The Department of Commerce has signed up only 12 companies and organizations so far for its hard-fought "safe harbor" protections on data privacy, but government officials Thursday said they believe a series of planned seminars will increase the number and bolster the protections' legitimacy.
Experts from the U.S. government and the private sector will lead the seminars, which are designed to inform companies about safe harbor protections and advise them on how to develop privacy policies necessary to become eligible to enter the safe harbor.
Safe harbor went into effect Nov. 1, 2000, and is designed to provide some legal protection to U.S. companies and organizations that, as part of their European operations, gather personally identifiable data about people living there, including employees and customers. Safe harbor is designed to adequately meet the European Union's 1998 data privacy directive, which is more stringent than current U.S. privacy law.
No major Internet or high-tech companies are among the 12 organizations that have been certified. The most noteworthy names on the list are Dun & Bradstreet, whose business involves collecting, selling and maintaining business-centric data from numerous clients worldwide, including many in Europe, and TRUSTe, a nonprofit privacy watchdog organization.
"We need more than 10 or 12 and we hope to increase that number," Commerce Department Deputy Assistant Secretary for information technology Michelle O'Neill said at a Thursday briefing. "This is a tough agreement to swallow, but we want to get the message out, especially to small business."
O'Neill stopped short of saying how many companies the department hopes to sign up.
One reason companies are not being certified is that they want to make sure they have considered all possible scenarios, especially those concerning liability, before they sign on the dotted line, said Lauren Hall, executive vice president of the Software and Information Industry Association (SIIA). There are a number of SIIA members who are very close to becoming certified under the safe harbor program, Hall added.
"We are confident that we can raise the profile of the safe harbor over the next several months and encourage companies to look at it carefully and give them the information that they need to make a good decision," Hall said. "For some of them, there are better solutions."
Another reason companies are not entering safe harbor is that they are not ready to endorse it and that the EU data privacy directive has no authority beyond Europe, said Timothy Deal, senior vice president of the U.S. Council for International Business in Washington.
The SIIA, the U.S. Council for International Business and the Washington, D.C., law firm Morrison & Foerster will participate in the seminars, the first of which is scheduled to take place Jan. 25 in Palo Alto. The other two will be held Feb. 7 in New York and Feb. 14 in Dallas. The Commerce Department also has set up a Web site at www.export.gov/safeharbor that provides extensive information about safe harbor and includes a form that companies can use to certify themselves.
Under safe harbor, EU countries accept the notion that organizations that are certified are bound to adhere to seven principles, the most important of which are notice, so the individual knows that data is being collected; access, so that the individual can view the data; and the ability to refuse to allow the data to be collected. Some European officials have been skeptical that safe harbor will be effective because of complicated provisions dealing with redress.
The Commerce Department and the EU negotiated the protections over more than two years, culminating last July when the European Commission said it recognized safe harbor as adequate protection for EU citizens' privacy under the EU's data directive. The safe harbor agreement does not apply to financial services; however, financial service companies can still voluntarily agree to sign up.