January 10, 2001, 3:03 PM — The Department of Commerce has signed up only 12 companies and organizations so far for its hard-fought "safe harbor" protections on data privacy, but government officials Thursday said they believe a series of planned seminars will increase the number and bolster the protections' legitimacy.
Experts from the U.S. government and the private sector will lead the seminars, which are designed to inform companies about safe harbor protections and advise them on how to develop privacy policies necessary to become eligible to enter the safe harbor.
Safe harbor went into effect Nov. 1, 2000 and is designed to provide some legal protection to U.S. companies and organizations that, as part of their European operations, gather personally identifiable data about people living there, including employees and customers. Safe harbor is designed to adequately meet the European Union's 1998 data privacy directive, which is more stringent than current U.S. privacy law.
No major Internet or high-tech companies are among the 12 organizations that have been certified. The most noteworthy names on the list are Dun & Bradstreet, whose business involves collecting, selling and maintaining business-centric data from numerous clients worldwide, including many in Europe, and TRUSTe, a nonprofit privacy watchdog organization.
"We need more than 10 or 12 and we hope to increase that number," Commerce Department Deputy Assistant Secretary for information technology Michelle O'Neill said at a Thursday briefing. "This is a tough agreement to swallow, but we want to get the message out, especially to small business."
O'Neill stopped short of saying how many companies the department hopes to sign up.
One reason companies are not being certified is that they want to make sure they have considered all possible scenarios, especially those concerning liability, before they sign on the dotted line, said Lauren Hall, executive vice president of the Software and Information Industry Association (SIIA). There are a number of SIIA members who are very close to becoming certified under the safe harbor program, Hall added.
"We are confident that we can raise the profile of the safe harbor over the next several months and encourage companies to look at it carefully and give them the information that they need to make a good decision," Hall said. "For some of them, there are better solutions."
Another reason companies are not entering safe harbor is because they are not ready to endorse it and because the EU data privacy directive has no authority beyond Europe, said Timothy Deal, senior vice president of the U.S. Council for International Business in Washington.