[Federal Register Volume 64, Number 77 (Thursday, April 22, 1999)]
[Notices]
[Pages 19747-19748]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-10145]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration


Reports and Guidance Documents; Availability etc.; European 
Union's Directive on Data Protection; Compliance Guidance for U.S. 
Organizations

AGENCY: International Trade Administration, U.S. Department of 
Commerce.

ACTION: Notice of publication.

-----------------------------------------------------------------------

SUMMARY: The Department of Commerce has been working very closely over 
the last several months with the European Commission to develop clear 
and predictable guidance to U.S. organizations that would enable them 
to comply with the European Union's Directive on Data Protection. The 
Directive, which went into effect late last year, allows the transfer 
of personally identifiable data to third countries only if they provide 
an ``adequate'' level of privacy protection. Because the United States 
relies largely on a sectoral and self-regulatory, rather than 
legislative, approach to effective privacy protection, many U.S. 
organizations have been uncertain about the impact of the ``adequacy'' 
standard on personal data transfers from European Community countries 
to the United States.
    Last Fall, the DOC proposed a safe harbor for U.S. companies that 
choose to adhere to certain privacy principles. As the DOC explained 
then, the principles are designed to serve as guidance to U.S. 
organizations seeking to comply with the European Union Directive. 
Organizations within the safe harbor would have a presumption of 
adequacy and data transfers from the European Community to them would 
continue. Organizations could come into the safe harbor by self 
certifying that they adhere to these privacy principles. The decision 
to enter the safe harbor is entirely voluntary. As a result of the safe 
harbor proposal, the European Union announced last Fall its intention 
to avoid disrupting data flows to the US so long as the US is engaged 
in good faith negotiations with the European Commission.
    Last November, the DOC issued draft principles for review and 
comment by interested organizations, noting that the content of the 
principles was of course crucial to the proposal. The DOC received 
numerous written comments in response to that draft and countless 
additional comments and suggestions in the subsequent months through 
extensive discussions with interested parties. Generally, the comments 
the DOC received supported the safe harbor concept. They also raised 
concerns with certain aspects of the principles, particularly access 
and onward transfer.
    Because the principles are quite broad and general, questions were 
also raised about how they would be applied in specific circumstances. 
DOC consultations also made clear that US organizations would welcome 
additional information on the benefits of being in the safe harbor and 
the procedures that would be followed when they were in the safe 
harbor. The comments the DOC received have been extremely valuable both 
in helping the DOC understand how data is protected in practice and in 
working with the European Commission to find appropriate solutions to 
issues raised in DOC/EC discussions.
    Concurrently with DOC discussions with US organizations, the DOC 
has had extensive discussions with the European Commission about the 
content and contours of the safe harbor as well as on the comments 
raised by US organizations. On the basis of our discussions with US 
negotiators and the EU Commission, the DOC has further refined the safe 
harbor principles to account for the many views expressed and those of 
our European counterparts.

New Documents for Review and Comment

    At this point, the two sides have achieved a substantial level of 
consensus on the content of the principles, on the content of more 
specific guidance (FAQs), and safe harbor procedures and benefits. 
Accordingly, the DOC is now issuing for comment by US organizations the 
first tranche of documents that will comprise the relevant safe harbor 
documents. These include: (1) revised safe harbor principles; (2) 
frequently asked questions and answers (FAQs) on access; and (3) a 
draft European Commission document on the procedures that will be 
established for the handling of complaints where the Commission had 
made an adequacy determination, as it will with the safe harbor. (These 
documents are also available on our web site at http://www.ita.doc.gov/
ecom.) In addition to your comments on these documents, the DOC also 
requests your views on the weight to give the FAQs relative to the 
principles.
    The DOC will also be issuing within the week additional FAQs 
addressing certain sectoral concerns, procedural issues, and several 
clarifications requested during DOC consultations. The European 
Commission is also providing these documents to the Member States for 
their comments and review. Additional documents will be put on the ITA 
website as soon as they are available for review.
    All the draft documents are still under negotiation with the 
European Commission. Points of difference between the two sides have 
been identified in footnotes in the text and mark those parts of the 
document that are most likely to be revised further. Please note that 
these principles and the

[[Page 19748]]

accompanying explanatory materials were developed solely for use by US 
organizations receiving personal data from the EU under the safe 
harbor. Consequently, they rely on references to European Union law, as 
for example in defining sensitive information and some of the relevant 
exceptions, which limit their general applicability. For that reason, 
adoption of the principles for other purposes may well be 
inappropriate.

Safe Harbor Benefits

    The Dept. of Commerce would like to highlight the several benefits 
of the Safe Harbor approach. They include:
     All 15 Member States (MS) will bound by US/EC 
understanding;
     The understanding will create the presumption that 
companies within the safe harbor provide adequate data protection 
(rather than the opposite) and data flows to those companies will 
continue;
     MS requirements for prior approval of data transfers 
either will be waived or approval will be automatically granted; and
     US companies will have a transition period to implement 
safe harbor policies.
     Claims against US organizations will for the most part be 
limited to claims of non-compliance with the principles, European 
consumers will be expected to exhaust their recourse with the US 
organization first, and due process will be assured for US 
organizations that are subject to complaints; and
     Generally, only the European Commission, acting with a 
committee of Member State representatives (the Article 31 Committee), 
will be able to interrupt personal data flows from an EU country to a 
US organization.
    In addition to the documents made available today and next week, 
the final package of safe harbor documents will include the European 
Commission's Article 25.6 decision, letters from the Department of 
Commerce to the European Commission and a reply letter from the 
Commission to the Department of Commerce, and memoranda describing 
enforcement authority in the US for unfair and deceptive practices and 
European Union Member State enforcement procedures involving data 
protection claims. Please remember to check the website http://
www.ita.doc.gov/ecom for postings of additional documents.
    Document Availability: April 19, 1999 at URL; http://
www.ita.doc.gov/ecom. If you would like to speak to someone or want 
hard copies of the documents please call Brenda Carter-Nixon on (202) 
482-5227.
    Address Comments: Please submit comments on any of the draft 
documents to the Department of Commerce by May 10, 1999. DOC requests 
that all comments be submitted electronically in an HTML format to the 
following email address: E[email protected]. If organizations do not 
have the technical ability to provide comments in an HTML format, they 
can forward them in the body of the email, or in a Word or WordPerfect 
format. The DOC intends to post all comments on the ITA/ECOM website.
    If necessary, hard copies of comments can be mailed to the 
Electronic Commerce Task Force, U.S. Department of Commerce, Room 2009, 
14th and Constitution Ave., NW, Washington DC 20230, or faxed to 202-
501-2548.

    Dated: April 19, 1999.
Eric Fredell,
International Trade Specialist, International Trade Administration/
Trade Development.
[FR Doc. 99-10145 Filed 4-20-99; 2:35 pm]
BILLING CODE 3510-DR-P