Commerce Department tries to boost 'safe harbor' adoption

www.computerworld.com –

WASHINGTON -- The U.S. Department of Commerce thus far has signed up only 12 companies and organizations to support the "safe harbor" data-privacy provisions it negotiated with European officials. But Commerce Department officials yesterday said they hope an upcoming series of explanatory seminars will increase that number and bolster the legitimacy of the safe harbor arrangement.

Representatives from the government and the private sector will take part in the seminars, which are aimed at informing U.S.-based companies about the new provisions and providing advice on how to develop corporate data privacy policies that are necessary in order to be eligible for legal protection from stringent European privacy laws.

Commerce Department officials said at a briefing here that the first seminar is scheduled to take place Jan. 25 in Palo Alto, Calif., with others due to follow next month in New York, Washington and Dallas. The federal agency has also set up a new Web site that provides detailed information about the safe harbor deal along with a form companies can use to certify themselves under the agreement.

The safe harbor provisions went into effect Nov. 1 and are designed to provide privacy-related legal protections to U.S. companies that do business in Europe and gather personal information about employees and customers who live there. Member countries of the European Union adopted privacy laws that go far beyond current U.S. regulations in 1998, leading to two years of negotiations before the safe harbor provisions were finalized.

But adoption of the guidelines by U.S. companies has been slow. The most noteworthy names on the list of 12 organizations that have been certified to date are business and consumer data provider Dun & Bradstreet Corp. and San Jose-based privacy watchdog Truste, which last fall announced that it would offer a seal of approval to companies that promise to adhere to the guidelines.

No major Internet companies or technology vendors have signed up thus far, government officials said yesterday while acknowledging that increased support is necessary for the safe harbor agreement to be successful.

"We need more than 10 or 12 [adherents], and we hope to increase that number," said Michelle O'Neill, deputy assistant secretary for IT at the Commerce Department. "This is a tough agreement to swallow, but we want to get the message out, especially to small businesses." O'Neill wouldn't say how many companies the department wants to sign up.

One reason companies aren't acting more quickly is that they first want to make sure they've considered all the possible ramifications, especially those concerning potential legal liabilities, said Lauren Hall, executive vice president of the Software & Information Industry Association (SIIA). But she added that some members of the Washington-based SIIA are close to becoming certified under the safe harbor program.

"We're confident that we can raise the profile of the safe harbor [agreement] over the next sevveral months and encourage companies to look at it carefully and give them the information that they need to make a good decision," Hall said. Nonetheless, she said there are "better solutions" for some companies than signing up to support the provisions.

Another reason companies aren't certifying themselves is that the European Union's data privacy directive has no legal standing beyond Europe, said Timothy Deal, senior vice president of the U.S. Council for International Business (USCIB), a Washington-based business lobbying group that represents about 300 companies and trade associations.

The SIIA and the USCIB both plan to take part in the upcoming safe harbor seminars, along with San Francisco-based law firm Morrison & Foerster LLP.

Some officials in Europe, including members of the European Parliament, have been skeptical that the safe harbor deal will be effective enough in protecting the privacy of citizens there. But the European Commission last summer agreed to recognized the provisions as adequate safeguards under the region's privacy laws.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies