New 4/26/02
In October of 1998, the European Union (EU) enacted a sweeping privacy law prohibiting the transfer of personal data to the United States and other non-EU countries that do not meet the EU standard for adequate privacy protection. The difference in the EU’s and United States’ privacy policies presents substantial difficulties for United States companies dealing with Europe, particularly those with branches in the EU, and threatens to disrupt data transmission making it difficult if not prohibitively expensive to conduct business in Europe. For example, basic information about a company’s employees would not be transferable to the US, and accountants would not be able to perform consolidated audits for multi-national firms with offices in Europe and the US. The US and EU have taken steps to conclude a “safe harbor” Data Privacy Accord that will protect consumers’ privacy and maintain data flows and the right environment for e-commerce. The safe harbor is a mechanism that enables the EU to certify through an exchange of documents that participating US companies meet the EU requirement for adequate privacy protection. Participation in the safe harbor is voluntary and organizations need to agree to adhere to the privacy requirements laid out in the safe harbor document for all data received from the EU. For example, under the safe harbor principles a company can only transfer or sell personal data to another company with the explicit agreement of the subject of the data and will also have to allow the data-subject reasonable access to his personal data to review it and possibly correct it. The principles will also ensure adequate enforcement to provide proper compliance. Companies wishing to adhere to the principles will sign up with the Department of Commerce and be placed on a database available to the public over the Internet.