Asia Pacific Economic Cooperation Group (APEC)

This report evaluates the US Department of Commerce’s international privacy programs, their efficacy, and their value to business and to consumers. The role of the Commerce Department has become more important in light of the Obama Administration’s establishment of a Subcommittee on Privacy and Internet Policy in October 2010. The Subcommittee is chaired jointly by the Department of Commerce and the Department of Justice, and it is intended to promote “individual privacy,” among other things. [1]

This report reviews, analyzes, and summarizes major international privacy activities of the Department of Commerce, with a focus on the Safe Harbor Framework established in 2000 with the European Union in response to the requirements of the EU Data Protection Directive. The report also considers briefly the Department’s work on the Asia Pacific Economic Cooperation (APEC) Privacy Framework.

The rise of privacy as an issue of international attention has taken place during the past forty years. Various agencies of the US Government have played roles on international privacy matters, including the State Department, Federal Trade Commission, Department of Homeland Security, Office of Management and Budget, the Department of Commerce, and scattered other agencies. The privacy activities of these agencies have waxed and waned over the decades. Of the US agencies, the US Federal Trade Commission has played by far the most significant role in consumer privacy issues, for example, identity theft, financial privacy, and a host of issues related to privacy and fair business practices. Historically, the Department of Justice, primarily a law enforcement agency, has never played a significant role in consumer privacy. Indeed, in its law enforcement capacity, the Justice Department is often directly antagonistic to the protection of consumer privacy.

The Department of Commerce’s actions on international privacy matters have often been characterized by highly visible but ineffectively administered programs that lack rigor. As this report discusses, three separate studies show that many and perhaps most Safe Harbor participants are not in compliance with their obligations under the Safe Harbor Framework. The Department of Commerce has thus far carried out its functions regarding the Safe Harbor program without ensuring that organizations claiming to comply with the Safe Harbor requirements are actually doing so.

The privacy responsibilities of the National Telecommunications and Information Administration of the Department of Commerce originated with the establishment of a privacy coordinating committee by President Jimmy Carter in 1977 as part of a presidential privacy initiative. [4] The staff that carried out the work was transferred to NTIA at the time of its establishment in 1978. [5]

With the adoption of the European Union’s Data Protection Directive [21] in 1995 and its implementation in 1998, much of the concern about transborder data flows of personal information centered on the export restriction policies of the Directive. Article 25 generally provides that exports of personal data from EU Member States to third countries are only allowed if the third country ensures an adequate level of protection. While some countries have been found to provide an adequate level of protection according to EU standards, the United States has never been evaluated for adequacy or determined to be adequate.