HP embraces U.S.-Europe 'safe harbor' privacy deal

By Patrick Thibodeau, Computerworld

Hewlett-Packard Co. this week signed up to adopt the U.S.-Europe "safe harbor" provisions on data privacy, making it the largest company to do so thus far and providing the struggling privacy effort with its biggest boost since the arrangement took effect in November.

Moreover, the computer and software vendor said the safe harbor privacy protections negotiated by the U.S. Department of Commerce and European officials will now be applied to all of its data transactions. That vow could lend credence to the idea that the accord may help raise privacy standards in the U.S., as well as accomplish its main goal of providing a self-regulatory framework for companies doing business in Europe.

The safe harbor agreement provides a manageable legal and ethical means to move data between the U.S. and Europe, said Barbara Lawler, consumer privacy manager at HP. "If corporations are serious about following the self-regulation approach, rather than having to deal with privacy regulations, then this is what they should be looking at," she added.

But to date, only 21 companies have signed up for the voluntary safe harbor certification program, which provides legal protection from Europe's tough privacy laws to U.S. companies that transfer information about employees or customers out of European databases. Commerce Department officials have been trying to boost that number in order to bolster the legitimacy of the safe harbor deal.

Companies that agree to adhere to the safe-harbor provisions have to promise to give European Union residents some basic privacy protections, such as notices about how personal information will be used and the ability to opt in or opt out from having sensitive data disclosed to other businesses. Access to personal data is also guaranteed, as is the right to amend and correct the data.

Most of the companies that have signed up, with the exception of HP and The Dun & Bradstreet Corp. in Murray Hill, N.J., are small to medium-size businesses. Many larger Fortune 500-type companies are still "investigating their options or taking a wait-and-see approach," said Jeff Rohlmeier, a trade official at the Commerce Department.

American companies have been "sort of reluctant to be first out of the box" for fear of being singled out for scrutiny by European authorities, said Barbara Wellbery, who was the principal negotiator of the agreement while she worked at the Commerce Department. "So the more big companies on the list, the better," added Wellbery, who is now an attorney in the Washington office of San Francisco-based Morrison & Foerster LLP.

But Jean Cantrell, Dun & Bradstreet's director of government affairs, said the company has realized immediate benefits by agreeing to the safe harbor provisions. For example, by consolidating a U.K.-based data center with one in New Jersey, the company was able to save a significant amount of money in legal expenses by gaining a waiver for the required data transfers. "I think [the accord is] working in terms of its objective," Cantrell said.

However, the clock is ticking on the agreement. European authorities plan to review U.S. corporate compliance with the provisions this summer, and they possibly could begin enforcement actions against companies that haven't agreed to comply shortly thereafter, according to people familiar with the process.

The safe harbor pact isn't the only option for U.S.-based companies that want to comply with Europe's data protection laws. Companies can also use a "model contract" that guarantees adherence to the regulations and is signed either by a European country's data protection authorities or by individual workers or customers whose data is being transferred to the U.S.

But European officials are still negotiating the wording of the model contracts with the Commerce Department, and an official at the U.S. agency said a final version may not be ready until June.

In addition, the model contracts may turn out to be a less desirable option for companies than the safe harbor provisions because it's possible that the compliance standards built into the contracts will be tougher, said Donald Harris, president of HR Privacy Solutions, a New York-based consulting firm.

Although the safe harbor provisions come close to meeting the data protection standards that some privacy advocates would like to see U.S. companies adopt in general, the self-regulatory approach still falls short of providing adequate safeguards, said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington.
