscated without compensation by the Castro regime, by imposing 
sanctions on those who profited off that stolen property.
    After the U.S. enacted the Helms-Burton Act, the European Union 
issued the following statement:
        ``The European Union is opposed to the use of extraterritorial 
        legislation, both on legal and policy grounds. In the last few 
        years, there has been a surge of US extraterritorial sanctions 
        legislation both at federal and sub-federal level . . . Such 
        laws represent an unwarranted interference by the U.S. with the 
        sovereign rights of the EU to legislate over its own citizens 
        and companies, and are, in the opinion of the EU, contrary to 
        international law.''
    The EU complained that it was a violation of international law that 
the Helms-Burton Act empowered individuals to file private lawsuits 
against EU companies who were acting in compliance with the terms of 
their domestic laws.
    Accordingly, the EU demanded that the US suspend the right of 
anyone to sue an EU company under Helms-Burton.
    The EU also filed suit in the World Trade Organization against the 
U.S., seeking a ruling that Helms-Burton violated international trade 
laws. Eventually, the matter was resolved through a remarkable 
diplomatic effort undertaken by then Under Secretary of State Stuart 
Eizenstat, which enabled all the parties to back off from turning a 
disagreement over policy and property rights into a trade battle.
    While Helms-Burton only affected issues pertaining to property in 
Cuba, one country among some 180 UN member states, the Privacy 
Directive is global in its application to data that flows out of the 
EU's borders, and governs not merely real estate or business property 
but all personal data, except that deemed public under the laws of 
individual countries. As a result, the Privacy Directive has the 
consequence of turning the processing of information by anyone, 
anywhere, at least in a business context, into a regulated industry. 
The EU's contention that the Privacy Directive only affects information 
that is exported from the EU and is not extra-territorial makes a 
debating point, but one that is at odds with the plain facts. In a 
wired world, literally millions of communications containing personal 
information go back and forth between the U.S. and the EU every day. A 
standard that insists that all such information flows adhere to an EU 
privacy regime is a standard that imposes EU law on the entire world.
    It is not unfair to characterize the Privacy Directive as the 
``EU's Helms-Burton Act,'' except perhaps to the authors of Helms-
Burton, who never dreamed of defining property rights so globally and 
so extraterritorially.
    Indeed, last week, I participated in a conversation with a senior 
official from the European Commission who explicitly acknowledged this 
fact in connection with the issuance of new ``model contracts'' to 
enable foreign companies to come into compliance with the Directive. 
She said that the new model contracts soon to be issued by the EU as a 
base-line for the handling of data from the EU to other countries would 
have ``world-wide application.''
    The Privacy Directive goes beyond anything contemplated by Helms-
Burton in providing for extraterritorial impact on U.S. companies, 
interference with the sovereign rights of the U.S. to legislate over 
its own citizens and companies, and permitting EU citizens--and indeed, 
under certain circumstances--U.S. citizens, to sue U.S. companies for 
actions that would be legal under domestic U.S. law in connection with 
the processing of personal data by giving the EU's citizens a global 
property right in all of their personal information.3
---------------------------------------------------------------------------
    \3\ Elsewhere, I have expressed concerns about the risk to the 
public space caused by turning personal information into a property 
right. If every fact about every person, beginning with his or her name 
and address, becomes private data that he or she controls, what space 
is left for public communication about public matters? This is a very 
serious political and policy issue which assumes Constitutional 
dimensions in the United States, given our history of support for free 
expression about all matters--including other people--as set forth in 
the First Amendment. See e.g. ``Regulating the Free Flow of 
Information: A Privacy Czar as the Ultimate Big Brother?'', Jonathan M. 
Winer, The John Marshall Journal of Computer & Information Law, 
December 2000.
---------------------------------------------------------------------------
6. THE OBLIGATIONS IMPOSED BY THE PRIVACY DIRECTIVE AS IT IS NOW BEING 
    INTERPRETED ARE POTENTIALLY VERY BURDENSOME, ESPECIALLY FOR B2C 
                              BUSINESSES.

    It can be difficult to make sweeping statements about the meaning 
of the Privacy Directive because different EU entities and persons have 
interpreted the Directive differently at different times. At one point, 
for example, the European Commission issued a statement reporting that 
the Directive protected solely the data of European citizens or 
residents. Later, this was judged to be incorrect, and the EU made it 
clear that it applied to all personal data that was being processed 
within the EU. Moreover, the guardians of privacy within the EU, 
represented by the EU's ``Article 29'' Committee, have issued an ever 
accreting set of standards, guidance, and opinions, with the professed 
intention of systematically strengthening privacy protection. The 
result is that the obligations for companies under the Directive are to 
some considerable extent a moving target.
    The ultimate level and vigor of the enforcement of the Privacy 
Directive by EU Member States remains uncertain, and a number of 
matters of detail pertaining to privacy are still under development by 
the European Commission. Nevertheless, the parameters of the possible 
obligations of companies based in the U.S. and other countries whose 
national laws have not been deemed to be adequate by the EU, currently 
appear to include:

 Agreeing to submit all of their data processing facilities, 
        files and documents to audit by companies in the EU who are 
        sending them data, and by each of the Data Protection 
        Authorities established in the EU.
 Promising ahead of time to cooperate with each of the EU's 
        privacy czars on any inquiry they may make regarding data 
        processing and to abide by any order the privacy czar chooses 
        to give, regardless of whether the U.S. company considers the 
        order proper, lawful, or practical, and regardless of cost.
 Limiting the use of data only to the purposes for which the 
        data has been transferred.
 Storing the data only as needed to carry out the purposes for 
        which the data has been transferred, and then destroying it.
 Promising not to retransfer the data to an entity in a 
        jurisdiction whose laws are not deemed to offer adequate 
        protection unless the data subject has opted in to such 
        transfer in the case of sensitive data, or has been given an 
        opt-out opportunity in all other cases.
 Providing the data subject access to all data relating to him 
        or her being processed in the U.S.
 Allowing the data subject the right to correct or delete data 
        that has become inaccurate.
 Allowing the data subject the right to object to the 
        processing of his or her data on compelling grounds based upon 
        his or her particular situation.
 Naming a privacy officer to handle inquiries from the EU.
 Agreeing to allow anyone whose personal data is transferred 
        from the EU to a firm located in the U.S. to sue as a ``third 
        party beneficiary'' for violation of any of the above 
        provisions under any contract that permits a U.S. company to 
        import their data. This right to sue would appear to include 
        not just European citizens, but any U.S. citizen whose data has 
        been moved through the EU back to the U.S. Since the right to 
        sue would be a contractual one, in theory that right might well 
        be enforceable by U.S. citizens against U.S. companies in U.S. 
        courts.4
---------------------------------------------------------------------------
    \4\ Some of the above provisions can probably be avoided by a U.S. 
company that enters the Safe Harbor, but only to the extent that the 
data flows go from the EU to the U.S. and do not also include, for 
example, another country such as India or Mexico.
---------------------------------------------------------------------------

 7. SOME OF THE BROAD PRIVACY PRINCIPLES LOOK GOOD IN THEORY, BUT MAY 
             NOT BE SMART (OR PROTECT PRIVACY) IN PRACTICE.

    Whether the obligations in the Privacy Directive are a good or a 
bad idea, they are not today the law in the U.S. Indeed, the U.S. 
Congress has to date declined to make them the law of the U.S. 
Important arguments can be advanced by reasonable people in favor of 
and against all of the EU obligations, many of which prove as complex 
to operate in practice as they are simple to articulate in principle.
    For example, the right of access, mandated by the Privacy 
Directive, states in essence that every person should have to review 
and correct all the data that is held by any company about them. Stated 
simply, the right sounds unobjectionable. But many, perhaps most 
companies around the world, especially large ones, do not centralize 
their data bases on individuals. Rather, bits and pieces of information 
about individuals may be contained in many locations at a company. For 
example, in a Congressional office, each staffer of each Congressman 
may have their own personal contact directories set up, or case files 
pertaining to handling the needs of constituents. While some 
Congressional offices might centralize such data, most would not, and 
might even view such centralization of data as a potential threat to 
the privacy of the constituents. To implement a right of access, a 
company would need to be able to assemble all of its personal data 
about people easily into one place, for the review of the data subject. 
The process of assembling and centralizing that data carries with it 
real risks to privacy, especially if such data can be subpoenaed in 
civil cases or criminal investigations, both of which are permitted 
under the Directive. The problem becomes especially severe with large 
companies which have many different consumer divisions that handle 
personal information. Is it really good privacy policy to require such 
companies to centralize all of the data they may possess on all data 
subjects in order to permit them to easily provide consumers a right of 
access and correction? In the case of an internet service provider, 
would that include all identifiable references to these persons on the 
e-mail traffic processed by the company? Certainly, there are fair 
arguments to suggest that such centralization may in fact threaten, 
rather than protect, privacy.
    These issues become even more complex when they are taken beyond 
the context of mainframe computers--the technology that was the main 
concern at the time the Directive was conceived--to intranets, 
extranets, e-mails, telecopies, the World Wide Web, lap top computers, 
smart phones, and hand-held wireless communicators, all of which are 
theoretically fully subject to the Privacy Directive's requirements for 
consent, notice, access, uses limited to consent, right to correct, and 
so on.
    Other privacy rights guaranteed in the Directive may prove to be of 
equal simplicity in statement, and equal complexity in practice. As 
former Clinton Administration privacy czar Peter P. Swire and Brookings 
Professor Robert E. Litan have written about the Directive, in their 
book ``None of Your Business'':
        ``Under the European Directive, many routine and desirable 
        transfers of information would apparently be restricted. For 
        instance, as written, the Directive would appear to hinder 
        pharmaceutical research, could pose a major obstacle to 
        investment banks' collection of important information about 
        companies, and would call into doubt many mainframe and 
        intranet applications that involve processing data in the 
        United States or other third countries.'' 5
---------------------------------------------------------------------------
    \5\ Swire and Litan, ``None of Your Business,'' Brookings 
Institution, 1998, p. 153. The complexity of the compliance issues 
raised by the Privacy Directive is illustrated by Swire and Litan in 
Appendix B to their book, which consists of a 12 page chart summarizing 
some of the potential effects and coverage of the Directive. Among the 
areas Swire and Litan list as affected by the Directive are mainframes, 
client-server systems, intranets, extranets, e-mail, telecopies, the 
World Wide Web, laptop computers and personal organizers, human 
resources records, auditing and accounting functions, business 
consulting, calling centers and other worldwide customer service, 
payment systems for financial services, sale of financial services to 
individuals, investment banking and market analysis, investment banking 
``hostile takeovers,'' which Swire and Litan believe become barred by 
the Directive; investment banking due diligence, investment banking 
private placements, mandatory securities and accounting disclosures, 
individual credit histories, corporate credit histories, the press, 
nonprofit organizations generally, international educational 
organizations, international conferences, non-European governments, 
pharmaceutical and medical device research and marketing, business and 
leisure travel reservation systems, business and leisure travel 
frequent flyer and other affinity programs, internet service providers, 
traditional direct marketing, and direct marketing over the Internet. 
Id. pp. 248-260.
---------------------------------------------------------------------------
     8. NON-COMPLIANCE WITH THE DIRECTIVE WITHIN THE EU IS MASSIVE.

    Professors Swire and Litan go on to note that EU officials tell the 
U.S. not to worry about the Directive, that the EU will proceed with 
implementing the Directive sensibly and incrementally, by encouraging 
good privacy practices and imposing few penalties on individual 
organizations. The problem with these assurances, as Swire and Litan 
state explicitly, is that:
        ``Europe cannot strictly enforce the letter of the Directive 
        and at the same time announce that organizations can routinely 
        ignore it. It violates the rule of law and fundamental fairness 
        to enforce a law strictly against some while allowing others to 
        violate the same law in the same way . . . An often expressed 
        concern of U.S.-based firms is that they might be targeted for 
        enforcement, even when they follow the same privacy practices 
        as their Europe-based competitors. This targeting may fit the 
        perception that American companies are less careful on privacy 
        issues, and the focus may be politically popular in Europe.'' 6
---------------------------------------------------------------------------
    \6\ Id. at p. 155.
---------------------------------------------------------------------------
    This anxiety is not one that is without merit. Some five years 
after the passage of the Privacy Directive, the European Commission 
continues to maintain court action against four of its member states, 
France, Germany, Ireland, and Luxembourg, for their non-compliance with 
the Directive. Perhaps more to the point, there is substantial 
practical evidence that non-compliance with the Directive is widespread 
throughout the European Union.
    Lawyers who practice commercial law involving international 
businesses see this every day. A few months ago, I was asked by an 
American company to look at the privacy policies and practices of an EU 
company that it was purchasing, as part of due diligence, in order to 
assess the potential risks of liability for the U.S. firm in connection 
with the purchase. The EU company was in a consumer business that 
caused it to acquire, process, and manipulate sensitive consumer 
personal data hundreds or thousands of times every day of the kind 
theoretically protected by the Privacy Directive. The EU company had no 
on-line privacy policy. It also turned out to have no off-line privacy 
policy. In fact, it had no privacy policy at all, and after due 
diligence, we found no evidence that the EU company had ever 
undertaken steps to comply with the Directive. Ultimately, we advised 
the U.S. company, which has comprehensive privacy policies in place, to 
seek indemnifications from the EU company in case the EU privacy 
regulator decided to sanction it. The EU company was happy to do so: it 
advised the U.S. company that in this EU country at least, the actual 
issuance of penalties for non-compliance with the Privacy Directive and 
with national privacy laws, was almost unknown.
    Thus, it is not surprising that EU consumer groups recently found 
that Internet users' privacy is better protected in the U.S. than in 
Europe, despite the Directive and all of the EU's tough national 
privacy laws. As Consumers International, a UK-based federation of 263 
consumer organizations, with members in 100 countries, found in a 
report released January 25, 2001, assessing 750 top world-wide web 
sites:

 Despite tight EU privacy legislation, researchers did not find 
        that sites based in the EU gave better information or a higher 
        degree of choice to their users than sites based in the US. 
        Indeed, U.S.-based sites tended to set the standard for decent 
        privacy policies.
 Many EU sites are failing to comply with EU rules that state 
        that they must provide the data subject with the opportunity to 
        opt out if their data is to be used for direct marketing 
        purposes.
 The most popular U.S. sites were more likely than the EU ones 
        to give users a choice about being on the company's mailing 
        list or having their name passed on, despite the existence of 
        legislation which obliges EU-based sites to provide users with 
        a choice.7
---------------------------------------------------------------------------
    \7\ Privacy@net, An international comparative study of consumer 
privacy on the internet, January, 2001, published by Consumers 
International, and available at www.consumersinternational.org.
---------------------------------------------------------------------------
    In short, the ongoing efforts by the EU to require other countries 
to adopt the EU's standards for the protection of privacy are preceding, 
rather than following, the EU effectively securing enforcement of its 
laws within the borders of its Internal Market. The EU is demanding 
that companies based overseas comply with a Directive that is subject 
to massive non-compliance within the EU itself.

    9. THE FURTHER THREAT POSED BY THE EU'S NEW ``MODEL CONTRACTS.''

    There is little reason for the Congress to delay in considering 
these kinds of options. The current stand-still on enforcement by the 
EU is currently due to end on July 1, 2001, at which time U.S. firms 
who have not entered the Safe Harbor, or who like financial 
institutions are not eligible for the Safe Harbor, are potentially at 
risk from EU sanctions. The EU has not stood still while the Safe 
Harbor process has continued, but has developed as an alternative to 
Safe Harbor the approach of Model Contracts. These amount to contracts 
of adhesion whereby non-EU data importers must agree to the 
jurisdiction, choice of law, substantive law, authority, regulation and 
oversight by EU data exporters and the EU's privacy czars. These model 
contracts, discussed in greater depth below, have many risky elements 
for U.S. firms. Among the most troubling are the requirement in these 
Model Contracts for joint and several liability for U.S. firms with 
their EU counterparts for any alleged violation of anyone's privacy; 
the requirement that data subjects be given the right to sue the U.S. 
firms for any alleged violation of their privacy; and the requirement 
that U.S. firms pre-emptively capitulate to whatever the EU chooses to 
order them to do in the event any EU entity judges them to have 
violated someone's privacy.
    The EU is currently planning to adopt these Model Contracts as a 
recommended minimum floor of data protection to be enforced by each of 
the EU's privacy czars as early as this July. In the future, these 
Model Contracts, or provisions similar to them, or based upon them, 
could become the de facto minimum standard for the processing of all 
data by the private sector regarding persons that leaves the EU (other 
than limited categories of public data). Their potential risks for U.S. 
competitiveness, and the risks they pose of creating an unfair burden 
on non-EU entities throughout the world, can hardly be overstated. Just 
last week, a senior European Commission official acknowledged that most 
countries' privacy laws would never be found to be ``adequate'' under 
the Directive, and that the Model Contracts would therefore have global 
application.
    It is very important to the components of U.S. industry that are 
outside the Safe Harbor, including financial services, that the Model 
Contracts not be used as a mechanism to force them into undertaking 
obligations that vastly exceed the obligations undertaken by companies 
permitted to enter the Safe Harbor. It is also important that the Model 
Contract process not be permitted to overtake, and overwhelm, the 
ongoing talks between the US and the EU on obtaining a finding of 
adequacy for the Gramm-Leach-Bliley Act and the Fair Credit Reporting 
Act, with their detailed regulations, under the Directive. The EU needs 
to understand that U.S. laws, too, need to be respected, just as the 
laws of its Member States must be.

          10. OPTIONS FOR U.S. POLICY MAKERS AND THE CONGRESS.

    In light of the potential impact of the Privacy Directive on U.S. 
trade, the exercise of First Amendment rights, and U.S. 
competitiveness, the U.S. Congress should take a careful look at its 
range of options. These could include the following, which are offered 
as an illustrative and incomplete list of possibilities:

 Enacting U.S. federal laws that mimic those of the European 
        Union, granting every person whose information is processed in 
        the United States the right to sue anyone who has used that 
        information for any purpose without their consent. This option 
        risks running into substantial First Amendment and other 
        Constitutional limitations, for the reasons expressed in great 
        detail by Professor Volokh in his testimony before this 
        Committee last week. Exercising this option would also turn 
        every processor of information in the private sector into a 
        member of a regulated industry, requiring a dramatic expansion 
        of government control of the U.S. private sector, providing new 
        opportunities for crowding U.S. courts with allegations of 
        privacy torts, by Americans and overseas persons 
        alike.8
---------------------------------------------------------------------------
    \8\ See also Swire and Litan, id, at p. 122. ``A strict 
interpretation of the Directive could ban a great many practices by the 
press. The tension between the press and privacy laws is clear enough: 
an important responsibility of the press is to publicize personally 
identifiable information. In reporting on politics, business, 
entertainment, and sports, journalists routinely discuss named 
individuals. Often the reporting is done without the consent of the 
subject . . . Under Article 9 of the Directive, member states can make 
exemptions for the press, but the exemptions must be `solely for 
journalistic purposes' and `only if they are necessary to reconcile the 
right to privacy with the rules governing freedom of expression.' This 
language seems to emphasize privacy rights and give relatively little 
scope to protecting free expression. As governed by Article 9, the 
press will face compliance difficulties when it transfers personal 
information out of Europe.''
---------------------------------------------------------------------------
 Pressing the EU to recognize, as international consumer groups 
        have, that the U.S. system for protecting privacy is in 
        practice at least as effective as that of the EU, and therefore 
        constitutes adequate protection, eliminating the risk of the 
        disruption of data flows.
 Doing as the EU did in response to Helms-Burton, and treating 
        any efforts by the EU to enforce its Privacy Directive against 
        U.S. companies in a fashion that is extraterritorial as an 
        improper restraint of trade suitable for resolution by the 
        World Trade Organization.
 Doing as Canada did in response to Helms-Burton, and imposing 
        a blocking statute that in effect, prohibits firms from 
        complying with the Directive to the extent that it is 
        inconsistent with U.S. law, and allowing U.S. firms to ``claw 
        back'' damages from any EU counterparts caused by their use of 
        the Privacy Directive to the injury of the U.S. firm.
 Creating a ``Safe Harbor'' for U.S. firms that adhere to U.S. 
        federal privacy laws, by making compliance with such laws a 
        ``per se'' defense to any private cause of action for alleged 
        breach of privacy or related claims in any court based in the 
        U.S.
 Further developing a regime of informed consent, under which 
        companies that provided mechanisms for consumers to exercise 
        informed consent were given a safe harbor against privacy 
        claims in U.S. courts, so long as they lived up to their 
        contractual obligations to data subjects.
 Asking the U.S. Trade Representative to consider recommending 
        to the President the use of appropriate sanctions under Super 
        301 or other trade authorities to insure adequate protection of 
        U.S. firms through proportionate measures to respond to any 
        injuries to U.S. companies by the EU.
    The Congress has some less dramatic additional interim options 
which could do much both to protect privacy, the First Amendment, and 
to simultaneously protect American competitiveness and trade. These 
include:

 Asking the Executive Branch to secure from the EU a detailed 
        assessment of the existing compliance with the Privacy 
        Directive by firms based in the EU, prior to negotiating 
        further obligations for U.S. firms to comply with the 
        Directive.
 Seeking and obtaining assurances from the EU that no action 
        will be taken against U.S.-based firms for alleged violations 
        of the Directive, until the EU can provide evidence that most 
        EU-based firms have come into compliance with the Directive.
 Seeking and obtaining assurances from the EU that no action 
        will be taken against U.S.-based firms for alleged violations 
        of the Directive until the EU can demonstrate that it has 
        effective mechanisms in place to prevent similar alleged 
        violations by other countries around the world that process 
        substantial amounts of personal data from the EU, including 
        Brazil, China, Egypt, India, Indonesia, Israel, Japan, 
        Malaysia, Russia, South Africa, South Korea, Sri Lanka, Taiwan, 
        Thailand, among others.
 Insuring that EU Member States do not in practice force U.S. 
        firms to enter into ``Model Contracts'' in order to import 
        personal data from the EU that would create contractual rights 
        for data subjects that would enable them to fill U.S. courts 
        with privacy litigation, including class actions.
 Asking the GAO to determine the regulatory capacity of the 
        U.S. to enforce the existing Safe Harbor and/or the broader 
        parameters of the Privacy Directive were it applied to all 
        processing of personal data by U.S. companies, and to estimate 
        the potential cost of developing the regulatory capacity to 
        administer the equivalent of the Directive in the U.S.
 Asking the Department of Commerce and the Office of the Trade 
        Representative to develop a menu of possible options to respond 
        to any cut-offs of data flows from the EU to the United States 
        and to provide a report to Congress specifying these options.
 Asking the Office of the Trade Representative to review 
        whether data protection laws at the national or EU level may 
        violate the free trade rules administered by the World Trade 
        Organization, a recommendation advocated for consideration 
        several years ago by Professors Litan and Swire, and to develop 
        the analytic and factual basis for making such a case in the 
        event that the EU improperly imposed sanctions on U.S.-based 
        firms.
 Asking the Department of Commerce to catalogue the benefits of 
        maintaining the existing data flows, and to assess the damage 
        that might be done were they to be impeded by enforcement 
        action by the EU under the Privacy Directive.

                          11. FINAL THOUGHTS.

    In conclusion, your Committee has taken on an enormous issue in 
focusing on the impact of the Privacy Directive on the U.S. The 
Directive is not, unfortunately, a unique provision. Bit by bit, in its 
effort to harmonize its own laws for its internal market, the EU is 
developing other Directives that will come to have an increasingly 
global impact in setting standards for the whole world. Some of these 
Directives will surely contain sensible and useful elements. Others may 
reflect mistaken choices in policy. In either case, the U.S. needs to 
develop mechanisms to provide early warning on the impact of such 
Directives on the U.S., on U.S. competitiveness, and on U.S. 
Constitutional and policy values. The U.S. and the EU come from 
different histories, and in some areas, such as the area of what is 
appropriate governmental regulation, from different philosophies. The 
U.S. economy has been the strongest in the world throughout the years 
of the ongoing information revolution and the development of the 
world's new economy. It would be a tragedy if the laws and rules of 
other jurisdictions were permitted to put our economy at risk, and to 
threaten the free flow of information so necessary to the world's 
further economic development, however noble the intentions or lofty the 
goals.
    With your permission, I would like to include with this testimony 
more detailed analyses of the major provisions of the Privacy Directive 
and the US-EU Safe Harbor, and of the new Model Contracts being 
proposed by the EU for adoption and application world-wide later this 
year.
    Thank you. I look forward to responding to any questions, and to 
providing the Committee with any form of assistance you may request.
                            *      *      *
        Analysis of the EU Privacy Directive and the Safe Harbor

                      A. THE EU PRIVACY DIRECTIVE.

    The European Union's Privacy Directive became effective on October 
25, 1998. The Directive:

 Embraces individual privacy as a fundamental human right;
 Applies to the processing and transfer of personal data 
        concerning EU residents;
 Requires the EU individual's consent for gathering and 
        dissemination of personal information;
 Applies to all entities that gather, store or use personal 
        data concerning EU residents, including those in the U.S. and 
        every other country;
 Covers personal data transfers not only among affiliates, but 
        even within a single corporate entity if the data is exported 
        beyond the EU;
 Includes all data, electronic and non-electronic;
 Demands that data must be destroyed when no longer needed for 
        the original purpose;
 Is enforced in each EU Member State by the Data Protection 
        Authority, which operates independently of the government;
 Provides for civil suits with damages; and
 Provides extraterritorial protections that restrict the 
        transfer of covered personal data to only those non-EU 
        countries that provide an ``adequate'' level of privacy 
        protection.

                     B. THE SAFE HARBOR AGREEMENT.

    The Safe Harbor Privacy Principles, negotiated between the U.S. 
Department of Commerce and the European Union and agreed to in July 
2000, grant U.S. companies who are subject to the jurisdiction of the 
FTC or the Department of Transportation a presumption of ``adequacy'' 
of protecting personal data for purposes of the Directive, thereby 
allowing data transfers from the EU to continue to that company. U.S. 
organizations that choose not to qualify for the Safe Harbor will only 
be able to transfer data from the EU under one of the allowed 
exceptions or with an alternative safeguard, such as an EC-approved 
contract with the EU entity transferring the data--an approach 
permitted in theory but not yet available due to the European 
Commission's failure thus far to adopt model contract provisions. In 
the meantime, the negotiations over treatment of financial services 
companies have not been completed, leaving banks, savings and loans, 
and credit unions, other than their affiliates under certain 
conditions, outside the Safe Harbor.
    Briefly, the Safe Harbor:

 Consists of the seven principles of notice, choice, onward 
        transfer, security, data integrity, access, and enforcement;
 Is voluntary;
 Applies forever to all EU personal data received during the 
        company's participation, even if the company later leaves the 
        Safe Harbor;
 Has been available since November 1, 2000 to U.S. 
        organizations through two qualifying options: (1) joining a 
        self-regulatory organization; or (2) implementing appropriate 
        self-regulatory privacy policies;
 Offers protection against direct enforcement by EU Data 
        Protection Authorities (``DPAs''), although if an individual 
        DPA working in conjunction with the FTC finds a violation or 
        ``substantial likelihood'' of a violation, it will be permitted 
        to bring enforcement against a U.S. company; and
 Does not protect U.S. organizations against private rights of 
        action by EU residents, who may initiate privacy actions under 
        their respective national laws.

1. Signing Up for the Safe Harbor Program.
    The U.S. Department of Commerce has had the Safe Harbor program in 
place and available for participation by U.S. companies since November 1, 
2000. As of March 5, 2001, 26 U.S. companies had signed up for the Safe 
Harbor. There is as yet no fixed date by which U.S. organizations must 
either join the Safe Harbor or risk disruptions in the transfer of 
information from EU Member States. The current stand-still on 
enforcement by the EU runs out on July 1, 2001, although EU officials 
have privately told U.S. officials that they anticipate extending the 
standstill for a further period as they continue their efforts to secure 
compliance with the Directive within the EU's Internal Market.
    Safe Harbor members remain subject to the substantive requirements 
of the Directive and open to private rights of action by EU residents.

2. Qualifying for the Safe Harbor.
    There are several methods by which organizations may qualify for 
the Safe Harbor. An organization may self-certify to the Department of 
Commerce that:

 It has joined a self-regulatory organization that adheres to 
        the Principles;
 It has implemented privacy policies that conform with the 
        privacy principles of the Directive; or
 It is subject to a statutory, regulatory, administrative or 
        other body of law that effectively protects personal privacy 
        consistent with the Directive. (Note: To date, the EU has not 
        accepted that any U.S. law meets this standard, so this option 
        is not currently available to U.S. companies.)
    Alternatively, an organization may enter into EU-approved contracts 
directly with the entities in the EU that transfer data to the U.S. 
(Note: This option is also not yet available in practice, as such 
contracts must follow forms approved by the European Commission, which 
has not yet issued such forms. However, the Model Contracts are nearing 
the completion phase, and are due to be recommended by the relevant 
committee overseeing the Directive, the so-called ``Article 31'' 
Committee, in late March, 2001. Further discussion of the Model 
Contracts is set forth below.)
    Organizations that rely on self-regulation and self-certification 
are subject to FTC enforcement for unfair or deceptive trade practices 
with respect to any misrepresentations concerning their adherence to 
the Principles. Companies that choose to self-regulate and self-certify 
must provide the Department of Commerce a self-certification letter on 
an annual basis. The Department of Commerce has agreed to establish and 
maintain a publicly available list of companies adhering to the 
Principles. An organization that fails to submit an annual self-
certification letter will be removed from the list and Safe Harbor 
benefits will no longer be assured via this mechanism. Safe Harbor 
benefits begin on the date an organization self-certifies to the 
Department of Commerce. Once an organization joins the Safe Harbor, it 
must apply the Principles to covered data for as long as it stores, 
uses or discloses the data, even if it subsequently leaves the Safe 
Harbor.

3. Applying the Safe Harbor's Seven Privacy Principles (Building a 
        Privacy Program).
    The Principles are comprised of the basic concepts of notice, 
choice, onward transfer, security, data integrity, access, and 
enforcement. Any organization qualifying for the Safe Harbor program 
must develop a privacy policy that complies with these seven basic 
principles.
    a) Notice. The U.S. organization must provide EU individuals with 
clear and conspicuous notice regarding the purposes for which it 
collects and uses their personal information; how to contact the 
organization with inquiries or complaints; the types of third parties 
to which it discloses the information; and the choices and methods 
available to the individual for limiting its use and disclosure (the 
Notice). Personal data and information are defined in the Principles as 
``data about an identified or identifiable individual that are within 
the scope of the Directive, received by a U.S. organization from the 
European Union, and recorded in any form.''
    The organization must supply the Notice when individuals are first 
asked to provide personal information or as soon thereafter as 
practicable, but prior to disclosing the information to a third party 
or using it for any purpose other than that for which it was originally 
collected. When disclosing information to a third party that is 
operating as an agent (such as an outsourcer or other third party 
service provider), the organization is not required to provide Notice.
    b) Choice. A qualifying organization must allow individuals to opt 
out of: (a) disclosing their information to a third party; and (b) 
using their information for a purpose other than that for which it was 
originally collected. The Principles do not define the term 
``organization,'' leaving unanswered the question of whether an 
organization may share data with its affiliates without a formal opt-
out procedure.
    Individuals must affirmatively consent (opt in) to an 
organization's disclosure of sensitive personal information to a third 
party or using it for a purpose other than that for which the 
information was originally collected. Sensitive information includes 
personal information specifying medical or health conditions, racial or 
ethnic origin, political opinions, religious beliefs, trade union 
memberships, information specifying the sex life of the individual, and 
any information submitted by a third party as sensitive information. 
There are limited exceptions; for instance, opt-in approval is not 
required when the sensitive information is necessary to carry out the 
organization's employment obligations.\9\
---------------------------------------------------------------------------
    \9\ See Draft, Frequently Asked Questions (FAQs) FAQ 1--Sensitive 
Data (all FAQs are accessible from http://www.ita.doc.gov/td/ecom/
menu.html; hereinafter referenced as ``FAQ ____'').
---------------------------------------------------------------------------
    c) Onward Transfer. Organizations may only disclose personal 
information to third parties consistent with the principles of notice 
and choice. With respect to transfers of personal data to a third party 
acting as an agent, an organization must determine either that the 
Agent subscribes to the Principles or is subject to the Directive, 
before transferring the data. If the agent does not meet one of these 
requirements, the contract between the organization and the agent must 
obligate the agent to provide at least the same level of privacy 
protection as required under the Principles. If an organization 
complies with this requirement, it will not be held responsible for an 
agent's improper processing of the personal data, unless it knew or 
should have known that the third party would process the information 
improperly.
    d) Security. Organizations that collect, maintain, use or disclose 
personal information must take reasonable precautions to protect such 
personal information from loss, misuse and unauthorized access, 
disclosure, alteration and destruction.
    e) Data Integrity. Organizations may collect only that personal 
information relevant to the purpose for which it will be used and must 
take reasonable steps to ensure that such personal data is not only 
reliable for its intended use, but is also accurate, complete and 
current. If an organization is serving merely as a conduit for personal 
data transmitted by third parties (e.g., ISPs, telecommunications 
carriers, or others that merely transmit, route, switch or cache 
information) and does not determine the purposes and means of 
processing such data, it will not be held responsible for any violation 
of the Principles by the third parties transmitting such 
data.\10\
---------------------------------------------------------------------------
    \10\ See FAQ 3.
---------------------------------------------------------------------------
    f) Access. The right of access is considered fundamental to the 
Principles, but it is not absolute. Organizations must give individuals 
access to their personal information and the ability to correct, amend 
or delete inaccurate information, except where the burden or expense of 
providing access is disproportionate to the individual's privacy rights 
at issue or where the rights of persons other than the requesting 
individual would be violated.\11\ Individuals are not 
obligated to justify any request for access to their own personal data 
and organizations are permitted to charge a reasonable fee for such 
access. If an organization decides to deny access, it must be for a 
specific reason and the organization must provide an explanation of its 
decision to the requesting individual.\12\
---------------------------------------------------------------------------
    \11\ See FAQ 8.
    \12\ See FAQ 8 for a detailed explanation of the access principle.
---------------------------------------------------------------------------
    g) Enforcement. Safe Harbor organizations must implement compliance 
procedures or mechanisms. At a minimum, this must include: (a) readily 
available and affordable independent recourse mechanisms by which an 
individual's complaints are investigated and resolved and damages 
awarded as provided under applicable law or private sector initiatives; 
(b) follow-up procedures for verifying that the assertions businesses 
make about their privacy practices are true and have been implemented 
as presented; and (c) obligations to remedy problems arising out of 
failure to comply with the Principles and consequence for violators.
    An organization may satisfy the dispute resolution requirements set 
forth in (a) and (c) above by: (1) agreeing to cooperate with DPAs 
located in the European Union; (2) complying with private sector-
developed privacy programs that incorporate the Principles into their 
rules and that include effective enforcement mechanisms of the type 
described in the enforcement principle; (3) complying with legal or 
regulatory supervisory authorities that provide for the handling of 
individual complaints and dispute resolution; or, (4) any other 
mechanism devised by the private sector that meets the requirements of 
the enforcement principle.
    An organization may fulfill the verification requirement of (b) of 
the enforcement principle either through self-assessment or outside 
compliance reviews. Under the self-assessment approach, an organization 
must issue an annual written verification statement, signed by a 
corporate officer or other authorized representative and made available 
upon request.\13\ Under the outside compliance approach, 
reviews should be conducted at least once a year and should demonstrate 
that an organization's privacy policy conforms to the Principles, and 
that the organization is in compliance.\14\
---------------------------------------------------------------------------
    \13\ See FAQ 7.
    \14\ See FAQ 7.
---------------------------------------------------------------------------

4. How Violations May Be Enforced.
    Violations of the Safe Harbor Privacy Principles may be enforced in 
several ways. An organization that chooses to subject itself to DPA 
enforcement must agree to: (a) cooperate with the DPAs in the 
investigation and resolution of complaints brought under the Safe 
Harbor; (b) comply with any advice given by the DPAs, including 
remedial or compensatory measures; and (c) provide the DPAs with 
written confirmation that such action has been taken. Organizations 
must comply with the advice of the DPAs within 25 days. If the 
organization has not complied, or proffered a satisfactory explanation 
for its non-compliance, the DPA will submit the matter to the FTC or 
other U.S. federal or state body with statutory powers to take 
enforcement action. Any failure to cooperate with the DPAs or to comply 
with the Principles will be actionable as a deceptive practice under 
Section 5 of the FTC Act.\15\
---------------------------------------------------------------------------
    \15\ See FAQ 5.
---------------------------------------------------------------------------
    The FTC has agreed to review on a priority basis any complaints of 
Safe Harbor violations referred by privacy self-regulatory 
organizations (such as TRUSTe and BBBOnline) or EU member nations. If 
the FTC finds a violation, it may seek an administrative cease and 
desist order (with potential civil penalties) or file a complaint in a 
federal district court (with potential civil or criminal contempt 
charges). If an organization persistently fails to comply with the 
Principles, it will be denied the benefits of the Safe Harbor.

5. Exceptions to the Principles.
    The Principles provide for exceptions in certain limited 
circumstances. These include: (a) where necessary to meet national 
security, public interest or law enforcement requirements; (b) where 
statutes, government regulations or case law create conflicting 
obligations or explicit authorizations, provided an organization can 
demonstrate that its non-compliance is limited to the extent necessary 
to meet the overriding legitimate interests furthered by such 
authorization; or (c) where the effect of the Directive or a Member 
State's law is to allow exceptions, provided they are applied in 
comparable contexts.

6. Current Data Transfers Protected for the Time Being.
    Pursuant to Article 26 of the Directive, Member States may permit a 
transfer or a set of transfers of personal data to a third country that 
does not ensure an adequate level of protection if: (a) the data 
subject has given his consent unambiguously to the proposed transfer; 
(b) the transfer is necessary for the performance of a contract between 
the data subject and the controller or the implementation of pre-
contractual measures taken in response to the data subject's request; 
(c) the transfer is necessary for the conclusion or performance of a 
contract in the interest of a data subject between the controller and a 
third party; (d) the transfer is necessary or legally required on 
important public interest grounds; (e) the transfer is necessary to 
protect the vital interests of the data subject; or (f) the transfer is 
made from a register which, according to laws or regulations, is 
intended to provide information to the public and which is open to 
public consultation.

7. Effectiveness to Be Evaluated in 2001, 2003.
    The Commission will review the initial progress of the Safe Harbor 
program in mid-2001. This interim evaluation will be conducted by the 
Department of Commerce and the Commission to determine whether any 
organizations have joined the Safe Harbor and whether their privacy 
programs have been successful. If U.S. organizations are either not 
participating in the Safe Harbor, or are not complying with the Safe 
Harbor requirements, the Department of Commerce and the Commission will 
re-evaluate the Safe Harbor and may at that time set a date by which 
U.S. organizations must comply or risk disruptions in data transfers 
from Member States. The Commission will then conduct a more formal 
review of its decision and the effectiveness of the Safe Harbor in 
2003.

8. Timing of Safe Harbor Decision.
    For most U.S. companies, there have been three natural 
opportunities to make judgments about whether to enter the Safe Harbor: 
(1) the initial period after November 1; (2) the spring of 2001, 
following the formation of a new Administration and the resumption of 
U.S. and EU negotiations over financial services; and (3) June, 2001, 
before the current enforcement stand-still is theoretically due to 
expire. As set forth above, very few U.S. companies took advantage of 
the initial period, nor does there currently appear to be a rush to 
sign up. Most companies have been well-advised to defer their decisions 
until close to the deadline for the end of the stand-still, when it may 
become easier to assess actual EU enforcement intentions.

9. Safe Harbor Intended to Provide Predictability and Harmonization.
    The Department of Commerce has described the Safe Harbor as 
providing ``predictability and continuity for U.S. and EU companies 
that are sending and receiving personal information from Europe.''\16\ 
The principal benefit ascribed to the Safe Harbor is that 
it makes automatic the approval by all EU Member States of data 
transfers to participating U.S. companies, giving a presumptive finding 
of adequacy for any company that has signed up, articulated its 
commitment to the Principles, and specified its agreement to an 
enforcement mechanism. In addition, the Directive is designed to be 
implemented by laws in each of the fifteen countries that are members 
of the EU. These laws vary significantly. By providing a single set of 
data protection rules, the Safe Harbor may offer advantages for 
companies that operate in more than one EU country.
---------------------------------------------------------------------------
    \16\ The Safe Harbor Privacy Principles, Frequently Asked Questions 
and other supporting final documents, including further information on 
the Safe Harbor list and European Commission supporting documents, are 
available from the DOC at: http://www.ita.doc.gov. Organizations will 
also be able to sign up for the Safe Harbor list at this Web site.
---------------------------------------------------------------------------
    At the same time, these benefits come at a significant cost. 
Participation requires U.S. companies to undertake substantive privacy 
obligations that go far beyond those required under current U.S. law. 
The Principles require not merely notice and choice for consumers, but 
a commitment by the Safe Harbor participant not to transfer personal 
data to any third party unless the Safe Harbor participant is assured 
that the third party also adheres to the Principles. Participating 
companies must also provide access for each individual to all of their 
personal information held by the organization, and the right to 
correct, amend or delete inaccurate information. In general, U.S. 
companies that sign on to the Safe Harbor automatically submit 
themselves to the jurisdiction of the Federal Trade Commission (FTC), 
which will have the authority to enforce the Safe Harbor by treating 
failures to comply with posted privacy policies as unfair or deceptive 
trade or business practices. Companies that do not abide by their Safe 
Harbor commitments may also be subject to civil actions for damages 
brought directly by individual European citizens.

10. Key Terms Still Ambiguous.
    Applying the Safe Harbor could be especially complex for U.S. 
companies whose structure includes multiple corporate units handling 
different kinds of personal information for different purposes. Key 
terms used in the Principles, such as ``organization'' and ``third 
party,'' remain intentionally undefined because of differences between 
the U.S. and the EU over the meaning of the terms. These ambiguities 
make it difficult to determine whether a transfer of personal 
information is within the ``organization'' and permissible or to a 
``third party,'' requiring consumer consent. Differing interpretations 
of the law by the individual EU Privacy Commissioners raise other 
uncertainties, as does the mix of enforcement mechanisms in the U.S. 
and in the EU.

11. Status of U.S. Financial Institutions Remains To Be Negotiated.
    Financial institutions, as broadly defined under the Financial 
Services Modernization Act of 1999 (the ``Gramm-Leach-Bliley'' bill or 
``GLB'') face separate issues. The U.S. and the European Commission 
were unable to reach agreement that GLB adequately protects privacy, in 
large part because GLB permits the sharing of personally identifiable 
information among affiliates. As a result, compliance with GLB for 
financial institutions is not at this time deemed by the EU to 
constitute compliance with either the Directive or the Safe Harbor. 
Because the FTC's underlying authority excludes banks, savings and 
loans and credit unions from FTC jurisdiction, these financial 
institutions may not participate directly in the Safe 
Harbor.\17\ The Department of Commerce has advised that 
applications from such institutions for the Safe Harbor will not be 
accepted, because of the absence of FTC jurisdiction.
---------------------------------------------------------------------------
    \17\ See 15 U.S.C. Sec. 45(a)(2) and Sec. 45(a)(f)(1), for a 
description of the FTC's jurisdictional limits.
---------------------------------------------------------------------------
    The U.S. and the European Commission have agreed in principle to 
renew talks in an effort to secure an agreement covering financial 
services, but these negotiations have yet to move forward in a 
substantive fashion. In the meantime, the EU stand-still for financial 
services is expected to remain in place until at least July 1, 2001, 
and from then, until some agreement is reached between the U.S. and the 
EU on an enforcement mechanism to permit their participation in the 
Safe Harbor or compliance with the Directive through other means.

12. How Safe Harbor Works.
    When a company signs up for the Safe Harbor, it is obligated to 
apply the Principles to all data transferred after the date it enters 
the Safe Harbor, except data that is manually processed. That 
obligation remains regarding that data forever, even if the company 
later withdraws from the Safe Harbor. To qualify, a company must also 
specify to which enforcement agency's jurisdiction it is submitting. At 
this time, only two U.S. agencies have been granted recognition by the 
EU for this purpose: (1) the Department of Transportation, for airline 
carriers, computer reservation systems and other entities it regulates; 
and (2) the FTC for all other U.S. businesses (except as noted above).

13. Qualifying for the Safe Harbor.
    The DOC is administering the Safe Harbor and has posted rules for 
signing up.\18\ The rules include:

---------------------------------------------------------------------------
    \18\ See http://www.ita.doc.gov.
---------------------------------------------------------------------------
 Notification to the DOC by a corporate officer by mail or 
        through www.ita.doc.gov/ecom that the organization adheres to 
        the Principles;
 A request to be put on the Safe Harbor List;
 Public declaration by the organization that it adheres to the 
        Principles and the inclusion of this statement in a published 
        privacy policy; and
 Specification that it is subject to the jurisdiction of the 
        FTC or the Department of Transportation, and further 
        specification of any self-regulatory body, such as TRUSTe or 
        BBBOnline, whose rules it is applying as a means to adhere to 
        the Principles.

 C. ANALYSIS OF THE NEW EU MODEL CONTRACT FOR PERSONAL DATA TO COMPLY 
                     WITH THE EU PRIVACY DIRECTIVE

    As part of securing global compliance with its Directive on Data 
Protection (the Directive), the European Union is nearing adoption of 
``Model Contracts'' to govern the transfer of personal data from the EU 
to the United States. New draft Model Contracts are currently under 
review at the European Commission in Brussels, and final action could 
come as soon as June, 2001. To date, the U.S. government has not taken 
a position on the Model Contracts, despite their broad potential impact 
on U.S. companies.
    The new Model Contracts obligate U.S. importers of data to comply 
with substantive EU data privacy law containing requirements far more 
onerous than those applicable in the United States. Compliance with the 
legal obligations embodied in the Model Contracts could create very 
substantial costs for U.S. companies and impact the U.S. and global 
economies.
    Once approved by the EU, the Model Contracts would permit an EU 
entity to send personal data to a company located in a country, such as 
the U.S., that the EU has not yet deemed to have ``adequate 
protection'' in place for personal data. The Directive indicates that 
adoption of a Model Contract is one means of achieving adequate 
protection. Under the terms of the U.S.-EU Safe Harbor agreement on 
data privacy made in July, 2000, entry by a U.S. company into the Safe 
Harbor is another means of achieving adequacy of protection. However, 
the Safe Harbor is not available to certain types of companies such as 
financial institutions and telecommunications companies, leaving them 
potentially no alternative to the Model Contracts. Furthermore, recent 
comments by EU officials may cast doubt upon the Safe Harbor as a fully 
sufficient means of satisfying EU regulatory requirements. As no other 
means of providing adequacy of protection has been approved by the EU, 
Model Contracts may come to be required for many U.S. companies 
receiving personal data from the EU.\19\ Notably, the EU 
intends to create an exception to this requirement for a non-EU company 
that is merely processing data on behalf of an EU company and that 
exercises no control over the data.
---------------------------------------------------------------------------
    \19\ It is not yet clear the extent to which existing contracts 
between EU and US firms governing the processing of personal data from 
controller to controller will be grandfathered and renewable. The 
European Commission has informally stated that it anticipates existing 
contracts will remain lawful, but that the Data Protection Authorities 
will have the discretion to require tougher privacy obligations as such 
contracts are renegotiated.
---------------------------------------------------------------------------
    The Model Contracts raise questions of U.S. sovereignty. Under the 
Model Contracts, U.S. firms would be required to apply EU substantive 
privacy law to their operations extraterritorially and to submit to EU 
jurisdiction and auditing of their facilities. They also would have to 
accept joint and several liability, as well as the right of all data 
subjects whose data is exported from the EU to sue for alleged 
violations. U.S. parties to the Model Contracts would have to provide 
all EU data subjects the right to access and correct all of their 
personal data, and the right to stop its use for any purpose beyond the 
original consent.
    The Model Contracts have come in ``under the radar'' while 
attention was focused on the Safe Harbor, negotiated last year between 
the U.S. and the European Union.\20\ The Safe Harbor provides 
U.S. firms who sign up to it a finding of ``adequacy'' under the 
Directive, thus protecting them from possible disruptions in data flows 
by EU Member States. But to date, only a handful of U.S. firms have 
signed up to the Safe Harbor. As such, the EU's drive to create the 
Model Contracts and its apparent move to require them for transactions 
not covered by the Safe Harbor appears to be an attempt to fill the 
wide gap left by the narrow impact of the Safe Harbor.
---------------------------------------------------------------------------
    \20\ See Alston & Bird LLP Electronic Commerce and International 
Regulatory Advisory, ``The EU Safe Harbor--Should Your Company Sign on 
Now?,'' dated October 30, 2000 and located at: http://www.alston.com/
docs/Advisories/199709/The__EU__Safe__Harbor.pdf.
---------------------------------------------------------------------------
    The EU has advised that it intends to move forward with the 
adoption of the Model Contracts, sending them to the European Parliament 
for consideration, over the course of the spring. The Commission has 
advised that the Model Contracts could enter into force as early as 
July 1, 2001, the end of the current standstill for enforcement of the 
Directive against U.S. firms. In practice, this deadline, like any 
political timetable, remains subject to change. Significantly, July 1, 
2001 is also the deadline for compliance by U.S. financial institutions 
with the privacy provisions of the Gramm-Leach-Bliley Act.

               U.S. ADMINISTRATION CONSIDERING RESPONSE.

    The Bush Administration is currently in the process of considering 
responses to EU queries regarding the Model Contracts. Newly arrived 
policymakers at the Departments of Commerce and Treasury are now 
considering whether to act to slow the EU's adoption of the Model 
Contracts, given their potential impact on substantial sectors of the 
U.S. economy and on trans-Atlantic data flows.
    If the Model Contracts are adopted, and the U.S. government does 
not object, U.S. firms who control personal data that comes from the 
EU, and are not part of the Safe Harbor, will, in essence, be forced to 
rapidly adopt new information management practices required by EU 
regulations. Such companies may wish to examine their current 
information management practices against the emerging laws, 
regulations, codes, and guidelines in the EU, to determine the 
feasibility and costs of compliance.
    For now, U.S. companies concerned about the potential impact of the 
Model Contracts may wish to express their views to the key players in 
the Bush Administration, which, in addition to the Departments of 
Commerce and Treasury, include the Office of the Trade Representative, 
the National Economic Council, and the U.S. Department of State.

                  AN OVERVIEW OF THE MODEL CONTRACTS.

What Are the Model Contracts?
    Under the Directive, the EU has the right to develop Model 
Contracts that can be used as mechanisms to ensure that EU Data 
Exporters (Data Exporters) have secured adequate assurances from non-EU 
Data Importers (Data Importers). The Directive does not, however, 
specify what elements need to be in the Model Contracts. The EU first 
promulgated possible text of the Model Contracts on September 29, 2000, 
providing a two-week window for comment. In mid-January, EU 
representatives advised the U.S. Department of Commerce of the EU's 
likely adoption of the Model Contracts in February or March. At the 
same time, the EU group given the responsibility of developing the 
Model Contracts by the Directive (known as the ``Article 29'' 
Committee), suggested that all data flows from the EU to any non-EU 
entity would have to be governed by either the Model Contracts or more 
stringent measures that might be enacted by individual EU Member States 
who choose to provide even higher levels of protection.

Relationship of Model Contracts to Safe Harbor.
    In the past, the EU characterized the Model Contracts as a possible 
alternative to the Safe Harbor for U.S. firms, and the fundamental 
alternative for U.S. entities such as financial institutions and 
telecommunications firms that could not participate in the Safe Harbor. 
This position finds direct support in the language of the EU-US Safe 
Harbor agreement. Now, however, comments by EU officials in the 
``Article 29'' Committee that has endorsed the contracts, have advised 
that the Model Contracts should be viewed as a mandatory ``floor'' of 
protections for personal data being exported from the EU. As a result, 
according to the ``Article 29'' Committee, the provisions of the Model 
Contract, or other contracts providing equivalent or greater 
protections, must be agreed to by any non-EU entity from a country that 
is deemed to have inadequate privacy laws. For the U.S., the provisions 
of the Model Contracts would therefore presumably apply to all U.S. 
firms importing personal data from the EU over which they exercise 
control, other than U.S. firms that have actually entered the Safe 
Harbor.21
---------------------------------------------------------------------------
    \21\ As set forth in footnote 18, one likely near term exception 
would grandfather existing contracts already approved by EU data 
protection authorities for the export of data. Whether or not these 
contracts could be renewed with their existing provisions if they 
failed to contain such provisions as guaranteeing data subjects the 
right to sue as third party beneficiaries, and joint and several 
liability, is not certain. The Article 29 Committee's statements 
suggest that such provisions will be mandatory. However, to a 
considerable extent the Member States will remain free to determine how 
to use the Model Contracts as they apply the domestic laws in 
conformity with the requirements of the Directive.
---------------------------------------------------------------------------

Who Would Be Covered by Model Contracts?
    If the new EU position is adopted unhindered, sectoral coverage 
under the Model Contracts would be extremely broad, reaching most 
Trans-Atlantic flows of personal data. The EU would require the Model 
Contracts to be used whenever there was a transfer of personal data 
within an international or multinational group of companies, within a 
consortium of independent organizations set up to process international 
transactions, between independent entities where both companies 
exercise control over the data, between providers of professional 
services (such as lawyers, accountants, financial advisers, 
stockbrokers, and surveyors), or for direct marketing, and insolvency 
and bankruptcy sales.

Required Elements of Model Contracts.
    In the current draft of the Model Contracts, contracts entered into 
between Data Exporters and Data Importers must create an adequate level 
of protection for personal data transferred to the non-EU country. The 
contracts must be entered into for the explicit ``benefit of Data 
Subjects,'' which would create a private cause of action for anyone who 
deemed themselves injured by an infringement of their data rights. 
Under the Model Contracts, the data subjects would have the explicit 
right to enforce the terms of the contracts as third party 
beneficiaries. In this instance, the data subject would be free to 
choose dispute resolution in the forum of his or her choice, including 
mediation, the courts of the exporting Member State, a forum for 
disputes provided by the DPA in the exporting Member State, or an 
arbitration body chosen by the data subject. Although the Model 
Contracts do not explicitly address the issue of the enforcement of 
contract rights outside the EU, in theory, a U.S. person whose data is 
exported from the EU to the US in alleged violation of a provision of a 
Model Contract would also be a third party beneficiary to the contract, 
with the right to sue under the contract in the courts of their 
domicile, such as in the U.S.

Obligations of the Data Exporter.
    The draft Model Contracts would require all Data Exporters to 
warrant that: they have met the Directive's obligations in collecting 
and processing personal data; they have, before any data is 
transferred, explicitly informed data subjects that their data could be 
transferred to a third country if the importing entity entered into a 
contract containing protective clauses provided by law for this 
purpose; and they will make the protective clauses available upon the 
request of any data subject.

Obligations of the Data Importer.
    Under the proposed Model Contracts, Data Importers will essentially 
be required to meet the full obligations of EU entities in handling 
data. Indeed, in some respects, the Model Contracts go beyond the 
literal requirements of the Directive itself, and in pursuit of the 
ostensible goals of the Directive, would impose entirely new 
obligations on Data Importers. Among their most significant 
obligations, the Model Contracts would require Data Importers to:

 Agree to submit all of their data processing facilities, files 
        and documents to audit by the Data Exporter and the DPAs in the 
        EU.
 Cooperate with the DPA in any inquiries regarding data 
        processing and abide by the advice of the DPA if given.
 Process data in accordance with a body of laws approved by the 
        EU as offering adequate protection, which may include, at the 
        Data Exporter's option, the laws of the exporting EU country, a 
        set of newly-promulgated Mandatory Data Protection Principles, 
        or the laws of the country where the Data Importer is based if 
        found by the EU to offer adequate protection (but only if the 
        importer is not already subject to such laws). Any of these 
        alternatives may include more stringent requirements than the 
        Directive itself.
 Use the data only for the purposes for which the data has been 
        transferred.
 Store data only as needed to carry out the purposes for which 
        the data has been transferred.
 Not retransfer the data to an entity in a jurisdiction whose 
        laws are not deemed to offer adequate protection unless the 
        data subject has opted in to such transfer in the case of 
        sensitive data, or has been given an opt-out opportunity in all 
        other cases. Alternatively, the Data Importer may put a Model 
        Contract in place with its intended transferee.
 Allow the data subject access to all data relating to him or 
        her being processed in the U.S.
 Allow the data subject the right to correct or delete data 
        which has become inaccurate.
 Allow the data subject the right to object to the processing 
        of his or her data on compelling grounds based upon his or her 
        particular situation.
 Name a privacy officer to handle inquiries from Data Exporters 
        and the DPAs.

EU Laws Would Govern Liability for U.S. Firms.
    The Model Contract process would not permit U.S. Data Importers 
freedom of contract with Data Exporters with respect to liability 
issues. Rather, it would automatically require all Data Exporters and 
Data Importers to agree to be held jointly liable for damages to data 
subjects resulting from any unlawful processing or act incompatible 
with the national laws adopted pursuant to the Directive. The parties 
remain free to provide for mutual indemnification by contract, but the 
risk of insolvency in the Data Exporter is thus passed on to the U.S. 
Data Importer, leaving the data subject protected with the U.S. Data 
Importer's assets for breaches by either party. Although the U.S. Data 
Importer may be exempt from liability if it can prove that the Data 
Exporter is solely responsible for the violation, the burden of proof 
is shifted onto the U.S. Data Importer in such cases.

Non-EU Firm Must Agree To Abide By EU Decisions Over Privacy 
        Violations.
    To import personal data from the EU, Data Importers from countries 
deemed to have inadequate personal data protections, would be required 
to abide by the data subject's choice for a dispute resolution forum, 
in the event that the data subject is a party to the dispute. 
Permissible choices include a mediation forum, the EU court in the 
Member State where the Data Exporter is established, a body for dispute 
resolution provided by the DPA in the Member State where the Data 
Exporter is established, or an arbitration forum in a country which is 
party to the conventions on enforcement of arbitration awards. Note 
that the Data Importer must also agree in advance to abide by the 
decisions of the DPAs in the EU as if it were a party to the 
proceedings, even if it has not actually participated in them.

             COST AND FEASIBILITY OF COMPLIANCE UNCERTAIN.

    This summer, the EU plans to review the effectiveness of the 
Directive in meeting its goals. As it does, the EU will face the 
reality that compliance with the Directive is spotty. In some EU 
countries, such as Spain and the United Kingdom, DPAs have begun to 
initiate enforcement actions and require privacy violators to pay 
substantial fines. In other EU countries, including France and Germany, 
the European Commission is still taking legal action to force the 
Member State to enact required privacy laws.
    In the meantime, neither the European Commission nor any EU country 
has yet to conduct any published study that would provide guidance as 
to either how costly compliance might be, or whether complete 
compliance with the Directive is actually possible, either for larger 
firms with complex corporate structures, or for smaller and medium-
sized enterprises that have limited resources for information 
management. On the other hand, pressed by the threat of information 
cut-offs, a number of other countries, including Argentina, Australia,22 
Canada,23 Hong Kong, Hungary, New Zealand, 
and Switzerland have now passed data protection laws similar to those 
of the EU. The tension between the growing web of international data 
protection laws, and the very limited history of the enforcement of 
these laws, creates an uncertain and potentially difficult business, 
information management, and legal environment for many companies who 
process personal data across national borders.
---------------------------------------------------------------------------
    \22\ See Alston & Bird LLP Electronic Commerce and International 
Regulatory Advisory, ``Foreign Privacy Laws Proliferate: New Laws in 
Argentina and Australia Have Extraterritorial Application,'' dated 
December 19, 2000, and located at: http://www.alston.com/docs/
Advisories/199709/Foreign__Privacy__Laws.pdf.
    \23\ See Alston & Bird LLP Electronic Commerce and Financial 
Services Advisory, ``New Canadian Privacy Law Now in Effect; Potential 
Impact on U.S. Firms Obtaining Personal Information from Canada,'' 
dated January 23, 2001, and located at http://www.alston.com/docs/
Advisories/199709/new__canadian__privacy.pdf.
---------------------------------------------------------------------------

                             IMPLICATIONS.

    The new EU Model Contracts have the potential to go well beyond the 
Safe Harbor to impact information practices of U.S. firms. The EU's 
Article 29 Committee has suggested that it intends to encourage the 
Member States' DPAs to apply the Model Contracts to most international 
data flows involving countries that it has not deemed to have adequate 
personal data protections. Although existing contracts governing data 
protection would likely be grandfathered for the near term, over time, 
the DPAs would use the Model Contracts, or their functional 
equivalents, to ensure that EU jurisdiction, choice of law, regulation, 
and sanctions govern all data that leaves Europe to such places as the 
U.S. This approach would deprive non-EU entities of independent 
recourse in disputes, requiring them to submit to and abide by whatever 
the data subjects or DPAs decide. In short, it would subject the Data 
Importer to the full power of the European Union's national authorities 
and laws, regardless of where the Data Importer is located.

                            RECOMMENDATIONS.

    Any U.S. company that receives customer or employee personal data 
from the EU should review its existing information management systems, 
human resources practices, information collection practices, and 
information dissemination practices against the requirements of the 
Model Contracts to determine the extent to which existing systems and 
practices are in compliance. An assessment should be made of compliance 
costs for meeting the Model Contracts requirements, including the 
provisions regarding access rights for data subjects. In light of the 
fact that the EU Model Contracts have yet to be promulgated, 
potentially affected firms may wish to consider providing their views 
on the Model Contracts to relevant policymakers in both the EU and the 
United States.

    Mr. Stearns. Thank you.
    Professor Reidenberg?

                 STATEMENT OF JOEL R. REIDENBERG

    Mr. Reidenberg. Thank you very much, Mr. Chairman, members. 
I would also like to commend you for holding today's hearing to 
explore and understand the international dimensions of the 
global information marketplace.
    As background to the hearing today, I have authored--co-
authored two books related specifically to the subjects that we 
are talking about, and over the last decade have served as an 
expert advisor both to the Congress at the Office of Technology 
Assessment, the Federal Trade Commission, and to the European 
Commission. I am here today, though, as a scholar on data 
protection law and policy.
    I prepared a written statement that I ask you to include in 
the record.
    Mr. Stearns. By unanimous consent, all of the written 
statements will be made part of the record.
    Mr. Reidenberg. Thank you. And I would like to highlight in 
these remarks three areas from that statement.
    The first are the implications of the EU directive here in 
the United States. From the business perspective, the directive 
I think has both positive and negative trade effects. On the 
positive side, which we have not really heard about in today's 
hearing, the directive harmonizes in the EU marketplace for the 
15 member states privacy standards, and establishes their 
single market for flows of information.
    I think that is something that is very important. That is a 
benefit for American businesses. It means that they operate 
with one more or less uniform set of standards as opposed to 15 
radically different country laws.
    On the negative side, the directive will force intense 
scrutiny and limits on international data flows. This--I would 
disagree with the assessments that this is an extraterritorial 
application of European law, because I think that it is the 
European Union saying, ``If it is European origin data, we want 
to be sure that our local privacy rules are not circumvented 
overseas.''
    For U.S. citizens, the directive I think highlights that 
American citizens are becoming second-class citizens in the 
privacy world, the global level. Why? American law has simply 
not kept up with the technology. The directive is being 
followed around the world. Countries prefer the European 
approach to the United States treatment of personal 
information.
    And the consequence for that is that citizens outside the 
United States will have better legal protection for their 
privacy in the global marketplace than those citizens within 
the United States.
    The second point that I would like to highlight in my 
testimony is that the safe harbor solution to assure 
international data flows I believe is completely illusory. Safe 
harbor is not going to be a satisfactory way of rectifying the 
serious weaknesses in American law.
    The legal basis for safe harbor in the United States I 
think is very questionable. The safe harbor is predicated on 
Federal Trade Commission enforcement under Section 5 and the 
availability of legal recourse in the United States.
    And if we look at the Federal Trade Commission statutory 
authority, I do not believe that the Federal Trade Commission 
has the authority to protect foreign consumers under the unfair 
and deceptive practices jurisdiction in order to advance U.S. 
business interests. And, in fact, the Supreme Court has 
interpreted the FTC's authority rather narrowly, and Congress 
has yet to specifically authorize the FTC to protect foreign 
consumers.
    The proposed recourse I think is rather meaningless. The 
memorandum that was submitted to the European Commission and 
approved as part of the package refers, for instance, to tort 
rights that are available under American law. Well, they don't 
exist yet. We do not have cases in the United States where 
courts have enforced tort rights for data privacy cases.
    The Seal Organizations that are also touted under the safe 
harbor--and when we look at the membership lists, I think we 
find it a who's who of privacy scandal-plagued companies. And I 
think that is very troubling.
    If you look at the scope of safe harbor, it is extremely 
narrow. Most of e-commerce will be outside the scope of the 
safe harbor because of the choice of law provisions that one 
finds in the directive. I think that we are going to see the 
national supervisory authorities within Europe very reluctant 
to follow safe harbor, and at the same time, as a result, 
increase the risk for non-safe harbor companies that their data 
flows will be suspended.
    The third and last area I want to focus on are a couple of 
recommendations, two in particular. The first is that I think 
the best approach for the U.S. Congress is to establish clear 
legal privacy rights in the United States. The United States is 
very rapidly becoming a rogue country when we look at the 
information marketplace and a haven for unfair treatment of 
personal information. I think that is something we have to 
rectify as a matter of good, domestic public policy.
    At the international level, I think that it will be 
particularly important for us to push toward an international 
treaty to deal with privacy. Privacy implicates core democratic 
values and markets, market issues, and I think only a treaty 
will enable us to resolve many of the conflicts that will go--
that we will see in the future. That I believe to be the best 
way to solve some of the problems we have on the horizon with 
the European Union.
    With that, I would like to conclude, and thank you very 
much for this opportunity.
    [The prepared statement of Joel R. Reidenberg follows:]

PREPARED STATEMENT OF JOEL R. REIDENBERG, PROFESSOR OF LAW AND DIRECTOR 
       OF THE GRADUATE PROGRAM, FORDHAM UNIVERSITY SCHOOL OF LAW

