'Safe harbor' deal takes effect, but adoption may be slow

COLUMBUS, OHIO -- The "safe harbor" agreement that was approved last summer in an effort to make it easier for U.S. companies to comply with Europe's tough data-privacy laws goes into effect today. But many privacy experts predict that businesses will be slow to seek shelter under the new rules negotiated by the U.S. Department of Commerce and European government officials.

According to attendees interviewed yesterday at the Privacy2000 conference here, many U.S. companies may wait to see if European authorities are serious about enforcing the existing privacy laws in that region as well as the safe harbor provisions, which set out a series of guidelines for transferring personal data between the U.S. and the 15 countries that belong to the European Union (see story).

Moreover, adhering to the safe harbor principles may put companies in a difficult position regarding domestic concerns about data privacy. Conference attendees noted that giving European residents access to data collected about them and letting them block any sharing of the information with third parties go beyond the privacy rights that many businesses currently offer to U.S. citizens.

"What happens to your American customers and American employees when they see that your company is providing a higher level of protection to [European residents] than they are to . . . folks here at home?" asked Donald Harris, president of HR Privacy Solutions, a New York-based consulting firm. "I think that is going to create sort of a groundswell of activism and interest and pressure on companies to raise the bar. If these practices are good for Europeans, they're good for Americans."

As early as next week, the Commerce Department plans to set up a Web site that will outline the process for companies to follow in applying to be recognized for adhering to the safe harbor provisions, said Peter Swire, the White House's chief counselor for privacy and a supporter of the U.S.-European agreement.

The deal covers e-commerce transactions and other business interactions with European consumers, as well as the transfer of data about European employees of U.S.-based companies. "If you're taking personal data out of Europe, you want to have a lawful basis for it," Swire said. "The safe harbor is one very achievable way to comply with the law and do your business."

But other attendees at Privacy2000, an annual conference organized by the Ohio Supercomputer Center's Technology Policy Group, said companies may be reluctant to quickly agree to something that will put more demands on their business operations and information technology systems as well as increase their legal risks if they don't follow through and adhere to the safe harbor rules.

It will be important for European authorities to first show that they intend to enforce their own data-privacy laws against companies based in Europe, Steve Emmert, director of government affairs at London-based Reed Elsevier PLC, which owns the Lexis-Nexis information service and other businesses.

European officials "just can't pick on U.S. companies and ignore European ones," Emmert said. "You can't have a double standard. There's got to be a perceived fairness." If that perception is created, he added, that will give U.S. businesses incentive to adopt the safe harbor rules.

Privacy laws passed in Europe five years ago bar data stored in databases in the European Union from being transferred to other countries unless they offer similar privacy protections -- a requirement that U.S. laws currently don't meet. The safe harbor agreement, which took three years to negotiate, is intended to provide a means for U.S. companies to continue moving data back and forth between Europe and their domestic operations.

Commerce Department officials have described the safe harbor deal as "a landmark accord for e-commerce" transactions between the U.S. and Europe. Companies that ignore the provisions or otherwise reject the idea of complying with Europe's data rules run the risk of being on the receiving end of enforcement actions that could include efforts to block their attempted data transfers.

But European authorities will likely give companies that operate in Europe enough time "to make a good faith effort" to comply with the safe harbor agreement, said Ruth Nelson, a privacy expert at PriceWaterhouseCoopers. "I think you'll see more enforcement locally in their own countries to show that [the privacy laws there] have teeth," she added.

As an alternative to the safe harbor agreement, companies can enter into individual contracts with European data protection authorities. But conference attendees said the agreement is aimed at eliminating that contracting process and thus making it easier for companies to comply with the European privacy laws.

Ironically, though, companies that do voluntarily commit to adhering to the safe harbor provisions may help fuel the push for comprehensive privacy legislation in this country, said Jason Catlett, president of Junkbusters Corp., a privacy advocacy organization in Green Brook, N.J. If U.S. companies are providing better privacy protections to European citizens than they are here, Catlett said, "Americans are going to ask why they are second-class citizens in their own country."

Related stories:

For complete coverage of data-privacy issues, head to our Focus on Privacy page.

Copyright © 2000 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon