January 05, 2001, 3:24 PM — COLUMBUS, OHIO -- The "safe harbor" agreement that was approved last summer in an effort to make it easier for U.S. companies to comply with Europe's stringent data privacy laws went into effect Nov. 1. But many privacy experts predict that businesses will be slow to seek shelter under the new rules negotiated by the U.S. Department of Commerce and European government officials.
According to attendees interviewed last week at the Privacy2000 conference here, many U.S. companies may wait to see if European Union authorities are serious about enforcing their existing privacy laws as well as the safe harbor provisions, which set out a series of guidelines for transferring personal data between the U.S. and the 15 countries that belong to the EU.
Moreover, adhering to the safe harbor principles may put companies in a difficult position regarding domestic concerns about data privacy. Conference attendees said giving European residents access to data collected about them and letting them block any sharing of the information with third parties goes beyond the privacy rights that many businesses currently afford U.S. citizens.
"What happens to your American customers and American employees when they see that your company is providing a higher level of protection to [European residents] than they are to . . . folks here at home?" asked Donald Harris, president of HR Privacy Solutions, a New York-based consulting firm. "I think that is going to create sort of a groundswell of activism and interest and pressure on companies to raise the bar. If these practices are good for Europeans, they're good for Americans."
As early as this week, the Commerce Department plans to set up a Web site that will outline the process for companies to follow when applying to be recognized as adhering to the safe harbor provisions, said Peter Swire, the White House's chief counselor for privacy and a supporter of the U.S.-European agreement.
The deal covers e-commerce transactions and other business interactions with European consumers, as well as the transfer of data about European employees of U.S.-based companies. "If you're taking personal data out of Europe, you want to have a lawful basis for it," Swire said. "The safe harbor is one very achievable way to comply with the law and do your business."
But other attendees at the annual conference, organized by the Ohio Supercomputer Center's Technology Policy Group, said companies may be reluctant to quickly agree to something that will put more demands on their business operations and information technology systems as well as increase their legal risks if they don't follow through and adhere to the safe harbor rules.