    Mr. Chairman and Members of the Committee, I would like to thank 
you for the invitation to testify and to commend you for convening this 
hearing on the European Union's Data Privacy Directive. My name is Joel 
Reidenberg. I am a Professor of Law and the Director of the Graduate 
Program at Fordham University School of Law. As an academic, I have 
written and lectured extensively on data privacy issues and have co-
authored two books related to today's hearing.1 I am a 
former chair of the Association of American Law School's Section on 
Defamation and Privacy and have also served as an expert advisor on 
data privacy issues for the European Commission, the U.S. Federal Trade 
Commission and, during the 103rd and 104th U.S. Congresses, the Office 
of Technology Assessment. I appear today as a scholar on data privacy 
law and policy and do not represent the views of any organization with 
which I have had affiliations.
---------------------------------------------------------------------------
    \1\ Paul Schwartz and Joel R. Reidenberg, Data Privacy Law: A Study 
of US Data Protection Law and Practice (Michie: 1996); Joel R. 
Reidenberg and Paul M. Schwartz, Online Services and Data Protection 
and Privacy: Regulatory Responses (Eur-OP: 1998). These books were 
prepared with funding from the European Commission for DG XIII and 
DGXV, respectively.
---------------------------------------------------------------------------
    My testimony will focus on four points: (1) the philosophy and 
content of the EU Data Protection Directive, (2) the implications of 
the European Directive for US privacy policy, (3) the false hope of the 
US-EU safe harbor agreement, and (4) recommendations for Congressional 
action.2
---------------------------------------------------------------------------
    \2\ Parts of this testimony are based on excerpts from three 
articles that I have published: Resolving Conflicting International 
Data Privacy Rules in Cyberspace, 52 STANFORD L. REV. 1315 (2000); A 
Movement toward Obligatory Standards for Fair Information Practices in 
the United States, in VISIONS FOR PRIVACY IN THE 21st CENTURY, Colin 
Bennet & Rebecca Grant, eds., (Univ. of Toronto Press: 1999); Restoring 
Americans' Privacy in Electronic Commerce, 14 BERKELEY TECH. L. J. 771 
(1999)
---------------------------------------------------------------------------

                  1. THE EU DATA PROTECTION DIRECTIVE

a) Background and Underlying Philosophy of European Data Protection
    While there is a consensus among democratic states that information 
privacy is a critical element of civil society, the United States has, 
in recent years, left the protection of privacy to markets rather than 
law. In contrast, Europe treats privacy as a political imperative 
anchored in fundamental human rights. European democracies approach 
information privacy from the perspective of social protection. In 
European democracies, public liberty derives from the community of 
individuals and law is the fundamental basis to pursue norms of social 
and citizen protection. This vision of governance generally regards the 
state as the necessary player to frame the social community in which 
individuals develop and information practices must serve individual 
identity. Citizen autonomy, in this view, effectively depends on a 
backdrop of legal rights. Law, thus, enshrines prophylactic protection 
through comprehensive rights and responsibilities. Indeed, citizens 
trust government more than the private sector with personal 
information.
    In this context, European democracies approach data protection as 
an element of public law. Since the 1970s, European countries have 
enacted comprehensive data privacy statutes. Under the European 
approach, cross-sectoral legislation guarantees a broad set of rights 
to assure the fair treatment of personal information and the protection 
of citizens. In general, European data protection laws define each 
citizen's basic legal right to ``information self-determination.'' This 
European premise of self-determination puts the citizen in control of 
the collection and use of personal information. The approach imposes 
responsibilities on data processors in connection with the acquisition, 
storage, use and disclosure of personal information and, at the same 
time, accords citizens the right to consent to the processing of their 
personal information and the right to access stored personal data and 
have errors corrected. Rather than accord pre-eminence to business 
interests, the European approach seeks to strike a balance and provide 
for a high level of protection for citizens.

b) Adoption of the Directive
    As data protection laws proliferated across Europe during the 
1980s, there were significant divergences among those laws and 
harmonization became an important goal for Europe.3 In 1995, 
following the Maastricht Treaty of European Union, the European Union 
adopted Directive 95/46/EC of the European Parliament and of the 
Council of 24 Oct. 1995 on the protection of individuals with regard to 
the processing of personal data and on the free movement of such 
data4 [the ``European Directive''] to harmonize the existing 
national laws within the European Union. The European Directive sought 
to assure that all Member States provided satisfactory privacy 
protection and to assure the free flow of personal information across 
Europe through the respect of basic, standardized protections.
---------------------------------------------------------------------------
    \3\ For a discussion of divergences in Member State law related 
specifically to online services, see Reidenberg & Schwartz, supra note 
1.
    \4\ 1995 O.J. (L281) 31 (Nov. 23, 1995)
---------------------------------------------------------------------------
    Under European Union law, a ``directive'' creates an obligation on 
each Member State to enact national legislation implementing standards 
that conform to those defined in the directive. The European Directive 
requires that national law protect all information about an identified 
or identifiable individual whether or not the data is publicly 
available. The European Directive requires that an individual's consent 
be obtained prior to processing personal information for purposes other 
than those contemplated by the original data collection. The European 
Directive allows Member States to further restrict the processing of 
defined ``sensitive'' data such as health information.5 The 
European Directive restricts the collection and use of personal 
information not relevant for the stated purpose of processing. The 
processing of personal information must be transparent with notice 
provided to individuals for the treatment of their personal 
information. Organizations processing personal information must provide 
the data subjects with access to their personal information and must 
correct errors. The European Directive further requires that 
organizations maintain appropriate security for the processing of 
personal information.
---------------------------------------------------------------------------
    \5\ For insightful discussions of the flaws in consent as a model 
of privacy protection, see the series of articles written by Paul 
Schwartz: Beyond Lessig's Code for Internet Privacy: Cyberspace 
Filters, Privacy Control and Fair Information Practices, 2000 Wisc. L. 
Rev. 743; Internet Privacy and the State, 33 Conn. L. Rev. 815 (2000); 
Privacy and Democracy in Cyberspace, 52 Vanderbilt L. Rev. 1609 (1999)
---------------------------------------------------------------------------
    For global information networks and electronic commerce, the 
comprehensive approach inevitably invokes some tension. Without the 
statutory authority to restrict transborder data flows, the balance of 
citizens' rights in Europe could easily be compromised by the 
circumvention of Europe for processing activities. Consequently, the 
European Directive includes two provisions to assure that personal 
information of European origin will be treated with European standards. 
A choice of law clause in the European Directive assures that the 
standards of the local state applies to activities within its 
jurisdiction and a transborder data flow provision prohibits the 
transfer of personal information to countries that do not have 
``adequate'' privacy protection.6
---------------------------------------------------------------------------
    \6\ See European Directive 95/46/EC, at Art. 4 (choice of law) and 
Art. 25 (export prohibition).
---------------------------------------------------------------------------
    In terms of enforcement, each Member State must maintain an 
independent, national supervisory authority for oversight and 
enforcement of these privacy protections.7 Significantly, 
the European Directive also mandates that Member State law require any 
person processing personal information to notify the national 
supervisory authority and the supervisory authority must keep a public 
register of data processors.8
---------------------------------------------------------------------------
    \7\ European Directive 95/46/EC, art. 28.
    \8\ Id., art. 18-19.
---------------------------------------------------------------------------

c) Implementation Issues
    The European Directive provided a transition period through October 
1998 for Member States to transpose the standards into national law. 
However, as is not uncommon in the European system, nine Member States 
failed to comply strictly with the deadline. By January 2000, the 
European Commission began proceedings before the European Court of 
Justice against France, Germany, Ireland, Luxembourg, and the 
Netherlands for their delays in transposition. Although each of these 
countries had strong, existing data protection statutes, the European 
Commission argued that not all of the standards contained in the 
European Directive were satisfactorily addressed in the national laws. 
At present, proceedings before the European Court of Justice continue 
against France, Germany, and Luxembourg.
    Notwithstanding the transposition delays, the harmonization 
achieved by the European Directive is significant, but does not remove 
all divergences and ambiguities in the European national 
laws.9 By and large, the European Directive creates a 
strong baseline of protection across Europe. But, small divergences and 
ambiguity will inevitably exist where the principles must be 
interpreted by different supervisory agencies in each of the Member 
States. These remaining divergences in standards can pose significant 
obstacles for the complex information processing arrangements typical 
in electronic commerce. For example, the European Directive requires 
that privacy rights attach to information about any ``identifiable 
person''.10 Yet, the scope of this definition is not the 
same across the Member States; what some Member States consider 
``identifiable'' others do not.11 Similarly, the disclosures 
that must be made to individuals prior to data collection may still 
vary within Europe.12 These differences can distort the 
ability and desirability of performing processing operations in various 
Member States since potentially conflicting requirements might apply to 
cross-border processing of personal information.
---------------------------------------------------------------------------
    \9\ For an analysis of these divergences, see Reidenberg & 
Schwartz, supra note 1; Peter Swire & Robert Litan, None Of Your 
Business: World Data Flows, Electronic Commerce, And The European 
Privacy Directive 188-196 (1998)
    \10\ European Directive 95/46/EC, at art. 2(a).
    \11\ See Reidenberg & Schwartz, supra note 1, at 124-126.
    \12\ Reidenberg & Schwartz, supra note 1, at 133-34.
---------------------------------------------------------------------------
    The effect of this challenge to comprehensive standards is, 
however, mitigated by consensus building options and extra-legal policy 
instruments that are available in the European system. The European 
Directive creates a ``working party'' of the Member States' national 
supervisory authorities.13 The Working Party offers a formal 
channel for data protection officials to consult each other and to 
reach consensus on critical interpretive questions.
---------------------------------------------------------------------------
    \13\ European Directive 95/46/EC, art. 29.
---------------------------------------------------------------------------
    Compliance with the national laws has also been an issue in Europe. 
The notice and registration requirements, in particular, appear to have 
a spotty reception. One study conducted for the European Commission 
questioned whether data processors were adequately notifying their 
treatment of personal information to the national supervisory 
authorities 14 and a recent study by Consumers International 
found that European web sites were not routinely informing web users of 
their use of personal information.15 Nonetheless, the 
existence of the national laws and the penalties do allow for 
enforcement actions to be taken in these cases of non-compliance.
---------------------------------------------------------------------------
    \14\ Douwe Korff (ed.), Existing case-law on compliance with data 
protection laws and principles in the Member States of the European 
Union, Annex to the Annual Report 1998 of the Working Party Established 
by Article 29 of Directive 95/46/EC (Eur. Comm: 1998).
    \15\ Consumers International, Privacy@net: An International 
Comparative Study of Consumer Privacy on the Internet (Jan. 2001).
---------------------------------------------------------------------------

                 2. IMPLICATIONS FOR THE UNITED STATES

    The European Directive exerts significant pressure on U.S. 
information rights, practices and policies. The Directive facilitates a 
single information market place within Europe through a harmonized set 
of rules, but also forces scrutiny of US data privacy. In this context, 
the lack of legal protection for privacy in the United States threatens 
the flow of personal information from Europe to the United States. At 
the same time, the EU Directive is having an important influence on 
privacy protection around the world and leaves Americans with legal 
protections as second class citizens in the global marketplace.

a) The Harmonized European Market Place
    Despite implementation divergences, the overall harmonization 
effect of the European Directive creates a common set of rules for the 
information market place in Europe. Companies operating within the 
European Union have the benefit of common standards across the Member 
States rather than 15 diverse sets of conflicting national rules. This 
creates a large, level playing field for the treatment of personal 
information in Europe. With a high level of legal protection available 
on a cross-sectoral basis, Europeans do not face the same privacy 
obstacles for ecommerce that currently threaten the American 
experience. The culture of legal protection in Europe provides European 
companies with a competitive privacy advantage doing business in Europe 
over the many American companies that are unaccustomed to applying fair 
information practices to personal information.

b) Scrutiny of US Data Privacy and European Export Prohibitions
    The European Directive requires the national supervisory 
authorities in each of the Member States and the European Commission to 
make comparisons between European data protection principles and 
foreign standards of fair information practice.16 The 
European Directive further requires that foreign standards of fair 
information practice be ``adequate'' in order to permit transfers of 
personal information to the foreign destination.17
---------------------------------------------------------------------------
    \16\ European Directive 95/46/EC, art. 25
    \17\ Id.
---------------------------------------------------------------------------
    For the United States, this means that both national supervisory 
authorities and the European Commission must assess the level of 
protection offered in the United States to data of European origin. 
Because the United States lacks directly comparable, comprehensive data 
protection legislation, the assessment of ``adequacy'' is necessarily 
complex. The European Commission and national supervisory authorities 
recognize that the context of information processing must be considered 
to make any determination of ``adequacy.''
    Under the European Directive, the national data protection 
supervisory authorities and the European Commission must report to each 
other the non-European countries that do not provide adequate 
protection. This bifurcated assessment of foreign standards means that 
intra-European politics can play a significant role in the evaluation 
of US data practices. While a European level decision is supposed to 
apply in each Member State, the national supervisory authorities are 
independent agencies and will still have a degree of interpretive power 
over any individual case.
    The end result for the United States and for American companies is 
that US corporate information practices are under scrutiny in Europe 
and under threat of disruption when fair information processing 
standards are not applied to protect European data. Some commentators 
have predicted that any European export prohibition might spark a trade 
war that Europe could lose before the new World Trade 
Organization.18 While, in theory, such a situation is 
possible, an adverse WTO ruling is unlikely.19
---------------------------------------------------------------------------
    \18\ See Peter Swire & Robert Litan, None Of Your Business: World 
Data Flows, Electronic Commerce, And The European Privacy Directive 
188-196 (1998)
    \19\ See e.g. Gregory Shaffer, Globalization and Social Protection: 
The Impact of EU and International Rules in Ratcheting Up of U.S. 
Privacy Standards, 25 Yale J. Int'l L. 1, 50 (2000).
---------------------------------------------------------------------------

c) International Influence of the EU Directive
    Even with the difficulties of the European approach, countries 
elsewhere are looking at the European Directive as the basic model for 
information privacy, and significant legislative movements toward 
European-style data protection exist in Canada, South America, and 
Eastern Europe.20 This movement can be attributed partly to 
the pressure from Europe arising from scrutiny of the adequacy of 
foreign privacy rights, but is also due in part to the conceptual 
appeal of a comprehensive set of data protection standards. In effect, 
Europe through the European Directive has displaced the role that the 
United States held since the famous Warren and Brandeis article 
21 in setting the global privacy agenda.
---------------------------------------------------------------------------
    \20\ See, e.g., Council of Europe, Chart of Signatories and 
Ratifications (visited March 31, 
1999) (listing countries that have ratified the treaty on data 
privacy); Industry Canada, Task Force on Electronic Commerce: The 
International Evolution of Data Protection (Oct. 1, 1998) (visited on 
March 31, 1999)  
(justifying the Canadian proposal for a comprehensive privacy law by 
reference to the European initiative); Hong Kong, Personal Data 
(Privacy) Ordinance, Chap. 486 (Hong Kong statute following European comprehensive 
model); Hungarian Republic, The First Three Years of the Parliamentary 
Commissioner for Data Protection and Freedom of Information 68-72 
(1998)(discussing the influence of the European Directive for Hungarian 
data protection law); Pablo Palazzi, Data Protection Materials in Latin 
American Countries (Dec. 2000) (http://www.ulpiano.com/DataProtection-
LA-links.htm) (detailing the emergence of data protection legislation 
in Latin America.)
    \21\ See Samuel Warren & Louis Brandeis, The Right of Privacy, 4 
Harv. L. Rev. 193 (1890)
---------------------------------------------------------------------------

d) Second Class Privacy for US Citizens
    With the imposition by the European Directive both of harmonized 
European legal requirements for the fair treatment of personal 
information and of limitations on transborder data flows outside of 
Europe, U.S. companies recognize that they will have to respect 
European legal mandates. Unless American companies doing business in 
Europe choose to flout European law, US multinational businesses must 
provide stringent privacy protections to data of European origin when 
processing that data in Europe or in the United States.
    Concurrently, American law and practice allows those same companies 
to provide far less protection, if any, to data about American 
citizens. This is a particularly troubling aspect of US opposition to 
the European Directive's standards. American companies will either 
provide Europeans with better protection than they provide to Americans 
or they will treat Americans in accordance with the higher foreign 
standards and disadvantage those citizens doing business with local US 
companies.
    In effect, the proliferation of European style data protection 
measures around the world means increasingly that American citizens 
will be left with second class privacy in the United States and 
afforded greater privacy protection against American companies outside 
US borders.

         3. THE FALSE HOPES OF THE US-EU SAFE HARBOR AGREEMENT

    In response to the risk that Europe would block data flows to the 
United States, the Department of Commerce entered into negotiations 
with the European Commission to create a ``safe harbor'' agreement that 
would assure Europe of the adequacy of protection for data processed by 
US businesses. In the absence of statutory protection in the United 
States, the concept was that the European Commission would endorse a 
voluntary code of conduct that would meet the ``adequacy'' standard. 
American businesses could then publicly commit to adhere to this code 
for the treatment of European origin data and be assured of 
uninterrupted data flows from Europe.
    The lengthy and troubled negotiations on the code began in 1998 
between the Department of Commerce and the European Commission. Toward 
the end of the negotiations, several of the particularly difficult 
issues were the existence of a public commitment for companies adhering 
to the code, the access rights and enforcement in the United States. A 
final set of documents including an exchange of letters, the Safe 
Harbor Privacy Principles, Frequently Asked Questions setting out 
interpretative understandings of the principles, and various annexes 
and representations made to the European Commission by the Department 
of Commerce and the Federal Trade Commission (collectively the ``Safe 
Harbor'') was released in July 2000 22 and approved by the 
European Commission.23
---------------------------------------------------------------------------
    \22\ Dept. of Commerce, Int'l Trade Adm, Notice: Issuance of Safe 
Harbor Principles and Transmission to European Commission, 65 Fed. Reg. 
45665-45686 (July 24, 2000)
    \23\ Commission Decision of 26 July 2000, Eur. Comm. Doc. 00/520/
EC, O.J. L 215 (25/8/2000)
---------------------------------------------------------------------------
    While the approval was an important short-term political victory 
for both the US and the European Commission, the safe harbor agreement 
is unworkable for both sides and will not alleviate the issues of weak 
American privacy protection.

a) The Political Dimension
    For the European side, the United States posed a major problem. 
American law did not provide comparable protections to European 
standards and fair information practices in the United States were 
rather spotty. Yet, European regulators did not want to cause a 
disruption in international data flows. The prospect of change in US 
law seemed remote and the European Commission would have serious 
political difficulty insisting on an enforcement action against data 
processing in the United States prior to the full implementation of the 
European Directive within the European Union. Similarly, an aggressive 
enforcement strategy by a national supervisory authority while 
transposition remained incomplete could have hampered the national 
legislative debates on transposition. The Safe Harbor offered a 
mechanism to delay facing tough decisions about international privacy 
and, in the meantime, hopefully advance US privacy protections for 
European data.
    On the US side, the Department of Commerce faced strong pressure 
from the American business community to block the European Directive. 
The United States was not prepared to respond to the Directive with new 
privacy rights and the United States wanted to prevent interruptions in 
transborder data flows. The Safe Harbor became a mechanism to avoid a 
showdown judgment on the status of American law and defer action 
against any American companies.
    As such, the acceptance in July 2000 of the Safe Harbor by the 
European Union was a transitory political success.

b) The Dubious Legality of Safe Harbor
    In the United States, however, the Safe Harbor faces a serious 
jurisdictional obstacle to its enforcement--one of the key European 
criteria for acceptance. The Department of Commerce issued the Safe 
Harbor documents ``to foster, promote, and develop international 
commerce.'' 24 The agreement is predicated on the 
enforcement powers of the Federal Trade Commission under Section 5 of 
the Federal Trade Commission Act.25 Indeed, as part of the 
negotiations, the Federal Trade Commission represented to the European 
Commission that it ``will give priority to referrals of non-compliance 
with safe harbor principles from EU member states.'' 26 Yet, 
the underlying legal authority of the FTC to enforce the Safe Harbor is 
questionable.
---------------------------------------------------------------------------
    \24\ Letter, dated July 21, 2000, from Robert S. LaRussa, Acting 
Under Secretary for International Trade Administration, U.S. Department 
of Commerce to John Mogg, Director, DGXV, European Commission 
    \25\ 15 U.S.C. Sec. 45(a)
    \26\ Letter, dated July 14, 2000, from Robert Pitofsky, Chairman, 
Federal Trade Commission to John Mogg, Director, DGXV, European 
Commission.
---------------------------------------------------------------------------
    As originally enacted by the Federal Trade Commission Act in 1914, 
Section 5 applied only to unfair methods of competition.27 
Jurisdiction over any ``unfair or deceptive act or practice'' was 
extended to the FTC by the Wheeler-Lea Act of 1938.28 The 
stated Congressional purpose was to enable the FTC to ``restrain unfair 
and deceptive acts and practices which deceive and defraud the public 
generally.'' 29 Indeed, contrary to the purpose of the Safe 
Harbor that protects US business interests in international trade, the 
Wheeler-Lea Act amendments sought to protect the general public from 
unscrupulous business practices. In fact, at the time of the enactment, 
the FTC's jurisdiction expressly excluded foreign commerce not to 
mention the protection of foreign consumers as envisioned by Safe 
Harbor.
---------------------------------------------------------------------------
    \27\ 15 U.S.C. 45
    \28\ Ch. 49, 52 Stat. 111 (Mar. 21, 1938)
    \29\ S. 1077: Report of the Senate Committee on Interstate 
Commerce, S. Rep. No. 221, 75th Cong., 1st Sess. (March 19, 1937).
---------------------------------------------------------------------------
    While the McGuire Resale Price Maintenance Act of 1952 
30 expanded FTC jurisdiction into foreign commerce with 
respect to monopolistic pricing, the U.S. Supreme Court had 
specifically held that only Congressional amendments could expand the 
scope of the FTC's authority under Section 5.31 In Bunte 
Bros. v. FTC, the Commission unsuccessfully sought an expansion of its 
interstate commerce authority in the context of anti-trust 
enforcement.32 Congress eventually responded with the 
Magnuson-Moss Warranty--Federal Trade Commission Improvement Act of 
1975 33 that was, according to the Senate Conference Report, 
designed ``to improve [the FTC's] consumer protection activities.'' 
34 The 1975 amendments extended the jurisdiction to acts and 
practices ``in or affecting commerce,'' but at no time contemplated 
protecting American business interests or foreign consumers.
---------------------------------------------------------------------------
    \30\ Ch. 745, 66 Stat. 632 (July 14, 1952)
    \31\ Bunte Bros. v. F.T.C., 312 U.S. 349 (1941).
    \32\ Id.
    \33\ Pub. L. 93-637, 88 Stat. 2193, Sec. 201, 15 U.S.C. Sec. 45 
(1970 ed., Supp. IV)
    \34\ Magnuson-Moss-Warranty-Federal Trade Commission Improvement 
Act, Pub. L. No. 93-637, Senate Conf. Report No. 93-1408 (Dec. 18, 
1974)
---------------------------------------------------------------------------
    Hence, the assertion by the Department of Commerce and the FTC that 
the Safe Harbor comes within the Section 5 jurisdiction is a radical 
departure from the stated legislative purposes of the statute and in 
direct opposition to the Supreme Court's restrictive interpretation of 
Section 5 authority.
    Within Europe, the legality of Safe Harbor is also open to 
question. Under the European Directive, ``adequacy'' must be assessed in 
light of the prevailing ``rules of law, both general and sectoral, in 
force in the third country in question and the professional rules and 
security measures which are complied with in that country.'' 
35 However, the Safe Harbor was not yet in existence at the 
time of the approval by the European Commission. The European 
Parliament specifically noted this problem shortly before the approval 
by the European Commission.36 Similarly, according to the 
European Directive, the European Commission only has authority to enter 
into negotiations to remedy the absence of ``adequate'' protection 
after a formal finding that the non-European country fails to provide 
``adequate'' protection.37 Yet, in the context of the Safe 
Harbor negotiations, the European Commission never made a formal 
finding.38 These would appear to be significant 
administrative law defects. Although the European Commission maintains 
that the European Parliament did not say that the Commission acted 
outside its powers and the Member States voted unanimously in the 
political committee to accept the Safe Harbor, 39 this 
administrative process problem remains an open question that only the 
European Court of Justice can resolve and gives the independent 
national supervisory authorities grounds to vitiate Safe Harbor through 
strict interpretations of the European Commission's ruling.
---------------------------------------------------------------------------
    \35\ European Directive 95/46/EC, art. 25(2)
    \36\ European Parliament Resolution A5-0177/2000 on the Draft 
Commission Decision on the adequacy of the protection provided by the 
Safe Harbour Privacy Principles and related Frequently Asked Questions 
issued by the US Department of Commerce (C5-0280/2000-2000/2144(COS)) 
(July 5, 2000)
    \37\ European Directive 95/46/EC, art. 25(5).
    \38\ The procedure for a formal finding is established in European 
Directive 95/46/EC, art. 25(4).
    \39\ See Eur. Comm. Press Release: Frits Bolkestein tells 
Parliament Committee he intends to formally approve ``safe harbor'' 
arrangement with US on data protection, July 13, 2000 
---------------------------------------------------------------------------
    In addition, the European Parliament pointed out:
        ``the risk that the exchange of letters between the Commission 
        and the US Department of Commerce on the implementation of the 
        'safe harbour' principles could be interpreted by the European 
        and/or United States judicial authorities as having the 
        substance of an international agreement adopted in breach of 
        Article 300 of the Treaty establishing the European Community 
        and the requirement to seek Parliament's assent (Judgment of 
        the Court of Justice of 9 August 1994: French Republic v. the 
        Commission--Agreement between the Commission and the United 
        States regarding the application of their competition laws 
        (Case C-327/91))'' 40
---------------------------------------------------------------------------
    \40\ European Parliament Resolution A5-0177/2000 on the Draft 
Commission Decision on the adequacy of the protection provided by the 
Safe Harbour Privacy Principles and related Frequently Asked Questions 
issued by the US Department of Commerce (C5-0280/2000-2000/2144(COS)) 
(July 5, 2000), Sec. E(2).
---------------------------------------------------------------------------

c) The Limited Applicability
    Notwithstanding the validity in either legal system, the scope of 
the Safe Harbor is very narrow. First, Safe Harbor by its terms can 
only apply to activities and U.S. organizations that fall within the 
regulatory jurisdiction of the FTC and the Department of 
Transportation. As a result, many companies and sectors will be 
ineligible for Safe Harbor including particularly the banking, 
telecommunications and employment sectors that are expressly excluded 
from the FTC's jurisdiction.41 Second, the Safe Harbor will 
not apply to most organizations collecting data directly in Europe. 
Article 4 of the European Directive provides that if a data controller 
is located outside of the European Union, but uses equipment within the 
European Union, the law of the place where the equipment is located 
will be applicable. This provision establishes a choice of law rule 
that greatly reduces the availability of the Safe Harbor to 
international business. This provision of the Directive is especially 
significant in the context of web based businesses where interactive 
computing means that a European user will always make use of computing 
resources at the user's location. The courts of Member States, such as 
France, have shown in other areas a clear willingness to apply the 
substantive law of the place where an Internet user is 
located.42 Hence, in many cases, particularly in the context 
of ecommerce, the substantive law of a Member State will apply rather 
than the Safe Harbor.
---------------------------------------------------------------------------
    \41\ 15 U.S.C. Sec. 45(a)(2)
    \42\ See e.g. UEJF c. Yahoo!, TGI de Paris, Ord. en refere du 22 
nov. 2000.
---------------------------------------------------------------------------

d) Increased Risk to Non-Safe Harbor Transfers
    By implication, the Safe Harbor raises the risks for data transfers 
by companies that do not subscribe to the code. The approval by the 
European Commission of Safe Harbor as an ``adequate'' basis to transfer 
personal information to the United States implicitly acknowledges that 
transfers outside the scope of the Safe Harbor will not be adequately 
protected. Consequently, non-Safe Harbor transfers must be covered by 
one of the other exceptions to the transborder data flow rules, such as 
a transfer pursuant to a contractual arrangement.43
---------------------------------------------------------------------------
    \43\ European Directive 95/46/EC, art. 26.
---------------------------------------------------------------------------
    Ironically, Safe Harbor simplifies the task for national 
supervisory authorities to block data flows to the United States. The 
national agencies will readily be able to identify those US companies 
that do not subscribe to Safe Harbor and have not presented a data 
protection contract for approval under the European Directive's Article 
26 exceptions. In such cases, the presumption must be that the 
protection is ``inadequate'' and the data flow must, under European 
law, be prohibited.
    For the United States, the Safe Harbor approach might, thus, 
compromise many US businesses in a way that a legislative solution 
would not.

e) Weakening of European Standards and Illusory Enforcement Mechanisms
    For the national supervisory authorities in Europe, the Safe Harbor 
poses a weakening of European standards.44 In particular, 
the permissible derogations from Safe Harbor without a loss of coverage 
are significant. The Safe Harbor exempts public record information 
despite its ordinary protection under European law. Similarly, the Safe 
Harbor exempts any processing pursuant to any ``conflicting 
obligation'' or ``explicit authorization'' in US law whether or not 
such processing would be permissible under European standards. The 
access standard set out in the Safe Harbor and FAQs also includes 
derogations that do not exist in European law.
---------------------------------------------------------------------------
    \44\ See Working Party: Opinion 4/2000 on the level of protection 
provided by the ``Safe Harbor Principles'', Opinion 4/2000, Eur. Comm. 
Doc. DG MARKT CA07/434/00 WP 32 (16 May 2000)
---------------------------------------------------------------------------
    Most importantly, however, the Safe Harbor weakens European 
standards for redress of data privacy violations. Under the European 
Directive, victims must be able to seek legal recourse and have a 
damage remedy.45 The Department of Commerce assured the 
European Commission that Safe Harbor and the US legal system provided 
remedies for individual European victims of Safe Harbor violations. The 
European Commission expressly relied on representations made by the 
Department of Commerce concerning available damages in American 
law.46 The memorandum presented by the Department of 
Commerce to the European Commission, however, made misleading 
statements of US law.47 For example, the memorandum provides 
a lengthy discussion of the privacy torts and indicates that the torts 
would be available. The memorandum failed to note that the 
applicability of these tort actions to data processing and information 
privacy has never been established by US courts and is, at present, 
purely theoretical. Indeed, the memorandum cites the tort for 
misappropriation of a name or likeness as a viable damage remedy, yet 
all three of the state courts that have addressed this tort in the 
context of data privacy have rejected it.48 The Safe Harbor 
is also predicated on dispute resolution through seal organizations 
such as TRUSTe. Yet, only one seal organization, the Entertainment 
Software Rating Board, proposes any direct remedy to the victim of a 
breach of a privacy policy and other organizations' membership lists 
look like a ``Who's Who'' of privacy scandal plagued companies.
---------------------------------------------------------------------------
    \45\ European Directive 95/46/EC, art. 22-23
    \46\ Commission Decision of 26 July 2000, Eur. Comm. Doc. 00/520/
EC, O.J. L 215 (25/8/2000), Art. 1(b)
    \47\ U.S. Dept. of Commerce, Damages for Breaches of Privacy, Legal 
Authorizations and Mergers and Takeovers in U.S. Law (July 14, 2000)
    \48\ See Shibley v. Time 45 Ohio App. 2d 69 (1975); Dwyer v. 
American Express 273 Ill. App. 3d 742 (1995); Avrahami v. U.S. News & 
World Report, 1996 Va. Cir. LEXIS 518 (1996).
---------------------------------------------------------------------------
    Lastly, the enforcement provisions of the Safe Harbor rely on the 
FTC. Even if the FTC has jurisdiction to enforce the Safe Harbor, the 
assertion that the FTC will give priority to European enforcement 
actions is hard to believe. First, although the FTC has become active 
in privacy issues recently, the agency's record enforcing the Fair 
Credit Reporting Act, one of the country's most important fair 
information practices statutes, is less than aggressive. Second, were 
the FTC to devote its limited resources to the protection of Europeans' 
privacy, Americans should and will be offended that a US government 
agency charged with protecting American consumers has chosen to commit 
its energies and US taxpayer money to the protection of European 
privacy in the United States against US businesses at a higher level 
than the FTC asserts for the protection of Americans' privacy.
    Sadly, though, for many American companies, even these weakened 
European standards impose substantially greater obligations than US 
law. In particular, the notice, choice, access and correction 
requirements are only sporadically found in US law. As a result, 
pitifully few American companies have subscribed to Safe Harbor; 
indeed, as of March 7, 2000 fewer than 30 companies have signed 
up.49
---------------------------------------------------------------------------
    \49\ U.S. Dept. of Commerce, Safe Harbor List, http://
web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list 
(reflecting only 27 certifications)
---------------------------------------------------------------------------
    The upshot of these sui generis standards, unenthusiastic reception 
and enforcement weaknesses is a likelihood that the national 
supervisory agencies will be dissatisfied with the Safe Harbor and that 
the Member States will face great political pressure to suspend the 
Safe Harbor once transposition is completed.

                           4. RECOMMENDATIONS

    The United States is rapidly on the path to becoming the world's 
leading privacy rogue nation. Just a cursory examination of the data 
scandals over the last year and consumer privacy concerns for ecommerce 
suggest that our national policy of self-regulation will not work to 
assure public confidence and trust in the treatment of personal 
information, cannot work to guarantee citizens their political right to 
freedom of association and privacy, and will leave American businesses 
at a competitive disadvantage in the global information market place. 
At a time when Internet growth rates are greater outside the United 
States and non-US web content is becoming an absolute majority of 
available Internet content, United States interests are ill-served by 
avoiding the creation of clear legal privacy rights.
    Congress needs to act to establish a basic set of legal protections 
for privacy in the United States. Any such regulation must recognize 
that technologies will be essential to assure privacy protections in 
the global environment across divergent sets of rules. In fact, 
technical decisions are not policy neutral. Technical decisions make 
privacy rules and, more often than not, these rules in the United 
States are privacy invasive. For technology to provide effective 
privacy protection, three conditions must be met: (a) technology 
respecting fair information practices must exist; (b) these 
technologies must be deployed; and (c) the implementation of these 
technologies must have a privacy protecting default configuration. 
Legal rights in the United States should provide an incentive structure 
that encourages these developments.
    In conjunction with the establishment of a legal baseline in the 
United States, Congress should promote the negotiation of a ``General 
Agreement on Information Privacy'' within the World Trade Organization 
framework.50 Whether desired or not by various interest 
groups and countries, the WTO will be unable to avoid confronting 
international privacy issues as a result of the biennial ministerial 
conferences and the inevitable trade-in-services agenda. Many of the 
core differences among nations on the implementation of privacy 
principles touch upon fundamental governance and sovereignty questions. 
These types of problems will only be resolved at an international 
treaty level like the WTO.
---------------------------------------------------------------------------
    \50\ See Joel R. Reidenberg, Resolving Conflicting International 
Privacy Rules in Cyberspace, 52 Stanford L. Rev. 1315, 1359-1362 (2000)
---------------------------------------------------------------------------

    Mr. Stearns. Thank you.
    Ms. Lawler, your opening statement, please? Thank you.

                   STATEMENT OF BARBARA LAWLER

    Ms. Lawler. Yes. Thank you, and thank you for having me 
here today. Mr. Chairman, members of the subcommittee, thank 
you for the invitation to appear today to discuss the EU Data 
Protection Directive.
    My name is Barbara Lawler, and as Customer Privacy Manager 
for Hewlett Packard I have global responsibility for HP privacy 
policy management, implementation, compliance, education, and 
communication, in both the online and offline worlds.
    As you, Mr. Chairman, stated in calling for this hearing, 
the European privacy directive has implications for how we in 
the United States conduct and address our domestic privacy 
issues. I am pleased, therefore, to have this opportunity to 
talk about HP's participation in the safe harbor agreement, 
which provides legal protection and a framework for allowing 
the safe transfer of personal information from the EU countries 
to the U.S.
    I am pleased to say that HP is the first major technology 
company to join the safe harbor. But, first, let me start by 
giving you an overall picture of how we manage privacy at 
Hewlett Packard.
    HP applies a universal, global privacy policy built on the 
fair information practices: notice, choice, accuracy and 
access, security and oversight. Whether in English, French, or 
Spanish, the core commitments are the same with very minimal 
localization required to reflect local country laws.
    Key elements of our policy include no selling of customer 
data, no sharing of data outside HP without permission, 
customer access to core contact data, and a customer feedback 
mechanism. The policy can be viewed in online form in the lower 
left-hand corner of every HP.com web page.
    The guiding principles that we operate under for managing 
privacy are: customers control their personal information. We 
give choices that enhance trust, and, therefore, enhance our 
business. We put the customer in the lead to determine their 
relationship with HP and to have the highest integrity and 
practices, responses, and partners.
    A sample of some of our current global efforts in privacy 
management includes moving to opt-in for marketing content, 
especially e-mail, company-wide training on new privacy 
standards, new application development and business rules for 
company-wide multiple customer data base consolidation, and 
platform for privacy preferences implementation for our most 
active websites.
    I want to underscore some important distinctions around the 
opt-in discussion and hopefully add some clarity. As I 
mentioned, it is HP policy never to sell or lease our customer 
data. We have many business relationships with other companies, 
companies that act as suppliers and service providers. Those 
companies are required under contract and through non-
disclosure agreements to abide by our privacy policy.
    A different class of business relationships are our 
strategic partners and co-marketing partnerships. As stated 
earlier, it has always been HP policy that there is no sharing 
of customer data outside HP without permission from the 
customer. This is an opt-in policy for data-sharing with third 
parties.
    Applying the opt-in standard for marketing contact with HP 
is another order of magnitude more difficult, and let me tell 
you why. We are committed, because this is absolutely the right 
thing to do for our customers. What it requires us to do is to 
evaluate all customer data bases, our customer privacy data 
choice elements, the data itself, reengineer those data 
structures, the systems, and all of the associated business 
processes, change the format of the privacy question we ask our 
customers, and then develop implementation guides and tools and 
communicate that new standard HP-wide.
    Some of the challenges we are facing are managing 
conflicting customer choices and a large volume of unknown 
privacy data choice.
    We do conduct a substantial amount of cross-border 
commercial and consumer business activity between the U.S. and 
EU, which requires direct communications between EU country-
based HP offices, independent suppliers and customers, and 
involves the movement of personal information on a regular 
basis.
    In order to have HP's European offices come into compliance 
with the EU privacy directive, a multi-country assessment of 
data collection use, storage, and movement was conducted out of 
which we identified compliance matches and gaps. Some of our 
current HP specific efforts in Europe include consolidating our 
customer e-mail response process and customizing privacy 
implementation guides for marketing by country.
    On January 29 of this year, HP became the first high-tech 
company to certify under the safe harbor. This demonstrates our 
continued leadership to strong privacy practices in the U.S., 
and we believe it is important because it offers consistency 
and continuity for business operations connected between HP 
sites located in the U.S. and the EU--critical for a global 
enterprise.
    We believe that consumer confidence will be enhanced by 
ensuring privacy rights on and offline in a global commerce 
environment through the safe harbor. E-commerce will grow 
faster if consumer confidence is reinforced by company efforts 
to ensure consumers have an effective recourse for privacy 
complaints through agreements like safe harbor.
    Our privacy policy has always been consistent with the safe 
harbor principles, and we found it consistent with our long-
term membership with the BBB Online Privacy Seal Program. We 
view safe harbor compliance as really the ultimate self-
regulatory approach and the next logical commitment in our step 
to privacy.
    And, finally, let me put this into perspective with the 
larger transborder privacy issue and consumer confidence in the 
global marketplace, because we know consumers not only are 
concerned about their privacy but they are also concerned about 
whether their credit cards are safe online, and if they order a 
blue vase from a website in Paris that they will get what they 
ordered.
    HP is working with 70 businesses from around the world 
through the global business dialog for electronic commerce to 
develop worldwide consensus on standards for consumer redress 
systems and ADR. Current concerns about consumer confidence 
must not be allowed to turn into barriers for empowering 
consumers----
    Mr. Stearns. Ms. Lawler, we need you just to sum up, if you 
would.
    Ms. Lawler. I am. HP believes that the safe harbor 
agreement is a significant step in the right direction, and we 
welcome the opportunity to work with this subcommittee in the 
development of national policies governing the collection and 
use of personal information.
    [The prepared statement of Barbara Lawler follows:]

   PREPARED STATEMENT OF BARBARA LAWLER, MANAGER, CUSTOMER PRIVACY, 
                        HEWLETT-PACKARD COMPANY

    Mr. Chairman, Members of the Subcommittee, thank you for the 
invitation to appear today to discuss the EU Data Protection Directive.
    My name is Barbara Lawler, and as HP Customer Privacy Manager, I 
have global responsibility for Hewlett Packard privacy policy 
management, implementation, compliance, education and communication, in 
both the online and offline worlds.
    By way of background, HP is a leading provider of computing and 
imaging solutions and services. As a company we are focused on making 
technology and its benefits accessible to individuals and businesses 
through networked appliances, beneficial e-services and an ``always 
on'' Internet infrastructure. HP has 88,500 employees worldwide and a 
total revenue of $48.8 billion in its 2000 fiscal year.
    As you, Mr. Chairman, stated in calling this hearing, the European 
Privacy Directive has implications for how we in the United States will 
address our domestic privacy issues. I am pleased therefore, to have 
this opportunity to discuss Hewlett-Packard's participation in the 
``safe harbor'' agreement. The safe harbor provides legal protection 
and a framework allowing for the safe transfer of personal information 
from European Union countries to the United States. I am pleased to say 
that HP is the first major technology company to join the safe harbor.
    As a high-tech company that sells to the consumer market, we take 
the privacy issue very seriously. HP believes that self-regulation and 
credible third-party enforcement--such as the Better Business Bureau 
privacy seal program--is the single most important step that businesses 
can take to ensure that consumers' privacy will be respected and 
protected online. We also believe that there should be a ``floor'' of 
uniform consumer protections which all companies must adhere to, based 
upon clear and conspicuous disclosure of privacy policies. HP testified 
last Congress in favor of the McCain/Kerry privacy bill (S. 2928) which 
we think meets the test of reasonable, practicable privacy protections. 
And, as I will discuss further, with our own websites, we are moving as 
quickly as we can, wherever possible, to an ``opt-in'' environment.

Managing Privacy at Hewlett Packard
    Let me start by giving you an overall picture of how we manage 
privacy at Hewlett Packard. HP applies a universal, global privacy 
policy built on the fair information practices: notice, choice, 
accuracy & access, security and oversight. Whether in English, French 
or Spanish, the core commitments are the same, with minimal 
localization required to reflect local country laws. Key elements of 
the policy include no selling of customer data, no sharing of customer 
data outside HP without permission, customer access to core contact 
data and a customer feedback mechanism.
    The policy can be viewed in online form at the lower left-hand 
corner of every hp.com web page: http://www.welcome.hp.com/country/us/eng/privacy.htm
    The guiding principles for managing privacy in HP are:

 customers control their own personal data
 give choices that enhance trust and therefore enhance the 
        business
 put the customer in the lead to determine their relationship 
        with HP
 have the highest integrity in practices, responses and 
        partners
    HP people apply the privacy policy to marketing, support, e-
services and product generation using a set of HP-developed tools 
called the ``Privacy Rulebook'' and the ``Web Site Data and Privacy 
Practices Self-Assessment Tool''.
    A sample of current HP global privacy initiatives includes:

 moving to opt-in for marketing contact, especially e-mail
 company-wide training on new privacy standards
 new application development and business rules for company-
        wide multiple customer database consolidation
 Platform for Privacy Preferences (P3P) implementation for our 
        most active web sites
    I want to underscore some important distinctions around the ``opt-
in'' discussion and add some clarity. It's HP policy to never sell or 
lease our customer data. HP has many business relationships with other 
companies. Companies that act as service providers or suppliers are 
required under contract and through a Confidential Non-Disclosure 
Agreement to abide by HP's privacy policy.
    A different class of business relationships is HP's strategic 
partnerships and co-marketing partners. As stated earlier, it's always 
been HP policy that there is no sharing of customer data outside HP 
without permission from the customer. This is an opt-in policy for data 
sharing with third parties.
    Applying the opt-in standard for marketing contact within HP is an 
order of magnitude more difficult, but we're committed because it's the 
right thing to do for our customers. Implementing opt-in for marketing 
contact requires us to evaluate all customer databases and customer 
privacy choice data elements, re-engineer the data structures, systems 
and associated processes, change the privacy question format itself, 
develop implementation guides and tools, and communicate the new 
standard hp-wide. Some of the challenges we face are in the areas of 
managing a program-specific customer privacy choice with a ``top-down'' 
HP request and resolving a large volume of ``unknown'' privacy choice 
data.

