Computer World –
COLUMBUS, OHIO -- The "safe harbor" agreement that was approved last summer in an effort to make it easier for U.S. companies to comply with Europe's stringent data privacy laws went into effect Nov. 1. But many privacy experts predict that businesses will be slow to seek shelter under the new rules negotiated by the U.S. Department of Commerce and European government officials.
According to attendees interviewed last week at the Privacy2000 conference here, many U.S. companies may wait to see if European Union authorities are serious about enforcing their existing privacy laws as well as the safe harbor provisions, which set out a series of guidelines for transferring personal data between the U.S. and the 15 countries that belong to the EU.
Moreover, adhering to the safe harbor principles may put companies in a difficult position regarding domestic concerns about data privacy. Conference attendees said giving European residents access to data collected about them and letting them block any sharing of the information with third parties goes beyond the privacy rights that many businesses currently afford U.S. citizens.
"What happens to your American customers and American employees when they see that your company is providing a higher level of protection to [European residents] than they are to . . . folks here at home?" asked Donald Harris, president of HR Privacy Solutions, a New York-based consulting firm. "I think that is going to create sort of a groundswell of activism and interest and pressure on companies to raise the bar. If these practices are good for Europeans, they're good for Americans."
As early as this week, the Commerce Department plans to set up a Web site that will outline the process for companies to follow when applying to be recognized as adhering to the safe harbor provisions, said Peter Swire, the White House's chief counselor for privacy and a supporter of the U.S.-European agreement.
The deal covers e-commerce transactions and other business interactions with European consumers, as well as the transfer of data about European employees of U.S.-based companies. "If you're taking personal data out of Europe, you want to have a lawful basis for it," Swire said. "The safe harbor is one very achievable way to comply with the law and do your business."
But other attendees at the annual conference, organized by the Ohio Supercomputer Center's Technology Policy Group, said companies may be reluctant to quickly agree to something that will put more demands on their business operations and information technology systems as well as increase their legal risks if they don't follow through and adhere to the safe harbor rules.
It will be important for European authorities to first show that they intend to enforce their own data privacy laws against companies based in Europe, said Steve Emmert, director of government affairs at London-based Reed Elsevier PLC, which owns the Lexis-Nexis information service and other businesses.
European officials "just can't pick on U.S. companies and ignore European ones," Emmert said. "You can't have a double standarrd. There's got to be a perceived fairness." If that perception is created, he added, that will give U.S. businesses incentive to adopt the safe harbor rules.
Privacy laws passed in Europe five years ago bar data stored in databases in the EU from being transferred to other countries unless they offer similar privacy protections
-- a requirement that U.S. laws currently don't meet. The safe harbor agreement, which took three years to negotiate, is intended to provide a means for U.S. companies to continue moving data back and forth between Europe and their domestic operations.
Commerce Department officials have described the safe harbor deal as "a landmark accord for e-commerce" transactions between the U.S. and Europe. Companies that ignore the provisions or otherwise reject the idea of complying with Europe's data rules run the risk of being on the receiving end of enforcement actions that could include efforts to block their attempted data transfers.
But European authorities will likely give companies that operate in Europe enough time "to make a good-faith effort" to comply with the safe harbor agreement, said Ruth Nelson, a privacy expert at New York-based PricewaterhouseCoopers. "I think you'll see more enforcement locally in their own countries to show that [the privacy laws there] have teeth," she added.