IEEE TRANSACTIONS ON PROFESSIONAL COMMUNICATION, VOL. 49, NO. 1, MARCH 2006
Safe Harbor and Privacy Protection: A Looming Issue for IT Professionals
MIKE MARKEL
Abstract: The 25 European Union (EU) Member States require that their residents' personal information not be transferred to countries that do not protect that information adequately. In 2000, the EU ruled that the United States (US), through its voluntary Safe Harbor program, met that requirement. Since that time, however, the EU has charged that many US companies that claim to be in compliance with Safe Harbor policies are not. In this article, I report on a study of the privacy-policy statements of 20 randomly selected US companies that claim to be in compliance. Of the 20, 19 are not in compliance. This study argues that as EU Member States begin to examine Safe Harbor carefully, they are likely to force US companies to adhere to more stringent privacy policies. The burden of this adherence will be borne by US IT professionals.

Index Terms: Data privacy, data protection, Department of Commerce, European Commission, information technology (IT), international trade, Safe Harbor.

Every week, the news media report another incident of privacy violation. Sometimes, hackers penetrate a company's database, grabbing sensitive customer information. Sometimes, laptops or storage media are lost or stolen, raising fears that the data might be compromised. On occasion, the privacy violation is a new technological innovation or business practice, such as Google's Gmail, which reads customer emails and inserts targeted ads.
Privacy is the subject of a decade-long confrontation between officials of the United States (US) and the European Union (EU). In 1995, the EU issued Directive 95/46/EC, commonly called the Data Protection Directive [1], [2]. The purpose of the Directive, which went into force in 1998, was to direct EU Member States to "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data" [1, p. 2]. The Directive defines PERSONAL DATA as "any information relating to an identified or identifiable natural person," and PROCESSING as "any operation or any set of operations which is performed upon personal data . . ." [1, p. 8].

Article 25 of the Directive states that "the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if . . . the third country . . . ensures an adequate level of protection" [1, p. 15]. What Article 25 means is that, if the US companies' protection of personal data were considered inadequate, the 25 EU Member States, with a population of 450 million, would be required to prohibit their citizens from doing business with those US companies. EU citizens would not be permitted to buy tickets on US airlines, buy services from US banks and financial-services companies, or buy goods from US-based e-commerce sites. In short, the EU Directive posed an enormous bureaucratic threat to US-EU trade.

Manuscript received June 20, 2005; revised August 29, 2005. The author is with the Department of English, Boise State University, Boise, ID 83725 USA (email: mmarkel@boisestate.edu).

IEEE DOI 10.1109/TPC.2006.870462
This confrontation is based on different views on the meaning and importance of privacy. The EU views the privacy of personal information as a fundamental human right that deserves protection by law. By contrast, the US sees some kinds of personal information (such as a person's medical information or a child's personal information) as deserving of legal protection but other kinds of personal information (such as financial information) as commodities that a person may choose to conceal or reveal. However, this decade-long struggle between the US and the EU is not merely an abstract philosophical question; it affects a growing share of the hundreds of billions of dollars of annual trade between the US and the EU.
High-level negotiations between US and EU officials began soon after the EU published its 1995 Directive. In 2000, the US announced its Safe Harbor Privacy Policy [3]. Issued by the US Department of Commerce (DoC), Safe Harbor is a set of privacy guidelines that individual US companies could pledge to comply with, guidelines that would satisfy the EU that those companies provided adequate protection for personal information transferred from the EU. Safe Harbor succeeded: the EU ruled that its residents were entitled to do business with US companies that pledge to comply with Safe Harbor.
0361-1434/$20.00 © 2006 IEEE
However, the EU has never been fully satisfied with Safe Harbor, for two main reasons. First, Safe Harbor is voluntary. A company simply decides whether to declare that it complies with Safe Harbor principles. As of today, five years after the introduction of Safe Harbor, fewer than 700 US companies have done so [4]. Second, Safe Harbor is self-certifying. No US government agency investigates whether the company in fact complies with Safe Harbor, or even whether its privacy-policy statement reflects Safe Harbor principles. In various official progress reports about Safe Harbor, EU officials have claimed that the privacy policies of many US companies that say they comply with Safe Harbor in fact do not. (For more on the history of Safe Harbor and the EU Directive, see [5].)
Why should IT professionals in the US care about Safe Harbor? Writing in Computerworld, Frank Hayes argues that although the decision whether to comply with Safe Harbor will be made at a corporate level, most of the steps needed to comply will be taken in the IT department [6]. IT will need to monitor all the customer information, digital and analog, that is dispersed within the company, collate it, and prepare it to be presented in clear English to enable any EU resident to see and correct his or her personal information quickly and easily. Hayes makes one other point: IT people need to figure out how to do this now, because when corporate leaders decide to do it, they will want it done immediately.

In this essay, I investigate the EU's claim by studying a small set of privacy-policy statements published by US companies that have declared that they comply with Safe Harbor. I begin by describing the major provisions of Safe Harbor and the EU's increasingly frustrated official comments about Safe Harbor. Then, I study the set of privacy policies. Finally, I describe the implications of this conflict for IT professionals in US companies.

THE MAJOR PROVISIONS OF SAFE HARBOR

The two main documents on the Safe Harbor section of the US DoC website that describe Safe Harbor are the "Safe Harbor Privacy Principles Annex" and a set of 15 Frequently Asked Questions. The site also includes the Safe Harbor List, a list of some 700 companies that have pledged to comply with the program. This list is updated periodically, although the site does not specify the frequency or schedule of the updating.
The Text of the Safe Harbor Documents

The core of the Safe Harbor framework is seven privacy principles [7]:

(1) Notice: Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers for limiting its use and disclosure.

(2) Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

(3) Onward Transfer (Transfers to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles. The organization must also ensure that the third party subscribes to the safe harbor principles or is subject to the [EU] Directive or another adequacy finding, or enter into a contractual agreement with the third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.

(4) Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

(5) Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

(6) Data integrity: Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

(7) Enforcement: In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.

This and other documents on the site explain other provisions of Safe Harbor, four of which are important to this study:

- A company's request to be put on the Safe Harbor list, and its appearance on this list pursuant to that request, "constitute a representation that it adheres to a privacy policy that meets the Safe Harbor privacy principles" [7].
- Companies must state in their relevant published privacy policy statements that they adhere to the Safe Harbor Principles, the privacy-policy statements must be "clear, concise and easy to understand," and the company must provide an accurate and publicly available location for their applicable privacy statement [8].
- Each company is required to appoint a "contact point [a person] for the handling of questions, complaints, access requests, and any other issues arising under the Safe Harbor" [8].
- For resolution and enforcement in cases of disputes between individuals and companies, companies may pledge to accept the ruling of the relevant EU data-privacy officials or accept the ruling of a private US dispute-resolution organization.

"Helpful Hints Prior to Self-Certifying to the Safe Harbor" [8] lists organizations that companies might consider enlisting, including BBB [Better Business Bureau] OnLine, TRUSTe, AICPA [American Institute of Certified Public Accountants], WebTrust, the Direct Marketing Association, the Entertainment Software Rating Board, JAMS [Judicial Arbitration and Mediation Services], and the American Arbitration Association. More informative than the texts of the Safe Harbor documents, however, are their subtexts.

The Subtext of the Safe Harbor Documents

The rhetoric of the Safe Harbor documents suggests that the US DoC views the EU Directive as unreasonable, and that US companies should do as little as possible to satisfy the letter of the Directive.
This view is apparent in the "Safe Harbor Workbook," which presents the background of the EU Directive and of Safe Harbor. In explaining the US approach to privacy, the Workbook describes privacy protection not as ethical practice but as good business:

In the United States, the importance of protecting the privacy of individuals' personal information is a priority for the federal government and consumers. Consumers repeatedly cite fears that their personal information will be misused as a reason for not doing business online. In this way, moves to bolster on-line privacy protect consumer interests and fuel the broader growth of on-line communications, innovation, and business. Self-regulatory initiatives are an effective approach to putting meaningful privacy protections in place. In certain highly sensitive areas, however, legislative solutions are appropriate. These sensitive areas include financial and medical records, genetic information, Social Security numbers, and information involving children. [9]

Notice that although the first sentence of this statement refers to privacy protection for individuals, in the next two sentences individuals become consumers. Sentence four claims, counterintuitively in my view and without explanation or evidence, that self-regulation is effective. The failure to argue this point is puzzling, considering that the occasion for devising Safe Harbor in the first place is that the EU believes that self-regulation is ineffective.

This US pro-business stance is visible in every reference to the EU Directive. For example, the "Safe Harbor Overview" states that

The safe harbor, approved by the EU in 2000, is an important way for U.S. companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. Certifying to the safe harbor will assure that EU organizations know that your company provides adequate privacy protection, as defined by the Directive. [7]
The Safe Harbor Workbook offers this advice on how to select a dispute-resolution organization:

When evaluating a third-party service, keep your own business processes in mind. Make sure that the services offered provide your customers the assurance that they seek and your organization the support it needs without impeding your regular operations. [9]

The second sentence in this passage is quite revealing, in two ways. First, it uses the word "assurance" in a misleading way. Throughout the Safe Harbor documents, "assure" and "ensure" are used interchangeably, as if to assure someone that their privacy will be protected is the same as to ensure that their privacy will be protected. This is not a quibble about usage, because the use of "assurance" in this passage enables readers to infer that the real purpose of retaining the dispute-resolution service is to appear to satisfy the customers' concerns, rather than to make sure the problem is solved by keeping the individual's information private. Second, the advice to make sure the dispute-resolution service does not impede "your regular operations" enables readers to draw the unhappy inference that the company will not experience any added burdens, even at the start. Wouldn't it be more reasonable to assume that doing things differently might indeed require impeding your regular operations to some extent, at least in the short run?

There is still one more dubious passage. Earlier I quoted the section from the Safe Harbor Workbook stipulating that a company's request to be included on the Safe Harbor list constitutes a representation that it adheres to Safe Harbor. The following passage appears in the introduction to the Safe Harbor List:

In maintaining the list, the Department of Commerce does not assess and makes no representation as to the adequacy of any organization's privacy policy or its adherence to that policy. Furthermore, the Department of Commerce does not guarantee the accuracy of the list and assumes no liability for the erroneous inclusion, misidentification, omission, or deletion of any organization, or any other action related to the maintenance of the list. [4]

So much for assurances.
This grudging approach to Safe Harbor dates to the program's planning stages. When David L. Aaron, Undersecretary of Commerce for International Trade, circulated an initial draft of Safe Harbor on 4 November 1998, he addressed his letter "Dear Industry Representatives." The letter includes this passage:

Please note that these principles are designed to facilitate a bilateral understanding between the US and European Community and thus to enhance commerce between the US and the European Community. They are not intended to govern or affect US privacy regimes, which are being addressed by other government and private sector efforts. Adoption of the principles is voluntary and their use is intended solely by US organizations receiving personal data from the European Union for the purpose of qualifying for the safe harbor. [10]

Many industry representatives did respond to Ambassador Aaron's call for comments, presenting technical arguments for revising certain aspects of the Safe Harbor draft. Also responding were many privacy and information-policy consultants, among them Robert Gellman. On 12 November 1998, Gellman wrote, in part:

The salutation of Ambassador Aaron's letter is telling. It says "Dear Industry Representative." The letter is clearly not addressed to organizations that represent consumers, privacy advocates, Internet users, or ordinary citizens. Any observer of the process for soliciting comments could easily conclude that the Department is only interested in the views of carefully selected members of the American business community and that it has no particular interest in the views of other parts of the business community or any other segment of American society. [11]

Gellman went on to summarize his argument against the Safe Harbor draft:

The principles of fair information practices were largely invented here in the United States, and the federal government has operated successfully under them for almost 25 years. Businesses in Europe, including many subsidiaries of American corporations, function successfully under data protection regimes. The goal should be finding ways that we can address data protection here in a practical manner rather than to seek broad exemption from basic principles. [11]

EU ASSESSMENT OF SAFE HARBOR

The EU's growing frustration with Safe Harbor is apparent in three major documents published over the last five years: the approval of Safe Harbor (2000); a working paper assessing Safe Harbor's implementation (2002); and its formal assessment of its implementation (2004).
2000 Approval by EU

On 26 July 2000, the EU ruled that Safe Harbor constitutes adequate protection, and therefore that the data flow of personal information from the EU to US companies would not be interrupted [12]. The EU decision was subject to several expected qualifiers:

- that the organization receiving the data "has unambiguously and publicly disclosed its commitment to comply with the Principles implemented in accordance with the FAQs";
- that the organization "is subject to the statutory powers of a government body in the United States . . . which is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals, irrespective of their country of residence or nationality, in case of noncompliance with the Principles . . .";
- that the EU could review its decision in light of future developments that cause it to question whether Safe Harbor is achieving its ends;
- that individual EU Member States could stop the flow of personal information to US signatories to Safe Harbor if they concluded that those companies were not in compliance with Safe Harbor.

The tone of the letter from the chief EU official, John F. Mogg, to the DoC official is diplomatic and cordial, as this excerpt suggests:

Our dialogue has proved extremely useful in clarifying rules and practices on both sides, identifying much common ground and exchanging information on procedures. The continuation of this dialogue would seem desirable, on a periodic basis and/or when a particular problem makes it necessary. This will allow us to continue to exchange information on relevant developments concerning the implementation of Articles 25 and 26 and developments in the United States, in line with our general commitment to regulatory co-operation in the context of the TransAtlantic Economic Partnership. [13]
2002 Working Paper

In a progress report dated 13 February 2002 [14], the EU registered two main concerns about the implementation of Safe Harbor:

- "A substantial number of organizations that have self-certified adherence to the Safe Harbour do not seem to be observing the expected degree of transparency as regards their overall commitment or as regards the contents of their privacy policies. Transparency is a vital feature in self-regulatory systems and it is necessary that organizations improve their practices in this regard" [14, p. 2]. The document notes that fewer than half the companies post privacy policies that reflect the seven principles of Safe Harbor.
- "A wide array of sanctions to enforce Safe Harbour rules exist under dispute resolution mechanisms. But not all dispute resolution mechanisms have indicated publicly their intention to enforce Safe Harbour rules and not all have in place privacy practices applicable to themselves that are in conformity with the Principles, as required by Safe Harbour rules" [14, p. 2].

Calling this situation a case of "teething problems" [14, p. 3], the 2002 document reiterates that the EU will "continue to cooperate with the Department of Commerce in encouraging US organizations to join and to insist on a rigorous respect for the transparency requirements of the Safe Harbour" [14, p. 3]. "It is only through the vigilance and enforcement action of the relevant public authorities in the US," the EU document states, "that the arrangement will remain credible and serve its purpose as a guarantee of adequate protection for personal data transferred from the EU to the US" [14, p. 11].

2004 Three-Year Assessment

The three-year assessment [15], published in 2004, shows increasing frustration with the DoC's oversight of Safe Harbor. Table I presents the major sources of unhappiness expressed by the EU.

TABLE I MAJOR EU CONCERNS IN THE 2004 ASSESSMENT OF SAFE HARBOR
The 2004 assessment also includes a set of recommendations to the DoC:

- Respect the Safe Harbor principles.
- Be more proactive in publicizing Safe Harbor and ensuring that companies that say they adhere to it in fact do.
- Be more proactive in launching investigations where questions exist regarding Safe Harbour compliance.
- Provide more specific guidance about Safe Harbor, including guidelines or best practices on how to draft privacy policies that comply with Safe Harbor.

In short, the testy 2004 assessment suggests that the EU privacy officials are quite frustrated with Safe Harbor. The central problem is that the US is doing exactly what it said it was going to do: create a voluntary, self-certifying set of principles but take no affirmative action unless it receives complaints.

TABLE II CHARACTERISTICS STUDIED IN PRIVACY POLICIES ON WEBSITES OF SELECTED COMPANIES THAT CLAIM COMPLIANCE WITH SAFE HARBOR
AN ANALYSIS OF SELECTED SAFE-HARBOR PRIVACY-POLICY STATEMENTS

On 26 and 27 May 2005, I investigated the privacy-policy statements of selected companies that are listed on the DoC Safe Harbor list. I used the following methods:

(1) Using Research Randomizer, I generated a random list of ten companies on the Safe Harbor list [16]. I chose a small number to determine whether the EU claims about lack of compliance were credible.

(2) I studied the privacy-policy statement on each company's site, looking for the characteristics noted in Table II.

(3) Using Research Randomizer [16], I generated a random list of an additional ten companies from the Safe Harbor list and studied their privacy policies. I selected these additional ten companies because my first set of ten did not yield any that were in compliance.

(4) I emailed the privacy official or body listed in each of the twenty sites, with this body text: "I am a university professor studying the Department of Commerce's Safe Harbor privacy program. Would you please tell me whether you consider your company to be in compliance with the Safe Harbor program? Thank you." If no email link was listed, I wrote a business letter. My purpose was to determine whether the company had in place an official responsible for responding to questions about its privacy policy, as stipulated in the Safe Harbor documents.

TABLE III NONCOMPLIANCE WITH SAFE HARBOR: HALF OF THE FIRST SET OF TEN COMPANIES
Tables III and IV present my findings for the first randomly selected set of ten companies on the Safe Harbor list. For each company, I present the major areas of noncompliance, using the numbering system presented in Table II. That is, if the company fails to present a link to its privacy-policy statement on its home page, I number that area of noncompliance as 1.
Because the results from my study of ten randomly selected companies showed an overwhelming lack of compliance, by companies that stated they are in compliance, I decided to randomly select and study another set of ten companies. I present the results in Table V.

CONCLUSION

Although these results on their face present an embarrassing picture of Safe Harbor compliance by companies that claim to be in compliance, this study is subject to several limitations.
The most obvious limitation is that it examines a rhetorical and legal issue that is two removes away from the truly important question of how companies protect their customers' personal information. That is, I looked only at how these 20 companies described their privacy policies. I did not gain access to any of these companies' private operations to determine how companies in fact treat personal information. The overarching objective in examining privacy-policy statements is not, of course, to study the statements, or even company policies. It is to study the company's practices. Unfortunately, it is impossible to examine either a company's policies or its practices, except in isolated instances in which a company employee blows the whistle or a plaintiff takes legal action in a court.

TABLE IV NONCOMPLIANCE WITH SAFE HARBOR: REMAINING HALF OF THE FIRST SET OF TEN COMPANIES
TABLE V NONCOMPLIANCE WITH SAFE HARBOR: SECOND SET OF TEN COMPANIES
Beyond this obvious limitation lies another. I looked at only 20 sites, a number too small to allow statistically significant conclusions. In addition, because the privacy-policy statements consist of words, not of precise quantitative data, I had to interpret the often imprecise passages that I record in Tables III, IV, and V. Although I tried to be fair-minded in interpreting these passages, another reader certainly might differ with some of my interpretations. (For an earlier study of the imprecise writing in many privacy-policy statements, see [17].)
Despite these limitations, one conclusion seems to me to be incontestable: of the 20 privacy-policy statements that I studied, 19 are literally noncompliant. By this I mean that they violate, in at least one way, the EU's stipulation that such statements be clearly and simply written and that they address certain issues. In almost all 19 cases, they violate this stipulation in more than one way.

To be precise, we can say that it is logically possible that all 20 companies have privacy policies in place that protect customers' personal information. And we can say that it is logically possible that all 20 companies follow practices that protect their customers' personal information, as required by Safe Harbor.

However, these possibilities seem unlikely. If 19 of the 20 companies are unable or unwilling to publish compliant statements, I think it improbable that many of these companies achieve the more difficult task of creating compliant policies, and even more improbable that they achieve the considerably more difficult task of acting in compliance with Safe Harbor.
My guess is that, in all likelihood, the EU 2004 assessment understates the noncompliance and that a healthy majority of US companies that claim they act in compliance with Safe Harbor do not.
Why should IT professionals follow legal developments in the Safe Harbor story? I think there are two reasons.
First, Americans are concerned about data privacy. Perkins and Markel review the data that suggest that public skepticism about privacy is a significant drag on e-commerce [5]. And as more and more privacy breaches hit prominent US companies, the American public is likely to become increasingly concerned. At this point, the US public only dimly understands the meaning of privacy-policy statements. According to a recent report from the Annenberg Public Policy Center, three quarters of the US internet-using public believes that if a company has a privacy policy, "it means the site will not share my information with other websites and companies" [18, p. 30]. At some point, the US public will begin to take the issue more seriously, forcing companies to implement stricter privacy policies to remain competitive.

Second, European data-protection officials are likely to become more aggressive in examining US companies' statements, policies, and practices. Mark Schreiber, an attorney in the US, writes that some data transfers from the EU to US companies are already being delayed or denied by EU data-protection authorities [19]. Several EU Member States, including Holland, Austria, Portugal, Sweden, and Italy, have recently authorized new sanctions, including prison terms, for violation of their privacy laws.
It is possible, of course, that EU companies will not take significant, widespread legal action against US companies or that they will rarely win. It is possible that Safe Harbor will remain what the DoC has always said it would be: a voluntary, self-certifying program. After all, the DoC has never tried to hide the fact that it sees Safe Harbor only as a move to placate EU data-protection authorities, and it has steadfastly and consistently rejected EU requests that the DoC monitor the program and take legal action against US companies that claim they comply but do not.
It would be unwise, however, for US IT professionals to trust that the current lax data-protection environment will persist. When corporate management decides to implement a fully transparent privacy policy (in response to a sincere belief that it is the right thing to do, or to competitive pressures, or to legal actions taken by EU data-protection officials), IT professionals will have to act quickly. The IT professional who already understands the EU data-privacy requirements (as well as the gaps between the company's privacy statement, policy, and practices) will most likely succeed in the enormous task of implementing a system that truly protects customer data.
REFERENCES
[1] European Union. (1995, Oct.) Directive 95/46/EC of the European Parliament. [Online]. Available: http://europa.eu.int/comm/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
[2] European Union. (1995, Oct.) Directive 95/46/EC of the European Parliament. [Online]. Available: http://europa.eu.int/comm/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part2_en.pdf
[3] US Department of Commerce. (2000) Safe Harbor Agreement. [Online]. Available: http://www.export.gov/safeharbor
[4] US Department of Commerce. (2000) Safe Harbor List. [Online]. Available: http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list
[5] E. Perkins and M. Markel, "Multinational data-privacy laws: An introduction for IT managers," IEEE Trans. Prof. Commun., vol. 47, no. 2, pp. 85–94, Jun. 2004.
[6] F. Hayes. (2000, Nov.) Beyond Safe Harbor. Computerworld [Online]. Available: http://www.computerworld.com/securitytopics/security/story/0,10801,53350,00.html
[7] US Department of Commerce. (2000) Safe Harbor Overview. [Online]. Available: http://www.export.gov/safeharbor/sh_overview.html
[8] US Department of Commerce. (2000) Helpful Hints Prior to Self-Certifying to the Safe Harbor. [Online]. Available: http://www.export.gov/safeharbor/helpful_hints.html
[9] US Department of Commerce. (2000) Safe Harbor Workbook. [Online]. Available: http://www.export.gov/safeharbor/sh_workbook.html
[10] D. L. Aaron. (1998, Nov.) Presentation to International Trade Administration Electronic Commerce Task Force. [Online]. Available: http://www.ita.doc.gov/td/ecom/aaron114.html
[11] R. Gillman. (1998, Nov.) Comments of Robert Gellman on the Department of Commerce International Safe Harbor Privacy Principles. [Online]. Available: http://ita.doc.gov/td/ecom/comabc.htm
[12] European Commission. (2000) Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the Safe Harbor Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce. [Online]. Available: http://europa.eu.int/eurlex/lex/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML
[13] J. F. Mogg. (2000, Jul.) Letter to Mr. Robert LaRussa. [Online]. Available: http://www.export.gov/safeharbor/EUletter27JulyHeader.htm
[14] European Commission. (2002) Commission Staff Working Paper: The Application of Commission Decision 520/2000/EC of 26 July 2000 Pursuant to Directive 95/46 of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce. [Online]. Available: http://europa.eu.int/comm/justice_home/fsj/privacy/docs/adequacy/sec-2002-196/sec-2002-196_en.pdf
[15] European Commission. (2004) Commission Staff Working Document: The Implementation of Commission Decision 520/2000/EC on the Adequate Protection of Personal Data Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce. [Online]. Available: http://europa.eu.int/comm/justice_home/fsj/privacy/docs/adequacy/sec-2004-1323_en.pdf
[16] G. C. Urbaniak and S. Plous. (2005) Research Randomizer. [Online]. Available: http://www.randomizer.org/form.htm
[17] M. Markel, "The rhetoric of misdirection in corporate privacy-policy statements," Tech. Commun. Quart., vol. 14, no. 2, pp. 197–214, 2005.
[18] J. Turow, L. Feldman, and K. Meltzer. (2005, Jun.) Open to Exploitation: American Shoppers Online and Offline: A Report From the Annenberg Public Policy Center of the University of Pennsylvania. [Online]. Available: http://www.annenbergpublicpolicycenter.org/04_info_society/Turow_APPC_Report_WEB_FINAL.pdf
[19] M. E. Schreiber. (2001) New Privacy Rules and H.R. Compliance. Palmer & Dodge LLP Web site. [Online]. Available: http://www.palmerdodge.com/dspSingleArticle.cfm?ArticleID=364
Mike Markel is Director of Technical Communication at Boise State University, Boise, ID. His latest book is Technical Communication (Bedford/St. Martin's, 7th ed., 2004). From 1994 to 1996, he was the Editor of IEEE TRANSACTIONS ON PROFESSIONAL COMMUNICATION.