Managing the EU directive in an intra-European environment
    In addition to the core universal HP privacy practices already 
described, HP has developed specific standards, practices and tools to 
operate within the framework of the European Data Protection Directive 
in our European country organizations. These were developed out of a 
cross-functional HP task force with representatives from Customer 
Information, Human Resources, Privacy Management, Legal, Risk 
Management, Information Technology and Workers Council delegates.
    HP conducts a substantial amount of cross-border commercial and 
consumer business activity between the US and EU countries. This 
requires direct communications with EU country-based HP offices, 
independent suppliers and customers, and involves the receipt and 
sharing of personal information from them on a regular basis. In order 
to have HP's European offices come into compliance with the EU 
privacy directive, a multi-country assessment of data collection, use, 
storage, and movement was conducted, out of which were identified 
compliance matches and gaps. Industry benchmarking was conducted 
concurrently. From there specific action plans were developed and the 
following deliverables completed:

 IT/Application Data Privacy Sensitivity and Development 
        Checklist
 Confidential Non-disclosure agreement for contracts with 
        suppliers
 Personal Data(base) Access Standards for employees
 Data Protection Clause--Individual Undertaking Agreement for 
        employees
 Data Protection Officer for HP Germany
 Data Protection Officer--HP European Region (in process)
 Customer Privacy Manager--HP European Region (in process)
 Establishment of European Region Privacy Council (pending)
    Current HP European-specific efforts include consolidating the 
customer email response process for privacy questions and customized 
privacy implementation guides for marketing programs by country.

Managing the EU directive requirements in the US (Safe Harbor)
    On January 29th, 2001, HP became the first high-tech company to 
certify with the U.S. Department of Commerce for Safe Harbor. This 
demonstrates our continued leadership to strong privacy practices in 
the U.S. The Safe Harbor framework offers consistency and continuity 
for business operations conducted between HP sites located in the 
United States and the European Union, critical for a global enterprise. 
HP has certified data collected by online, offline and manually 
processed methods. HP conducts a substantial amount of cross-border 
commercial and consumer business activity with direct involvement of EU 
country-based HP offices and independent suppliers.
    We believe that consumer confidence will be enhanced by ensuring 
customer privacy rights on- and off-line in a global commerce 
environment. E-commerce will grow faster if consumer confidence is 
reinforced by company efforts to ensure consumers have an effective 
recourse for privacy complaints through agreements like the Safe 
Harbor.
    The practices described in the HP privacy policy have long been 
consistent with the Safe Harbor principles. As a member of the Safe 
Harbor compliant BBBOnLine Privacy Seal program for the last 16 months, 
we were pleased to see close alignment between our existing privacy 
policy and the Safe Harbor Principles. The verification requirements 
mapped well to existing internal HP privacy standards and practices.
    HP views Safe Harbor compliance as a self-regulatory bridge to 
different approaches to data privacy between the United States and 
European Union; it's the ultimate ``self-regulatory'' approach. Joining 
the Safe Harbor is the next logical step in our commitment to privacy 
protection.
    Finally, I would like to put the trans-border privacy issue into 
the larger perspective of consumer confidence in the global electronic 
marketplace. While consumers are concerned about their privacy online, 
they are also concerned about whether their credit cards are safe 
online, and whether if they order a blue vase from a website in Paris 
or Tokyo, they will get what they order in the quality and condition 
they expected. In order for online businesses to truly earn the trust 
of consumers, we need to expand ongoing efforts to ensure that the 
global electronic marketplace is a clean, well-lighted venue for both 
consumers and businesses. For example, consumers need to have 
confidence that when they do business across national borders, that 
there will be a redress system in place should anything go wrong with 
the transaction.
    HP is working with 70+ businesses from around the world through the 
Global Business Dialogue for electronic commerce to develop worldwide 
consensus standards on consumer redress systems, or ADR. In this 
effort, we are working with consumer groups and the FTC and the 
European Commission to ensure that consumers and businesses will 
quickly, fairly and efficiently resolve complaints related to online 
transactions.
    Current concerns about consumer confidence must not be allowed to 
turn into barriers to empowering consumers through global e-commerce. 
Hewlett-Packard believes that the safe harbor agreement is a 
significant step in the right direction, and we welcome the opportunity 
to work with this subcommittee in the development of national policies 
governing the collection and use of personal information.

    Mr. Stearns. Thank you.
    Mr. Henry, your opening statement?

                   STATEMENT OF DENIS E. HENRY

    Mr. Henry. Thank you, Mr. Chairman, for this invitation.
    As you mentioned, I am with Bell Canada, so let me begin by 
telling you who we are. Bell Canada and its affiliates have a 
wide variety of consumer-facing business activities, and as a 
result we have been keenly interested in the privacy issue for 
many years.
    We are the largest telecommunications carrier and internet 
service provider in Canada, and in keeping with the convergence 
trend we also have a number of investments on the content side 
of the business, including an internet portal, broadcast 
television, direct-to-home satellite----
    Mr. Stearns. Mr. Henry, we would ask you just to move your 
microphone just a shade up there.
    Mr. Henry. Certainly.
    Mr. Stearns. That is good.
    Mr. Henry. Direct-to-home satellite, and, most recently, a 
national newspaper we have added to the portfolio.
    Now, let me turn now to Canada's approach to privacy and 
our response to it. With the advent of new technologies, a 
number of options to address the concern about protecting 
personal information have been debated in various circles 
around the world. And I would characterize the Canadian 
approach as lying somewhere in the middle of the spectrum of 
options.
    It is not a detailed and prescriptive regulatory regime. On 
the other hand, it is not an approach that relies primarily on 
market forces.
    Back in 1996, in response to rising concerns about privacy, 
the Canadian Standards Association released its model code for 
the protection of personal information, which we call the CSA 
Code, as a voluntary national standard. The CSA Code was based 
on the OECD privacy guidelines and was the product of a 
consensus-building process involving government, consumers, and 
key industry sectors.
    However, following development of the CSA Code, consumer 
concerns about privacy persisted. Faced with this environment, 
the government of Canada undertook broad public consultations 
to explore the possibility of a legislative approach. These 
discussions revealed broad support for a self-regulatory 
approach but assisted by framework legislation that would 
encourage industry groups to develop sectoral codes based on 
the CSA Code.
    And this ultimately led the Canadian government to enact 
Federal privacy legislation last year, which is to come into 
effect or came into effect January 1st of this year. Its 
objective has been to establish harmonized national rules 
across the country based on a light-handed and flexible 
legislative framework.
    The Act is also intended to meet the adequate data 
protection requirements of the EU Data Protection Directive.
    This new piece of Federal privacy legislation requires all 
organizations that collect, use, or disclose personal 
information to comply with the CSA Code which is appended to 
the Act, and the Act reflects a flexible approach that does not 
prescribe particular treatment of personal information, but, 
rather, organizations can develop codes and practices tailored 
to their particular business circumstances.
    The legislation also requires commercial organizations to 
identify the purposes for which personal information will be 
collected, used, and disclosed, and to obtain consent of 
individuals. Consent can be either express or implied, 
depending on the circumstances and depending on the sensitivity 
of the information, and, again, reflecting a flexible approach.
    The Act also establishes a Federal privacy commissioner as 
its prime overseer. This commissioner has broad powers to 
receive and investigate complaints and to conduct audits of 
company practices. Unresolved disputes can be taken before the 
Federal court of Canada for a hearing and enforcement, 
including the possibility of damages.
    Recently, the Bell companies released the Bell Code of Fair 
Information Practices, in compliance with the CSA Code and the 
new legislation. And in order to implement this code, the 
companies have embarked on a plan that incorporates a number of 
elements.
    First of all, procedures were put in place to ensure that 
customers and employees are able to review and correct company 
records that contain their personal information. Customers are 
also able to challenge the company's compliance with the code 
through the Bell privacy ombudsman.
    Second, companies have implemented a communications plan to 
inform customers of the privacy policies using, for example, a 
number of means, telephone directories, web pages, bill 
inserts, point of sale brochures, and so on. The companies are 
also undertaking an extensive training program to ensure that 
employees understand and uphold our privacy commitments.
    The companies have also undertaken a comprehensive review 
of their information systems to ensure that the provisions of 
the code will be respected. And, finally, regular internal 
audits will be employed to ensure ongoing compliance.
    The Bell companies and many other industry sectors in 
Canada have supported the Canadian government's steps in 
pursuing a new model for the protection of personal 
information, a model that builds on the voluntary efforts of 
consumer groups, industry, and governments.
    We recognize that protecting customers' privacy makes good 
business sense. But at the same time, this objective must be 
balanced against the legitimate need to use customer 
information for business purposes and to avoid overly costly 
and burdensome regulation.
    By enacting a flexible legislative framework, the Canadian 
privacy approach has attempted to strike an appropriate 
balance.
    I hope these comments, Mr. Chairman, have shed some light 
on our unique approach to privacy, and I would be happy to 
answer any questions.
    [The prepared statement of Denis E. Henry follows:]

 PREPARED STATEMENT OF DENIS E. HENRY, VICE PRESIDENT, REGULATORY LAW, 
                              BELL CANADA.

                             INTRODUCTION:

    Thank you, Mr. Chairman, for the invitation to appear before you 
and the members of the Sub-committee today on this very important 
subject.
    My name is Denis Henry and I am the Vice President of Regulatory 
Law with Bell Canada, the largest telecommunications carrier in Canada.
    As a group, the Bell Companies in Canada provide a full range of 
communications services to more than eight million residence and 
business customers. We are among the world's leading communications 
organizations, with core investments in telephone networks, both wired 
and wireless; Internet Protocol (IP)-based networks and solutions; 
electronic commerce; systems integration; directories and satellite 
networks. We are a major player in the local exchange, long distance 
and Internet access markets, including high speed access. On the 
content side of the business, we have investments in cable programming 
channels, broadcast television, a multi channel video program 
distributor through our direct-to-home satellite service, an Internet 
portal, new media and most recently a national newspaper. Given all of 
these varied business activities, most of which deal directly at the 
consumer level, we have been keenly interested in these issues for many 
years.
    I understand the Sub-committee is interested in hearing about 
Canada's approach to privacy as you consider the implications of the EU 
Data Protection Directive.

                   THE CANADIAN PRIVACY ENVIRONMENT:

    Part of Canada's electronic commerce strategy recognizes that the 
future growth of the information highway will allow Canada to 
capitalize on the full potential of electronic commerce, with its 
ensuing economic and social benefits. We have recognized that in order 
to ensure that business and consumers fully embrace electronic 
commerce, building trust is critical and building trust means providing 
reasonable protection of personal information and privacy. At the same 
time, in order for Canada to become a leader in the global knowledge-
based economy, the cost for business of managing personal information 
must also be reasonable and manageable.
    This concern about protecting personal information has attracted 
the interest of governments around the world and a number of options to 
address the issue have been debated in various circles. One approach is 
to adopt a comprehensive regulatory regime with a very detailed, 
prescriptive, all-encompassing set of privacy provisions that applies 
to all organizations in all industries. At the other end of the 
spectrum is an approach that relies almost exclusively on market forces 
with specific legislation on a sectoral basis to deal with the most 
serious abuses. The Canadian approach lies somewhere in the middle.

                   THE CANADIAN APPROACH TO PRIVACY:

    In October 1998, the Governments of the OECD Member countries 
attending the Ministerial Conference (A Borderless World: Realizing the 
Potential of Global Electronic Commerce) in Ottawa, Canada, adopted the 
Ministerial Declaration on Protection of Privacy on Global Networks 
which reaffirmed the importance of protecting privacy and recognized 
that the 1980 OECD Guidelines on the Protection of Privacy and 
Transborder Flows of Personal Data (the ``OECD Privacy Guidelines'') 
continue to provide an international foundation for the protection of 
privacy on any medium. The technology-neutral principles of the OECD 
Privacy Guidelines have formed the basis of self-regulatory and 
legislative initiatives internationally for almost two decades and 
continue to represent an international consensus for the collection, 
use and disclosure of personal information in any medium.
    Let me then describe how the Canadian approach to privacy has built 
upon and implemented these Guidelines.

a) The CSA Model Code for the Protection of Personal Information
    In the early 1990s, the level of concern of individuals over their 
privacy in general, and their lack of control over their personal 
information in particular, continued to rise coincident with the 
increased use of new technologies. In the face of this, the Government 
of Canada encouraged the business community to create a new Canadian 
standard for the protection of personal information. As a result, a 
Technical Privacy Committee of the Canadian Standards Association 
(``CSA'') was struck that broadly represented all key stakeholders: 
business, government and consumers. Those organizations that 
participated represented key industry sectors with vast consumer bases 
that had a large stake in establishing an effective standard for the 
protection of personal information, e.g. the telecommunications, cable, 
banking, insurance, credit reporting and marketing sectors.
    After a series of deliberations, the CSA Model Code for the 
Protection of Personal Information, CAN/CSA-Q830-96 (the ``CSA Code''), 
was finalized and released as a National Standard of Canada in March 
1996. The CSA Code is based on the OECD Privacy Guidelines and 
therefore represents a global standard. A summary of the CSA Code's 10 
Principles is appended as an attachment to this testimony.
    The Bell Companies participated actively in the development of the 
CSA Code. The Code's ten principles represent a cohesive and balanced 
set of fair information practices that reflect the needs and concerns 
of all parties. The Code clearly recognizes individual rights to 
control and limit personal information use, reflects the legitimate 
needs of companies to use information for business purposes, and 
establishes corresponding obligations for organizations to be 
accountable, obtain informed consent, safeguard personal data, and be 
open about policies and practices. As a ``model'' code, the CSA 
standard represents a set of minimum requirements and allows for the 
tailoring of the standard to meet the specific circumstances of an 
organization.

b) The Personal Information Protection and Electronic Documents Act
    Following development of the CSA Code, repeated surveys continued 
to underscore that Canadians were still concerned about the effect of 
new communications technologies on their privacy. While electronic 
commerce was starting to take off, many consumers were still reluctant 
to make purchases on-line because they lacked confidence in the 
security and privacy of on-line transactions. They were still unsure 
about what they could do or whom they could approach when something 
went wrong.
    Faced with that environment, the Government of Canada's Industry 
Department undertook broad public consultations to explore the 
possibility of a legislative approach. These discussions revealed broad 
support for self-regulation assisted by framework legislation that 
would encourage industry groups to develop sectoral codes based on the 
CSA Code.
    After much discussion and consultation with a broad array of 
representatives from government, industry and consumer groups, the 
Canadian government introduced in October 1998 draft legislation that 
was ultimately enacted in the form of the Personal Information 
Protection and Electronic Documents Act, S.C. 2000, c. 5 (the ``PIPED 
Act'') in April 2000. Its stated objective has been to establish 
harmonized national rules across the country. The PIPED Act is also 
intended to meet the adequate data protection requirements of the EU 
Data Protection Directive.
    This new piece of privacy legislation, which comes into force in 
basically two stages, is directed at the private sector and requires 
all organizations that collect, use or disclose personal information in 
the course of commercial activities to adhere to the CSA Code.
    Like the United States, Canada is a federal state. The federal 
government's approach to privacy also reflects a rather unique approach 
to the federal/provincial jurisdictional issue. As of January 1st of 
this year, the Act applies to all federal undertakings (e.g. 
telecommunications, broadcasting, airlines and banking industries), and 
those provincial undertakings that disclose personal information 
outside the province for consideration. In 2004, the provisions will 
apply more broadly to all organizations that collect, use, or disclose 
personal information in the course of commercial activities, including 
intra-provincial transactions. However, where and whenever a province 
adopts legislation that is ``substantially similar'' to the PIPED Act, 
the organizations covered will be exempted from the application of the 
federal law and the provincial law will instead govern.
    The purpose of the PIPED Act is to (s. 3):
        ``. . . establish, in an era in which technology increasingly 
        facilitates the circulation and exchange of information, rules 
        to govern the collection, use and disclosure of personal 
        information in a manner that recognizes the right of privacy of 
        individuals with respect to their personal information and the 
        need of organizations to collect, use or disclose personal 
        information for purposes that a reasonable person would 
        consider appropriate in the circumstances.''
    Due to legislative drafting conventions, it was recognized that it 
would indeed be difficult to incorporate the CSA Code principles and 
commentary directly into legislation, without significantly altering 
the carefully negotiated wording of the standard and compromising the 
flexible approach embodied in the standard. As a result the government 
adopted a novel approach to legislative drafting by having the 
legislation require compliance with the CSA Code, which in turn is 
reflected in a Schedule to the legislation.
    For the most part, the PIPED Act reflects a flexible approach that 
does not impose or mandate particular treatment of personal 
information. Rather, organizations can develop codes and practices 
tailored to their particular business circumstances. The very process 
of developing a tailored code forces an industry group or company to 
consider more thoroughly the manner in which to deal with information 
issues specific to its business activities. Furthermore, the process of 
developing a tailored code serves to educate participating industry 
sector members about their obligations and the need to develop 
corresponding practices and procedures.
    The legislation also requires commercial organizations to identify 
the purposes for which personal information will be collected, used and 
disclosed, and to obtain the consent of individuals from whom such data 
is collected. Consent can be either express or implied, depending on 
the circumstances and the sensitivity of the information--again 
reflecting a flexible approach. Commercial organizations, therefore, 
determine the scope of their identified purposes and consumers either 
accept them by continuing to do business with the organization or 
reject them by withdrawing consent or ``opting out'' of a particular 
proposed collection, use or disclosure.
    The PIPED Act establishes a federal Privacy Commissioner as its 
prime overseer. Individuals may direct to the Commissioner complaints 
about any aspect of an organization's compliance with the provisions 
relating to the protection of personal information in the PIPED Act. 
The Commissioner has general powers to receive and investigate 
complaints, including the summoning of witnesses and production of 
documents and other records. The Commissioner also has express powers 
to conduct audits and to attempt to resolve complaints by means of 
dispute resolution mechanisms such as mediation and conciliation. In 
fact, in framing the PIPED Act, the Canadian federal government clearly 
envisioned the Commissioner in an ombudsman role, with the stated goal 
of obtaining a resolution of privacy disputes in a non-confrontational 
manner. The Commissioner also has a mandate to develop and conduct 
information programs to foster public understanding of the privacy 
provisions of the PIPED Act.
    Unresolved disputes relating to certain matters can be taken before 
the Federal Court of Canada for a hearing. In addition to its normal 
powers, the Federal Court may order an organization to correct its 
practices and award damages to the complainant.
    By enshrining the CSA Code in legislation, the Canadian approach to 
protecting personal information recognizes that market forces alone 
will not provide the reasonable assurances that consumers require. At 
the same time, it avoids unnecessary and costly regulation that could 
stifle the growth potential of new technologies and provides necessary 
flexibility to tailor specific privacy practices to the unique 
circumstances of specific industry sectors. In our view, the Canadian 
approach reflected in the PIPED Act strikes an appropriate balance 
between a consumer's desire for privacy and the legitimate needs of 
business to collect and use personal information.
    Rather than imposing a common, detailed set of requirements and 
standards to be rigidly applied to all organizations in all industries, 
the Canadian framework legislation, recognizing that personal 
information needs vary tremendously across different industry sectors, 
accommodates maximum flexibility consistent with fair information 
practices.
    Most importantly, given the consensus process adopted, the CSA Code 
has the confidence of both consumer groups and the business community 
and represents, therefore, a fair and equitable basis upon which to 
build a legislative framework.

        THE BELL COMPANIES' CODE OF FAIR INFORMATION PRACTICES:

    Privacy and security of customer information is considered to be a 
key attribute of the Bell brand, and an important aspect of the 
relationship between the Bell Companies and their subscribers.
    The Bell Companies have long been committed--and continue to be 
committed--to maintaining the accuracy, confidentiality, security and 
privacy of customer and employee personal information. This is 
reflected in existing privacy and confidentiality provisions found in 
various Company policies and in applicable service rules approved by 
regulatory agencies over the years. It is also reflected in the high 
regard and trust with which customers and employees view the management 
of personal information by the Companies.
    Recently, the Bell Companies released the Bell Code of Fair 
Information Practices (the ``Bell Privacy Code''--copy attached). The 
Bell Privacy Code is a formal statement of principles and guidelines 
concerning the minimum requirements for the protection of personal 
information provided by the Companies to their customers and employees. 
The objective of the Bell Privacy Code is responsible and transparent 
practices in the management of personal information, in accordance with 
the CSA Code and the new legislation.
    The Bell Privacy Code stipulates that the Bell Companies can 
collect personal information only for the following purposes:

a) to establish and maintain responsible commercial relations with 
        customers and to provide ongoing service;
b) to understand customer needs;
c) to develop, enhance, market or provide products and services;
d) to manage and develop their business and operations, including 
        personnel and employment matters; and
e) to meet legal and regulatory requirements.
    As is the Companies' current practice, customers will continue to 
be able to review company records that contain personal information 
about them and update/correct any information contained in such 
records. Customers will also continue to be able to challenge any of 
the Companies' compliance with the Privacy Code through the existing 
office of the Bell Privacy Ombudsman. The office of the Ombudsman, 
which was established in 1992 in order to deal with unresolved privacy-
related complaints, has received very few such complaints in the 
ensuing years--an indication of the Companies' commitment to privacy 
protection and customer satisfaction.
    In order to implement the revised Bell Privacy Code, each of the 
Bell Companies has embarked on a plan that incorporates four elements: 
communications, training, systems and audit. The Companies are 
informing customers of the Companies' respective privacy policies and 
the implications thereof in a number of ways. The introductory pages of 
the white pages directory, bill inserts to customers, web pages and 
point of sale brochures all provide descriptions of the Companies' 
privacy policies. Business Office client representatives are also 
available to answer any questions that subscribers may have with 
respect to privacy. Copies of the Bell Privacy Code and other related 
documents are also available through these communication channels.
    In addition, the Companies are in the process of ensuring, through 
training and employee communications, that all employees understand and 
will uphold the commitments made in the Privacy Code and related 
documents. Particular attention is focused on employees who have 
routine access to subscriber personal information as part of their job 
function. All employees must sign-off annually that they understand the 
Privacy Code, and acknowledge that non-compliance with our privacy 
commitments could be grounds for dismissal.
    The Companies have also undertaken a review of their information 
systems to ensure that the provisions of the Privacy Code will be 
adhered to. Finally, regular internal audits will be employed to ensure 
ongoing compliance.
    The Bell Privacy Code will be reviewed at least every 5 years to 
ensure continued relevance and currency with changing technologies, 
laws and the evolving needs of the Companies, their customers and 
employees. New communications plans would precede adoption of any 
modifications to the Privacy Code.
    Finally, we intend to use technology to educate individuals about 
privacy issues, assist them to remain anonymous in appropriate 
circumstances and to exercise choice and control over the collection 
and use of their personal information.

                              CONCLUSION:

    In my view, the development by industry, government and consumers 
of the CSA Code has had a positive impact in influencing the Canadian 
government's approach to legislation in this area. The result is a 
piece of legislation that is flexible and far less intrusive and 
prescriptive than other possible legislative approaches. The Canadian 
legislation enshrines high-level privacy principles while avoiding 
unnecessary and costly regulation and providing necessary flexibility 
to tailor specific privacy practices to the unique circumstances of 
specific industry sectors.
    As leaders within our industry, we are committed to fair 
information practices within our individual companies, and to new 
voluntary initiatives that will further strengthen the level of privacy 
protection afforded to our customers and employees. Public education 
combined with market-developed technological solutions tailored to 
consumers' concerns and market demand will assist in providing the most 
efficient and effective means to protect personal information.
    The Bell Companies have supported the Canadian government's steps 
in pursuing a new model for the protection of personal information in 
the private sector, a model tailor-made for Canada which builds on the 
voluntary efforts of consumer groups, industry and governments.
    We believe the best model in Canada for private sector privacy 
legislation is a strong and consistent framework of harmonized federal-
provincial laws. Most importantly, only consistent harmonized privacy 
laws across all jurisdictions will provide the level of privacy 
protection that individuals seek and require for the growth of global 
electronic commerce.
    The Bell Companies remain committed to working with governments to 
promote effective privacy protection within a broader societal context.
    We wish you well in your deliberations.

                    CSA Code--Principles in Summary

    Principle 1--Accountability: An organization is responsible for 
personal information under its control and shall designate an 
individual or individuals who are accountable for the organization's 
compliance with the following principles.
    Principle 2--Identifying Purposes: The purposes for which personal 
information is collected shall be identified by the organization at or 
before the time the information is collected.
    Principle 3--Consent: The knowledge and consent of the individual 
are required for the collection, use, or disclosure of personal 
information, except where inappropriate.
    Principle 4--Limiting Collection: The collection of personal 
information shall be limited to that which is necessary for the 
purposes identified by the organization. Information shall be collected 
by fair and lawful means.
    Principle 5--Limiting Use, Disclosure, and Retention: Personal 
information shall not be used or disclosed for purposes other than 
those for which it was collected, except with the consent of the 
individual or as required by law. Personal information shall be 
retained only as long as necessary for the fulfillment of those 
purposes.
    Principle 6--Accuracy: Personal information shall be as accurate, 
complete, and up-to-date as is necessary for the purposes for which it 
is to be used.
    Principle 7--Safeguards: Personal information shall be protected by 
security safeguards appropriate to the sensitivity of the information.
    Principle 8--Openness: An organization shall make readily available 
to individuals specific information about its policies and practices 
relating to the management of personal information.
    Principle 9--Individual Access: Upon request, an individual shall 
be informed of the existence, use, and disclosure of his or her 
personal information and shall be given access to that information. An 
individual shall be able to challenge the accuracy and completeness of 
the information and have it amended as appropriate.
    Principle 10--Challenging Compliance: An individual shall be able 
to address a challenge concerning compliance with the above principles 
to the designated individual or individuals accountable for the 
organization's compliance.

