Across the Divide:  Successfully Navigating Safe Harbor

The 2009 Conference on Cross Border Data Flows, Data Protection and Privacy, entitled:  “Across the Divide: Successfully Navigating Safe Harbor” was held in Washington, D.C. from November 16-18, 2009.  The conference was organized by the United States Department of Commerce with the participation and cooperation of the European Commission and the Article 29 Working Party on Data Protection.

This year’s conference examined Safe Harbor Framework developments in the areas of cross-border electronic discovery, binding corporate rules, privacy compliance, and information security.  Other themes included cross border data sharing during pandemics, privacy by design, strategic information management for the enterprise, social network service providers and behavioral advertising in cloud computing, and global privacy standards. 

Cross-Border E-Discovery Panel

One notable aspect of this year’s conference was the panel on “Cross-Border Discovery Obligations and Data Privacy” moderated by noted privacy expert, Fred Cate of the University of Indiana.  The panel participants included James Daley of Daley & Fey, a boutique firm dealing with international e-discovery, records management and data privacy issues; Stan Crosley, Chief Privacy Officer of Eli Lilly, Lara Ballard, U.S. Department of State, and Kirsten Block, of the German Data Protection Authority.

Daley provided an overview of the culture clash involving differing notions of privacy and discovery, including several examples from his international practice.

Ballard noted the historical and jurisprudential differences between U.S. and European concepts of justice that play a critical foundational role in the tension between data privacy and cross-border discovery.

Crosley explained the practical obstacles that this tension imposes on multi-national corporations, and the undue burden, expense and risk involved in cross-border discovery.

Block outlined the major provisions of the EU Article 20 Working Party’s document WP 158 on cross-border discovery.  She explained that the “legitimate interests” exception of the EU Directive provides a possible framework for resolving many conflicts, but only in a manner that recognizes a proportional response that balances litigation and privacy interests.

The panel noted, among other developments, The Sedona Conference® Working Group 6 Framework for Analysis of Cross-Border Discovery Conflicts, the recent CNIL declaration regarding cross-border discovery issues, and initiatives by the International Chamber of Commerce and APEC, among others.

Practical steps for corporate clients, counsel and courts were another highlight of the panel.  These include:

• Identifying and balancing U.S. risks of incomplete discovery with EU risks of blocking statute violations and EU Directive violations
• Developing and implanting country-specific protocols for processing and transfer of personal data
• Use of local Counsel as liaisons between courts, counsel and corporate data privacy officers
• Encouraging sustained interaction with local Data Protection Authorities
• Safe Harbor Certification, use of Model Contractual Clauses and consideration of Binding Corporate Rules
• Use of U.S. Protective Orders for transfers for EU personal data for litigation purposes

History of Safe Harbor Agreement and Certification Scheme

The Safe Harbor Agreement between the U.S. and European Union was reached in order to address the European Commission’s Directive on Data Protection, effective October 1998, that prohibited the transfer of personal data to non-European Union nations that do not meet the European “adequacy” standard for privacy protection. The EU has deemed the United States as a country that does not have adequate privacy protections for personal data.  While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union.

In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "Safe Harbor" framework.  In brief, U.S. organizations that are regulated by the FTC or Department of Transportation are eligible to certify on an annual basis to the U.S. Department of Commerce that they will abide by certain Safe Harbor principles including consent of EU data subjects for transfers of personal data, providing ongoing rights of access, data security and integrity, and prohibitions against unauthorized onward transfers, among others.

Since 2005, the United States, the European Commission and the Article 29 Working Party on Data Protection have convened annually to review the progress made on the U.S.-EU Safe Harbor Framework and examine the latest developments in compliance, data protection and privacy that have occurred nationally, regionally and globally. This year’s conference continues the commitment between the United States and the European Union regarding the agreement concluded in 2000 on transfers of personal data from the European Union to the United States for commercial purposes. The EU’s Data Protection Directive, implemented in 1998, provides member states with the authority to block such transfers to countries whose privacy enforcement regime does not meet the directive’s requirements. Under the US-EU Safe Harbor Framework, the United States received an “adequacy” determination from the European Commission limited to those U.S. organizations that self-certified to Safe Harbor which allows data transfers to take place without prior approval.

This year’s conference follows a similar meeting last October in Brussels, Belgium, at the EU Commission’s headquarters. At the conference’s conclusion the United States invited the European Commission to continue the conversation with another conference in the United States in 2009.

This year’s conference was organized and hosed by Damon Greer, Director of Safe Harbor Program at the U.S. Department of Commerce, International Trade Administration.

About M. James Daley

More ...