The document discusses the U.S. government's approach to privacy in relation to the EU's privacy directive and the Safe Harbor framework. It outlines the differences between the European comprehensive privacy legislation and the U.S. self-regulatory model, providing details on the seven Safe Harbor principles concerning notice, choice, data security, and enforcement. Additionally, it highlights the importance of compliance and provides resources for further information.

1. Privacy and Security in the Information Age Conference, Melbourne, Australia August 16, 2001 The United States Government’s Approach to Privacy: The EU Directive and the Safe Harbor Framework Patricia M. Sefcik U.S. Department of Commerce

2. Privacy in Europe and the U.S. The European privacy system is based on comprehensive legislation. The U.S. privacy system is based on self regulation and sector specific legislation in highly sensitive areas such as financial, medical, children’s and genetic information.

3. Historical Overview: Safe Harbor OCTOBER 1998 EU’s sweeping privacy directive went into effect JULY 2000 Safe Harbor principles are deemed adequate NOVEMBER 1, 2000 Safe Harbor becomes effective DOC launches safe harbor website http://www.export.gov/safeharbor JANUARY 4, 2001 Official Department of Commerce roll-out JANUARY-AUGUST, 2001 Outreach events

4. Safe Harbor Implementation What are the Benefits? Who Can Join and How? How and Where will Safe Harbor be Enforced?

5. The Safe Harbor Framework 7 Privacy Principles 15 FAQ’s European Commission’s adequacy determination Letters between U.S. Dept. of Commerce and the European Commission Letters from U.S. Dept. of Transportation and Federal Trade Commission

6. The 7 Safe Harbor Principles Notice Choice Onward Transfer Security Data Integrity Access Enforcement

7. The Safe Harbor Principles (1) NOTICE Inform individuals about the purpose for which the information is being collected. Inform individuals about how to contact the organizations with inquiries or complaints. Provide information on the types of third parties to which information is being disclosed, and the choices and means offered for limiting its use and disclosure.

8. The Safe Harbor Principles (2) CHOICE An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party, or (b) to be used for a purpose that is incompatible with the purposes for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.

9. The Safe Harbor Principles CHOICE: Sensitive Information For sensitive information (i.e. medical/ health conditions; racial/ethnic origin; political opinions; religious/ philosophical beliefs; trade union membership; sex life), individuals must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized.

10. The Safe Harbor Principles (3) ONWARD TRANSFER To disclose information to a third party, organizations must apply the notice and choice principles. Notice and Choice are not required for data transfers to an agent (someone who acts on behalf of the transferor) if it is first determined by the organization that the agent complies with the safe harbor principles, or is subject to the directive or another adequacy finding, or enters into a written agreement with the organization .

11. The Safe Harbor Principles (4) SECURITY Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction. Organizations must take more care to protect sensitive information, as it is defined in the principles.

12. The Safe Harbor Principles (5) DATA INTEGRITY Personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

13. The Safe Harbor Principles (6) ACCESS Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

14. The Safe Harbor Principles (7) ENFORCEMENT Follow-up procedures for verifying that safe harbor policies and mechanisms have been implemented; Readily available and affordable independent recourse mechanisms to investigate and resolve complaints brought by individuals; Obligations to remedy problems arising out of a failure by the organization to comply with the principles.

15. DIRECT COMPLIANCE WITH THE EU DIRECTIVE CONSENT ENTERING INTO A MODEL CONTRACT Other Ways To Comply With The Directive:

16. Safe Harbor: Next Steps Mid-Year Review “ Visual” Compliance Financial Service Negotiations DPA Visit EU Directive Review

17. CONCLUSION Additional resources are available on the safe harbor website www.export.gov/safeharbor Safe Harbor List (updated regularly) Safe Harbor Workbook Safe Harbor Documents (including Principles, FAQ’s, correspondence) Historical Documents (including public comment)

18. Contact Information Patricia Sefcik, Director Office of Electronic Commerce International Trade Administration U.S. Department of Commerce Room 2003 14th & Constitution Avenues, NW Washington, DC 20230 Tel: (202) 482-0216 Fax: (202) 482-5522 E-Mail: patty_sefcik@ita.doc.gov