    Mr. Stearns. Thank you, Mr. Henry.
    Let me start off. Mr. Winer, if we enacted--if we had the 
European Union privacy laws, what would be the cost to American 
taxpayers, American businesses? I mean, just give me a little 
brief scenario here. I have got lots of questions, so--I mean, 
it is going to be burdensome from your testimony, but, I mean, 
is there any kind of statistical or quantitative----
    Mr. Winer. I have never been able to find one, sir. I have 
asked the Europeans any number of times if they have ever done 
such a study.
    Mr. Stearns. Right.
    Mr. Winer. I believe the Department of Commerce may have 
requested that information from the EU and never gotten any 
response back.
    Mr. Stearns. Okay. Ms. Lawler, your company has signed the 
safe harbor, and there is less than 20. So you folks are out 
there early. And so I guess the real question, why--can you 
sort of let us in with a trade secret, why haven't the other 
technical companies signed on to this safe harbor? We all 
respect and admire your company, and it is one of the 
bellwether leaders in the industry. Why are you way ahead? Why 
haven't the other people done it?
    Ms. Lawler. Let me answer that by saying last month I was 
at a workshop on safe harbor that was conducted in the Bay 
area, which by the way was extremely well attended by many 
large global and national concerns.
    And what I heard in comments--I think the first thing to 
keep in mind is that while the safe harbor principles have been 
under discussion for a couple of years, the real final result 
that was available for American businesses to actually look at 
and evaluate what they needed to do to certify to the safe 
harbor has really only been available since November 1st.
    Now, for Hewlett Packard, we really had a running start 
because we had such a strong set of privacy policy and 
associated practices before the actual safe harbor agreement 
was even ratified, partly through our work with the safe 
harbor--I am sorry--with the BBB Online folks and that privacy 
seal program.
    What I heard from some of my peers in that area is that 
there is still concern about some of the jurisdictional issues. 
They are waiting to see the standard contracts that were 
discussed in the first panel, to see if that was a viable 
alternative.
    Mr. Stearns. The model directives, you mean?
    Ms. Lawler. Excuse me? I am sorry.
    Mr. Stearns. You are saying contracts.
    Ms. Lawler. The standard contracts that one would sign with 
each----
    Mr. Stearns. For safe harbor.
    Ms. Lawler. [continuing] protection authority.
    Mr. Stearns. Okay.
    Ms. Lawler. As opposed to safe harbor, evaluating that as 
an alternative. Some companies are actually looking at 
developing very elaborate express permission scenarios, very 
expensive.
    Frankly, a lot of companies just simply are not as far 
along in their internal practices and take safe harbor and the 
principles outlined very seriously. And so I think it is going 
to take them some time to evaluate where they are at, what they 
are doing, and it is probably about a year process for them.
    Mr. Stearns. Mr. Winer, does the safe harbor provide a 
prudent option for American companies to comply with the EU 
directives, in your opinion?
    Mr. Winer. If you are a company with a complex corporate 
structure, it is going to be very difficult because of the--
each company, each structure, is viewed to be a third party, 
and you have to agree not to transfer to third parties, which 
could include intra-company transfers. Of course, it can't 
apply to financials or telecoms because they are not within the 
jurisdiction.
    I think it is up to each company. The fact that so few have 
so far chosen to sign on is a vote with your feet proof that to 
date it has not been an attractive option for most companies. I 
think it would be terrifically valuable if we were able to get 
a cost assessment--as an answer to the question you asked me--
done by proper economists, properly trained people, to try and 
figure out what real compliance costs are likely to be.
    I noted in the testimony of my colleagues from HP, they are 
doing a very great job, but they confessed, I believe, at one 
point that there are some areas that they are finding some 
difficulty in completely meeting the terms of the directive as 
they develop their processes. So it is going to be a bit of 
work for everybody, and potentially an expensive one. We ought 
to know the costs.
    Mr. Stearns. Ambassador Aaron, you stated that the 
provisions of the safe harbor had to be more flexible than the 
directive and address real-world information practices on a 
reasonable basis. Yet only 26 companies and organizations have 
signed up for the safe harbor. Does this suggest that safe 
harbor is not a reasonable option for American companies?
    Mr. Aaron. I think it is a very reasonable option, and I 
might say that since we have had some of our panelists here say 
that it was either too tough and onerous, and others said it 
didn't mean anything and would not help, I think we have 
probably hit the sweet spot in trying to put this thing 
together.
    I think the main reason that companies haven't signed on 
yet is that it is very complicated, and they want to look at it 
carefully. I think you could tell, even from the discussion 
this morning with the European Data Protection Authorities, 
even there is some confusion on their part as to exactly how 
all of this would work.
    Well, I would be careful, too. And we are advising our 
clients that the safe harbor is a good way to go but that they 
have got to be very careful in how they do it, and that they 
have got to be sure that it is going to apply.
    My principal concern at this point has been the fact that 
the European Union has started to chip away at the safe harbor. 
First, in the final days of negotiation, they made changes to 
how employee data would be covered, making it much more 
difficult than the safe harbor ought to operate from the 
standpoint of enforcement.
    There are suggestions now that the--from the data 
protection authorities that if you send a cookie from the 
United States to a computer in Europe, that this somehow 
creates a facility in Europe, and, therefore, operates under 
European law, and, therefore, somehow the safe harbor doesn't 
apply; it has got to be European law.
    Well, I talked to the Commission personally on this issue, 
and they were rather horrified by this conclusion because it 
has implications for taxation and a whole lot of other things. 
And they are going to seek to get this clarified, but it is the 
kind of uncertainty that I think causes companies pause.
    Mr. Stearns. My time has expired.
    Mr. Towns?
    Mr. Towns. Thank you, Mr. Chairman.
    Let me continue with the Ambassador. Is there an organized 
effort by some in the business community to keep U.S. firms 
from signing on to the safe harbor?
    Mr. Aaron. I, frankly, don't know. I haven't personally 
encountered--I know there were some people toward the very end 
of the negotiation that raised some objections, some of them of 
the sort that we have heard here today. But I don't know of any 
organized effort to boycott it in any way.
    Mr. Towns. Well, in a recent article in Computer World, a 
representative of Dun & Bradstreet said that safe harbor 
allowed that company to obtain waivers for data transfers so 
that it could consolidate a UK-based data center with one in 
New Jersey. Do you believe that safe harbor helps keep data 
firms and jobs in the United States?
    Mr. Aaron. Well, there is no question about it. If--you 
know, there are two ways to run a business. One is you can 
totally decentralize, and if you are dealing with European 
employee data, customer data, that sort of thing, if you just 
keep it in Europe, but--particularly if there is obstacles to 
bringing it back to the United States.
    I have one client who is--that basically provides a service 
that involves employee evaluation, and they provide this 
service to companies all over the world. And so they get 
evaluations from superiors and subordinates and colleagues and 
self-evaluations, and so forth. They do all of this processing 
in the United States.
    Now, if they are not a member of the safe harbor, they are 
not going to be able to be in business. Now, they can go toward 
contracts, but I think, as Mr. Winer indicated, these contracts 
are enormously onerous. The basic principles are the same as 
the safe harbor, but then they tack on a whole series of other 
things about rights, private action, and all the rest, that 
this is not going to turn out to be an attractive alternative.
    So I think at this point you have basically got the safe 
harbor, you have contracts, and that is what you have got. And 
I think the safe harbor is a much more congenial, flexible 
tool, even though it may go further in some respects than we 
would like.
    Mr. Towns. Anybody disagree with that? Yes? You have a 
comment on that?
    The reason I--let me just say, the reason I ask that, not 
that I am interested in having a debate of any sort, but the 
point is that I just think this issue is just so serious that 
we need to make certain that we get as much information as 
possible before we move forward, because I am convinced that 
something is going to be done in this Congress. So I really 
want to get information.
    Yes?
    Mr. Reidenberg. I would hope you are right that this 
Congress will do something to protect privacy in the United 
States. I guess I disagree with at least one statement, that in 
the absence of signing up for safe harbor the companies will 
not be able to transfer data back to the United States.
    Article 26 of the directive has a series of derogations 
from safe harbor--or, excuse me, has a series of derogations 
from export prohibitions that are more extensive than simply 
having a contract between an American data importer and the 
European data exporter.
    The other thing that I think the committee ought to be 
aware of is that the export prohibition provision did not begin 
with the European directive. It began with member state law 
that preexisted the directive for many years.
    And many of the certainly larger American companies have 
been dealing with this as a fact of life for more than 20 years 
in some member states and have not had problems, because they 
have worked with the national data protection authorities in 
each of those member states, assuring them of treating the 
European data with fair standards in the United States.
    So if it is a company that is treating data fairly in the 
United States, I find it very perplexing that they have such 
difficulty either signing onto a contract for data protection 
or subscribing to something like the safe harbor, the 
substantive standards of the safe harbor.
    If they are indeed practicing privacy, these obligations 
should not be that--should not be burdensome for them. Again, 
keeping in mind if they are operating in Europe, they are under 
legal obligation in European countries to do that anyway.
    Mr. Towns. Thank you.
    Yes, Mr. Winer?
    Mr. Winer. Yes, sir. I would say that the devil is in the 
details in this area. And one of the reasons why so few 
companies have signed up is because you have to do a very 
detailed analysis of how the safe harbor applies to your actual 
operations and information systems. And if you have got a 
complex corporate structure or complex sets of information, you 
may not be able to live up to the safe harbor very easily. It 
may be expensive and difficult.
    So its value is very fact-dependent, and there are lots of 
gaps.
    Mr. Aaron. May I just add one point? This is true of any 
privacy policy. And one of the great and surprising things is 
that if you would talk to most companies about the privacy 
policy, you can often find out that they just borrowed it from 
some other company. They just went on the web, took the privacy 
policy, stuck it on there. It has nothing to do with their 
business.
    You talk to general counsels of major corporations about 
their privacy policy, and you ask them, ``Do you collect 
personal data? And who do you share it with?'' And they say, 
``We will get back to you,'' because they don't know. They have 
to go all the way down to the data base managers and find out 
what is really happening in those companies.
    This is true of any privacy policy. It goes to the heart of 
most companies and business operations, and it is a crucial 
thing, and it is going to cost money for everybody.
    Mr. Towns. All right. Mr. Chairman, my time has expired.
    But let me commend Ms. Lawler for her company in terms of 
their moving forward. I just wanted to let you know that we 
salute you for that.
    Ms. Lawler. Thank you, sir.
    Mr. Towns. Right. I yield back.
    Mr. Stearns. Mr. Buyer is recognized for 5 minutes.
    Mr. Buyer. Thank you, Mr. Chairman.
    Ms. Lawler, I have got your web page. Okay?
    Ms. Lawler. Okay.
    Mr. Buyer. One thing I do like about it, what appears to be 
open and conspicuous, and I don't know if it is redundant, but 
over here it says privacy statement. So you can click on it, 
right? And you get over into it, it says, ``Who do we share it 
with?'' i.e. obviously, the personal data.
    So you want to get in there, and it is--I heard your 
testimony. It sounds good. So let us examine what you said. HP 
will not sell, rent, or lease your personally identifiable 
information to others. And that is what your testimony was.
    Ms. Lawler. Correct.
    Mr. Buyer. Okay. Now let us go into the but. You then give 
permission to your partners----
    Ms. Lawler. What I said in my testimony is that we will not 
share with partners without customer permission. I can share 
some examples if you would like.
    Mr. Buyer. [continuing] that you provide online with other 
HP entities and/or business partners who are acting on behalf, 
and the uses are described, how we use it.
    Ms. Lawler. Business partners acting on HP's behalf. That 
was the scenario I described where their suppliers and service 
providers--they are required and covered under contract and on 
disclosure to abide by our privacy policy.
    Mr. Buyer. So all of your other subsidiaries or partners 
whom you do business with, you go all the way back to your 
customer. If I click on--my son clicks on and does something 
with HP, you are not going to give any of that data unless you 
go back and ask whether or not you can give it?
    Ms. Lawler. What that is saying is that if they are covered 
under contract, they are covered by the privacy policy. An 
example would be an advertising agency creating material for us 
or a shipper like, say, Federal Express shipping our product.
    Mr. Buyer. Let me ask this. Do you believe that there 
should be a level of comfort with someone who would use your 
site, that the information or their practice is not going to 
then be shared with your other business partners or 
arrangements or contractual partnerships that dominoes one 
after another?
    Can I turn to my constituents and say, ``Hey, what HP says 
is when you deal with them, none of that information is going 
to be shared with anyone else unless they come back to you''?
    Ms. Lawler. If you are referring to the situation we talked 
about with suppliers----
    Mr. Buyer. No, no, no, no. Don't go to what your situation 
is. Go to mine. See, I don't believe----
    Ms. Lawler. Can you give me a specific----
    Mr. Buyer. I don't believe you can stand by what you just 
said. That is what I am questioning. First, you give that one 
statement that is pretty emphatic, and then you go into the 
``unless.'' I always pay attention to the unless, however, but, 
comma.
    Ms. Lawler. That is not a but or unless, but I understand 
what your question is.
    Mr. Buyer. All right. I don't want to quibble with you.
    Ms. Lawler. Okay.
    Mr. Buyer. I just want to get the definition.
    Mr. Stearns. Will the gentleman yield for just a moment?
    Mr. Buyer. Yes.
    Mr. Stearns. Another question you might ask is, how are 
they enforcing against their partners?
    Mr. Buyer. Well, that is the real problem. If you have 
information which you say, ``Well, we are going to give it to 
one of our business partners,'' then you begin to lose control 
when that business partner has a second arrangement with 
another business partner, and all of a sudden it is three, four 
down the line and you have----
    Ms. Lawler. Okay. I need to go back to what I had been 
saying, which is that if it is a partner doing business on 
behalf of HP--in other words, we could have our own shipping 
organization that delivered packages to your door, we could 
have an in-house ad agency, we could have all in-house call 
centers for an example. An alternative is to outsource that 
effort.
    Outsourced efforts are covered under contract and legal 
non-disclosure agreements that the vendor--this is a vendor-
supplier relationship--that they sign. Therefore, they are 
protected. So they have the data, but they are not using it for 
their own business purposes. They are using it on behalf of HP 
contractually; therefore, legally protected.
    That is different from a business partnership, say, for 
example, with a software supplier. Say, for example, you bought 
a Hewlett Packard Pavilion PC, and you decided to register 
that product with Hewlett Packard, which, by the way, is your 
choice. You can also choose to register your software 
applications at the same time in one single approach, which 
many customers see as a benefit. Others prefer to register 
individually.
    So if we think of a major software provider, we provide you 
the option to transmit your personal data to that software 
provider to complete the registration process in one single 
effort. But we ask that permission question before that 
happens. And if you don't want to do that, it doesn't happen. 
You are in control.
    Mr. Buyer. Thank you.
    Mr. Stearns. The gentleman from Tennessee, Mr. Gordon?
    Mr. Gordon. Thank you. We only have 5 minutes just like you 
do, so I am going to try to be quick with three questions and 
hope you will be quick with three answers, or at least the 
first two.
    Ambassador Aaron, if you could help maybe clear up a 
question I had raised earlier concerning the safe harbor, and 
that is that if a company is within safe harbor, then FTC makes 
those determinations. My concern is, then, does the--is there a 
veto or an override in some regard by any of the EU countries 
to say that the FTC is not doing their job properly or they 
don't agree?
    Mr. Aaron. No, there isn't. Now, having said that--and that 
is part of the deal. Having said that, if Mr. Rodota, for 
example, should decide he didn't agree with that and he thought 
that some U.S.--some firm in Italy was sending information to a 
company in the United States that wasn't behaving properly, and 
he moved to enjoin that transmission of information, then it 
would be the responsibility of the European Commission to go 
after Mr. Rodota and to get together his various committees and 
make a determination as to whether Mr. Rodota was in his rights 
or was not.
    And they have made clear to us, in the course both of the 
negotiations, that they would move to insist that the national 
data----
    Mr. Gordon. So they can overrule the FTC.
    Mr. Aaron. They can overrule the----
    Mr. Gordon. Well, that is all I wanted to----
    Mr. Aaron. They can overrule the national--the Commission 
can overrule the national Data Protection Authority.
    Now, anybody can sue anybody. If somebody goes into court 
and says, ``I am not being protected in a European court,'' 
then the European Commission will weigh in on the side of the 
U.S. defendant if they are within the safe harbor.
    Mr. Gordon. But they still can overrule the FTC, the 
individual countries, can't they?
    Mr. Aaron. No, they cannot. The European Commission comes 
in and declares that action illegal or unacceptable.
    Mr. Gordon. But isn't that the same thing?
    Mr. Aaron. No. The action of the member state is illegal or 
unacceptable. In other words, any----
    Mr. Gordon. But can they rule that it is acceptable, their 
action is acceptable?
    Mr. Aaron. Well, I suppose that is conceivable, but then 
that is a violation of our agreement and that raises everything 
to a political level and we begin to----
    Mr. Gordon. So why would--okay. Well, maybe I just need to 
understand that more.
    Mr. Winer, you gave a lot of reasons why the EU should not 
go forward with the regulations that they have. Is there any 
reason that they can't make a bad decision? I mean, you said it 
is a bad decision. But do they have the right to make that bad 
decision?
    Mr. Winer. They certainly have the right to make a bad 
decision. The question is, what is the U.S. response when 
another country makes a bad decision?
    Mr. Gordon. That is the main thing I wanted to know.
    Mr. Winer. Yes, sir.
    Mr. Gordon. So they have the right to make that bad 
decision.
    And, finally, if I can--Mr.--I guess this is--Mr. 
Reidenberg, if I was a--from a business perspective, what makes 
me most concerned about dealing with the EU would be the 
uncertainty as well as maybe the arbitrariness of how some of 
the rulings, you know, could be arbitrated.
    I think you have what I would think is the best suggestion, 
and that is some type of international treaty which would go 
beyond EU into problems around elsewhere. What would be the 
vehicle for that international treaty?
    Mr. Reidenberg. The WTO, in particular, Telecoms Annex.
    Mr. Gordon. Yes, okay.
    Mr. Reidenberg. There is a specific exception for 
restrictions on trade and services and information under the 
Telecoms Annex for privacy. And the WTO agreements require 
biennial assessments at a ministerial level for----
    Mr. Gordon. Is there any kind of effort going on to develop 
some international standards in that regard?
    Mr. Reidenberg. There has been some suggestion that the WTO 
take it up. To my knowledge, that has not yet happened. I think 
it is inevitable that the WTO will have to focus on privacy 
issues. I would prefer to see the United States taking the lead 
than being the second seat at the table.
    If I may for a moment refer specifically--this goes back to 
your first question that you raised with Ambassador Aaron. 
Article 3 of the Commission decision of July 26th, which is the 
decision approving the safe harbor, specifically allows the 
member state data protection authorities to reject transfers to 
a company on the safe harbor list.
    So the specific answer is Article 3--it is specifically 
Article 3, clause 1(b), specifically says that the member 
states under certain circumstances can refuse to recognize a 
company on--listed on the Commerce Department's listing of 
certified safe harbor companies.
    Mr. Gordon. Well, that was my understanding.
    Ambassador Aaron, I guess you can say it, but maybe I don't 
understand it, I mean, why do you see this differently than the 
rest of us?
    Mr. Aaron. Because the Commission has further powers. The 
Commission has the power to look at any decision made by a 
national Data Protection Authority and decide whether it is 
within the scope of the safe harbor or whether it is doing 
something aberrant. It has nothing to do with the safe harbor, 
trumping the FTC, doing something----
    Mr. Gordon. Right.
    Mr. Aaron. [continuing] of that sort.
    Mr. Gordon. So however you get there, but that is the same 
result. I mean, that they can overrule the FTC, can't they? But 
why don't you maybe----
    Mr. Aaron. No.
    Mr. Gordon. Again, I am just wondering, why do you see this 
differently than everyone else here?
    Mr. Aaron. I guess maybe because I negotiated it and I know 
what those words mean.
    Mr. Gordon. Or is that just editorial pride?
    Mr. Aaron. No, I don't think so. I don't think so. I don't 
think I actually wrote the words.
    Mr. Gordon. Okay.
    Mr. Aaron. What happens is that if the national--there are 
some exceptions, as you pointed out. But, basically, if the 
national data protection authorities do not recognize the safe 
harbor, the Commission has the right to come in and make them 
recognize it. That is the deal. So if they do something----
    Mr. Gordon. They have the right to, but does that mean that 
they have the obligation to?
    Mr. Stearns. The gentleman's time has expired.
    Mr. Aaron. Well, that----
    Mr. Gordon. I mean, if they don't have the obligation to, 
then it doesn't really matter, does it?
    Mr. Aaron. Well, they actually have the obligation to under 
their own rules.
    Mr. Gordon. Thank you.
    Mr. Stearns. The gentleman's time has expired.
    The gentleman from Georgia, Mr. Deal, is recognized for 5 
minutes.
    Mr. Deal. Thank you, Mr. Chairman.
    Mr. Henry, as I understand, what has happened in Canada is 
you started out with industry code that was industry derived, 
and that has now been backed up with legislation, but the 
legislation is very flexible and embodies the possibility for 
many variations of types of agreements. Is my understanding 
correct?
    Mr. Henry. Flexible in the sense that it allows--it sets 
out a number of obligations. But the manner in which you meet 
those obligations or fulfill them leaves some flexibility. So, 
for example, different industries, it actually envisages that 
different industries would develop different practices to 
reflect the particular business circumstances, still complying 
with the principles and having an obligation to comply with the 
principles.
    And consent as well is a flexible concept. The form of 
consent depends very much on both the sensitivity of the 
information and the circumstances, and so on.
    Mr. Deal. But these are national standards with----
    Mr. Henry. Right.
    Mr. Deal. [continuing] the right of territorial----
    Mr. Henry. Right.
    Mr. Deal. [continuing] variations.
    Mr. Henry. Right.
    Mr. Deal. I guess the next question, then, is, has the EU 
acknowledged your legislation and your code as an acceptable 
compliance with their directive?
    Mr. Henry. It is in the process of doing so. There is a 
couple of working group studies underway. I think Mr. Smith 
earlier acknowledged that it looks like they will accept it, 
and certainly----
    Mr. Deal. Will it be a blanket approval, or will it--since 
there is flexibility, would it be a case-by-case determination?
    Mr. Henry. Well, our hope and understanding, and the 
Canadian government's hope and understanding, is that it will 
be accepted. The EU is looking at it, and once they understand 
it we are confident that they will accept it. Yes, absolutely. 
And it was drafted not only with that in mind but certainly 
with that in mind, that it was to comply with the EU directive.
    Mr. Deal. All right.
    Mr. Henry. And if I could just add one other thing. When I 
say ``flexibility,'' it is flexibility on those points I talked 
about. On the enforcement side, I think it is much stricter. 
There is a privacy commissioner with a lot of power. There is 
possibilities to go to court. There is audits. There is public 
reports that the privacy commissioner can make. So it is quite 
strict in that sense.
    Mr. Deal. Professor Reidenberg, I believe your suggestion 
of trying to arrive at some standard initiated that would be 
acceptable to our country, and then going through WTO to see if 
we could arrive at a mutually agreeable standard, is probably a 
very good approach.
    But your comments also indicate that if American companies 
are really doing basically what they should be doing, they 
really shouldn't have that much trouble under the current 
arrangement, even though it is somewhat disjointed. Is that a 
fair summary of what I heard you say?
    Mr. Reidenberg. Yes and no. I think it is a fair summary, 
but it probably doesn't completely present an accurate picture. 
If American companies were doing what they were supposed to be 
doing, and by that I am going to treat that as an American 
standard, if companies were treating information fairly with 
the kinds of principles that we have long recognized in the 
United States going back to the OECD guidelines from the early 
1980's, if they were doing that, then substantively they should 
be in compliance with the kinds of obligations that the 
European directive imposes.
    It would not, however, alleviate the practical problem of 
having to prove their adequacy on a case-by-case basis, because 
there would be no obvious legal right to point to, no obvious 
enforcement ability to point to. They would have to go and show 
case by case, yes, we are doing these things. So----
    Mr. Deal. Mr. Winer, or Ambassador Aaron, do either of you 
disagree that going to a standard--WTO approved standard would 
be not a desirable goal to try to shoot for? Or is there a 
better way?
    Mr. Aaron. I think there is a better way, and I think the 
better way was reflected in the testimony we heard earlier, 
which is a thing called the global business dialog for e-
commerce. They are in the process of developing a number of 
private sector, international rules and standards, much along 
the lines that the Canadian private sector did, kind of a code 
of conduct.
    I think that is likely to be much more flexible, much more 
effective, much more widely accepted, and to try to go into an 
organization of 140 or 70, or I don't remember how many members 
there are now, including China and a couple of other countries, 
and try to negotiate privacy, this is not going to be an easy 
thing to do.
    Mr. Deal. Thank you, Mr. Chairman.
    Mr. Stearns. Thank you. I think--there are just a few of us 
left--we will take another quick round. Make sure you don't 
miss your planes.
    Mr. Henry, it seems like Canada has developed something 
with the participation of industry. So industry came in and 
participated in developing the code and practices, as I 
understand it, that is tailored to the different industry that 
applies.
    Did you find that industry's participation made it less 
burdensome? I mean, that relationship, did that make it 
palatable for them to take an all-encompassing law? I mean, you 
might give us just a little----
    Mr. Henry. Absolutely. What they did was develop a code 
that was at a higher level, and that code is a single code. 
That is a CSA Code. But that code itself allows and envisages 
that industry-specific sectoral codes could be developed to be 
in compliance with that code. And so----
    Mr. Stearns. Ambassador Aaron, you mentioned the global 
business dialog of e-commerce. So if you were in a position 
where you could wave a magic wand and put in place, for the 
United States or for world commerce, one consistent privacy 
practice, how would you do it, and what would it be?
    Mr. Aaron. Well, I think that the basic principles that 
were contained in the OECD privacy principles are a good place 
to start. But it is very important to recognize that different 
sectors of the economy have different privacy requirements and 
need different kinds of flexibility.
    So I would build from there, but I would try to realize 
that there are sectoral differences. For example, the Europeans 
don't accept our Gramm-Leach-Bliley and Fair Credit Reporting 
Act. I think this is a big mistake on their part. We provide 
tremendous----
    Mr. Stearns. They don't accept our what?
    Mr. Aaron. They don't accept that the Gramm-Leach-Bliley 
privacy protections and the Fair Credit Reporting Act 
protections----
    Mr. Stearns. Oh, okay.
    Mr. Aaron. [continuing] are adequate.
    Mr. Stearns. Okay.
    Mr. Aaron. They think that is not adequate privacy 
protection. I think that is entirely unacceptable for us. And, 
of course, we are going to come to the crunch on this issue 
pretty soon. But those two acts working together provide 
tremendous privacy protections, and they are enforced by the 
Fed and by the Office of Thrift Supervision and all the rest of 
it.
    But I really think you can't just spell out--well, I would 
be happy to do it at some point, maybe write a book about it, 
but I think you really have to think about--you know, you have 
to give notice; how much? You have to give choice; opt-in/opt-
out. You have to talk about third parties and your obligations.
    Mr. Stearns. Do you think in opt-in or opt-out there is a 
favorite in your mind?
    Mr. Aaron. I think that opt-out ought to be quite 
acceptable for many, many purposes.
    Mr. Stearns. So----
    Mr. Aaron. And, in particular, let me just say one thing. 
You know, the debate that took place in Gramm-Leach-Bliley, 
during that period, was whether there should be opt-in for 
sharing with affiliates. That was the big fight over that 
issue.
    Well, the Europeans say, ``No, you have to have''--what we 
were trying to do with that was to try to make us equal to the 
Europeans. The European banking institutions and financial 
institutions aren't structured the way we are. They have 
insurance. They have brokerage. They have banks. They are not 
affiliates. They are actual divisions of a company. So, 
therefore, they share this between each other all the time, 
with no difficulty.
    We are structured--many of our companies are structured 
differently. So all of a sudden you get this issue of affiliate 
sharing, and whether there should be opt-in or there should be 
opt-out. Well, I think we have got to be careful there because 
the fact of the matter is if we accepted either one of those 
procedures--and we did accept opt-out to some extent--we find 
ourselves at a competitive disadvantage.
    Mr. Stearns. Mr. Winer and Professor Reidenberg, both of 
you briefly tell me what you would do if you could wave a magic 
wand to get this privacy so that it would be a global business 
policy.
    Mr. Winer. For starters, the EU needs to recognize the U.S. 
system for protecting privacy as adequate. Our system protects 
privacy in practice better than the EU system. You go in, you 
get privacy policies----
    Mr. Stearns. So they have got to recognize the Gramm-Leach 
bill.
    Mr. Winer. Absolutely. And Fair Credit Reporting. You look 
at the privacy policies companies put online. If you don't do 
that, you are going to have customer problems, you are going to 
have FTC problems, you are going to have Attorney General problems.
    We have a system in this country of regulation and 
enforcement that is very aggressive. You go over to the EU they 
have got soft guidelines, and they have got much less 
enforcement. They don't have regulations for the most part.
    And the testament is, you get the consumer groups looking 
at it, and they are saying, ``Yes, America actually does it 
better, even though the EU standards are tougher.'' So the 
first thing would be they have to recognize our system and give 
due respect to our system. Yes, sir.
    Mr. Stearns. Okay. Professor?
    Mr. Reidenberg. I think it is nonsense that Gramm-Leach-
Bliley meets the standards contained in the European directive. 
I think we are bandying about the term ``adequate'' in 
different ways. Adequate, under the directive, means does it 
satisfy the obligations contained in the directive.
    We may talk about it as being adequate for the American 
context as enacted by Congress. I personally have views much 
more akin to Mr. Markey's from this morning. But in terms of 
the Gramm-Leach-Bliley compared to the standards in the 
directive, Gramm-Leach-Bliley is essentially a notice and 
consent statute. The directive contains substantially more than 
that in terms of fair information practices.
    It contains data subject access rights. It contains 
security rights. It contains a whole host of things that Gramm-
Leach-Bliley is just simply silent on.
    Similarly, the Fair Credit Reporting Act is a very 
important piece of privacy legislation in the United States. 
But if you look at it carefully in the context of the 
directive, and if you look at it carefully in its own context, 
it has the most tortured set of definitions for what is covered 
under the Fair Credit Reporting Act of any recent legislation 
we have had.
    What I would do in the United States, I would enact the 
OECD guidelines and statutory obligations, and I think we need 
to look at some creative ideas like creating a mechanism such 
that--a safe harbor mechanism so that companies have a degree 
of certainty in particular contexts what their obligations are 
under a statutory enactment like the OECD guidelines.
    Mr. Stearns. My time has expired.
    Mr. Towns?
    Mr. Towns. Thank you very much, Mr. Chairman.
    Mr. Winer, I see from your statement that in the previous 
administration you served in the State Department and were 
engaged in negotiations with the EU. When you were at the State 
Department, were you a member of the United States delegation 
that negotiated the EU-U.S. safe harbor agreement?
    Mr. Winer. No, sir.
    Mr. Towns. So you are not appearing at this hearing as an 
expert witness based on any direct involvement in those 
negotiations. Is that correct?
    Mr. Winer. In those negotiations, no, sir. I did lots of 
other negotiations with the EU, however, sir.
    Mr. Towns. Your written statement says that you are 
affiliated with the law firm of Alston and Bird, and that you 
spend much of your time, ``Counseling U.S. companies about 
privacy issues,'' including the EU privacy directive that is 
the subject of this hearing today.
    Are you representing clients this afternoon in your 
appearance before the subcommittee? And, if so, who are they?
    Mr. Winer. No, sir, I am not. These represent my views. No 
one from outside my law firm reviewed any aspect of my 
testimony prior to my writing it. It reflects my views. In 
fact, it reflects opinions that I held when I was in the 
Clinton Administration.
    Mr. Towns. Okay. Well, do your clients want to see the safe 
harbor agreement terminated?
    Mr. Winer. I have not asked that question of any client, if 
they want the safe harbor agreement terminated. I think what 
people want is a safe harbor that is going to work for them.
    I think what they want is respect for--when you are in 
compliance with U.S. law, that you are not going to be punished 
for when you act in compliance with U.S. law by somebody else, 
and that your compliance with U.S. law will buy you some 
protection against being punished elsewhere. I think that is 
what some people would like to see, sir.
    Mr. Towns. All right. Thank you.
    Ms. Lawler, you know, I am still back on the question that 
Congressman Buyer raised, if there was a violation. It is my 
understanding that if HP would actually be liable to its 
consumer if that occurred, and it would be my understanding 
that then HP would go after the vendor, is that correct?
    Ms. Lawler. Correct.
    Mr. Towns. Yes. So I couldn't quite understand where he was 
going with that. That was really, you know--I couldn't quite, 
you know--well, anyway, that is another issue. I am sorry he is 
not here, because I don't want to pursue it any further because 
I am sure he would have, you know, maybe a response. It is 
unfair I think to pursue it, you know, because of the fact that 
he is not present. But I just had to say that because I have 
thought about it.
    The other thing is that, basically, I wanted to raise with 
you, Ms. Lawler, it is my understanding that the EU has tried 
for years but so far has failed to agree on what a model 
privacy contract should look like. Nevertheless, contracts are 
being entered into every day.
    Do U.S. companies have sufficient commercial presence in 
the EU that they can hold their own in these contract 
negotiations? Or does the absence of a model contract mean that 
our companies are at the mercy of EU privacy directives?
    Ms. Lawler. I think the companies that are looking at this 
issue have significant presence in Europe, and not just in 
Europe, quite frankly, and have fairly sophisticated groups, 
both in legal and contracts, that certainly could hold their 
own if they chose to pursue that particular route.
    I know for Hewlett Packard we made a very distinct business 
strategy decision not to get into the contracts business if you 
will. Our business, as many technology companies--business 
changes so rapidly that you are essentially in an ongoing 
contract discussion that never ends. And we didn't feel that 
was a good business model for us.
    Mr. Towns. All right. Thank you.
    Professor Reidenberg, let me say we have something in 
common. You know, I was on staff at Fordham as well, I want to 
let you know, so we have that in common.
    Now I will ask you the question. The international treaty 
that you talked about to solve the privacy issue, what is the 
timetable, the timeframe, with that? You know, because when you 
think about these kinds of things you think about, you know, 
something going on and on and it might not even happen during 
my lifetime.
    Mr. Reidenberg. I can't predict how long it would take to 
negotiate such a treaty. It certainly would not happen 
overnight. But then, if we look at the basic privacy principles 
that the United States domestically has committed to over the 
years, and those in the directive, they have been around for 30 
years. They have been pretty enduring. So my guess is it would 
take a couple of years to negotiate it.
    At the WTO, they will--as I said, I think it inevitable 
that they will have to focus on privacy in the context of the 
trade and services assessments that take place every 2 years. 
Now, whether it will be this year or next year, I couldn't tell 
you, but I think it will be imminent that this will have to be 
on the agenda.
    Mr. Towns. Thank you very much, Mr. Chairman. My time has 
expired.
    Mr. Stearns. I thank my colleague.
    Mr. Deal, you are recognized for 5 minutes.
    Mr. Deal. Thank you, Mr. Chairman.
    Well, I omitted saying at the outset thanks to all of you 
for being here. I think we have heard some very good testimony 
and certainly this panel and the preceding panel have given us 
information that is important in our deliberations.
    But I suppose always there is, from our perspective, the 
question of, what is the starting point and what is the goal? 
And I have heard very divergent goals set forth here, and I 
guess I am probably at this point in time coming down on the 
side of saying that our approach maybe should be something 
similar to what the Canadians have done, and similar to what--
the position Mr. Winer has advocated.
    And that is, once we have legislatively determined what 
standards we feel are acceptable and agreeable for our 
constituency as citizens of our country, then we then move to 
the next stage of, do our trading partners agree with that? And 
if they don't, then what modifications, if any, should we come 
to? And, of course, we have not fully come to those 
conclusions.
    And, obviously, Professor Reidenberg, I have a connection, 
too. My son-in-law is a graduate of Fordham, so we will make 
that connection.
    But, obviously, yours is a much more long-term goal of 
having something in a more international context whereby you 
would have an agreement that was enforceable. But for the 
immediacy of the problem, I think we would all recognize that 
that is fraught with great difficulties.
    Obviously, some who are members of WTO think that 
government should know everything, and some of us think they 
should know nothing. And I think it would be very difficult in 
a short timeframe to come to a standard that would perhaps be 
acceptable without major deviations from it or exceptions 
carved out of it.
    I think from my perspective, our focus should be, in the 
short term, let us decide what standards our people want, and 
then, if at all possible, try to mesh those with our trading 
partners as they now exist. If those can be done, it seems to 
me then we have a very workable base from which to move to a 
broader WTO-type concept. Am I looking at it in an unrealistic 
fashion?
    Mr. Aaron. I don't think so, Mr. Deal. I think that one of 
the difficulties that I had in negotiating the safe harbor is 
that we really didn't have anything to sort of say, ``This is 
where we are.''
    Mr. Deal. Right.
    Mr. Aaron. And so I had to kind of negotiate off of their 
sheet of music. It would have been much better for me, as well 
as I think for the country, if we had had something of our own.
    The one thing, I would make one comment about the Canadian 
rules. They are really designed--they are very much in the mold 
of the European ones, and they have very strong enforcement 
provisions. And that is the one thing that I think is going to 
be very difficult for the United States.
    We looked at this back in the 1970's, at an idea of a 
comprehensive privacy program, what the privacies are, and all 
that kind of stuff. And we came to the conclusion that this 
might well threaten people's privacy. I mean, somebody 
independent----
    Mr. Deal. We don't want to tell anybody, so he can decide.
    Mr. Aaron. Yes. I mean, this is--so that very key thing--
and that is the key thing that makes it acceptable to the 
Europeans. So we still have something resembling a square that 
needs to be circled.
    Mr. Deal. Mr. Winer?
    Mr. Winer. Yes, sir. I think if you think of the U.S. 
approach with consumer issues, it is very often an approach of 
fairness in which you want to say, ``Has the person been 
informed about what is going to happen? Has the person 
consented to what is going to happen?'' If you have got a 
situation where somebody has been informed and consented, that 
tends to be acceptable in American commercial and consumer 
context in many, many situations.
    Now, of course, there are situations at the very extremes 
where you want to go beyond that. But informed consent is the 
heart of our system, and seems to me might be a basis for 
proceeding here, sir.
    Mr. Deal. Professor?
    Mr. Reidenberg. Let me come back I think first to your 
original query. I think you are absolutely correct. We first 
have to get our house in order and deal with privacy in the 
United States.
    Part of--and I agree completely with Ambassador Aaron, part 
of the difficulty in dealing with the rest of the world right 
now is that the rest of the world is looking to Europe for 
leadership on privacy and is no longer looking at the United 
States. We used to be the leaders. That is no longer the case.
    So I do think we do, first, indeed have to focus on what 
are the kinds of rights for the American democracy that we need 
to protect in the context of privacy. And in that context, we 
have to do more than just give window-dressing privacy. We need 
enforceable rights that have legal remedies for individual 
citizens who are victimized. That is something that is also 
very typical in the American context.
    And I think that in this area in particular there are some 
instances where informed consent is not likely to be 
satisfactory for us. We find privacy is a political right. 
Privacy has very important political implications, and we don't 
in the United States allow selling of votes. There are 
instances where we should not be in the position of forcing 
citizens to sell their privacy so that they can get an extra 
couple of dollars off. That essentially says rich people have 
privacy and poor people don't, and I don't think, as a society, 
we should accept that in the United States.
    Mr. Deal. Thank you, Mr. Chairman.
    Mr. Stearns. I thank my colleague, and I thank panel two, 
especially for your patience in waiting when we went through 
over an hour of voting. I appreciate your attendance, and I 
thank my colleagues for staying with us. This is very nuanced 
debate that will continue.
    With that, the committee is adjourned.
    [Whereupon, at 3:13 p.m., the subcommittee was adjourned.]