This substance of this analysis is about the new EU-US Privacy Shield, with contextual background and an analysis of how this new proposal compares to the old EU-US Safe Harbor agreement. The analysis includes a discussion of winners and losers in Privacy Shield, and discusses its potential future.
The US and the European Commission have released details about the proposed Privacy Shield program, formerly known as the "EU-US Safe Harbor Framework." A key takeaway on US side is that the program will still rely on self-certification, although with improved verification and monitoring mechanisms. For its part, the US ...
Update for February 29, 2016: The US and the European Commission have released new details about the proposed Privacy Shield program. We have published a new post about this release here . Briefly, the US Department of Commerce has released a 132-page package containing the program principles, letters from the ...
The closely watched Safe Harbor talks to craft new privacy rules for transatlantic data flows between the US and the EU have resulted in some preliminary signals today, although a final outcome is still pending. Commissioner Jourova, speaking before the Committee on Civil Liberties, Justice, and Home Affairs, said that ...
This report is a landmark analysis and history of self-regulatory efforts in the area of privacy. The report is authored by Robert Gellman and Pam Dixon. It includes details about programs such as the IRSG, the Privacy Leadership Initiative, the Privacy Alliance, and other privacy self-regulatory programs.
Current online privacy debates focus on respecting the privacy interests of Internet users while accommodating business needs. Formal and informal proposals for improving consumer privacy offer different ideas for privacy regulation and privacy self-regulation, sometimes called codes of conduct. [1] Some in the Internet industry continue to advance or support ideas for privacy self- regulation. Many of these same players proposed and implemented privacy self-regulatory schemes that started in the late 1990s.
This section offers a historical review of privacy self-regulation that occurred in the years just before and just after 2000. For a variety of reasons, it is not necessarily fully comprehensive. Some self-regulatory efforts may have disappeared without a trace. Activities within existing trade associations are difficult or impossible to assess from evidence available to those outside the associations. However, this discussion captures the leading organizations of the time. [13]
This section reviews several other privacy self-regulatory activities that share some characteristics with the industry self-regulatory programs discussed above, but these activities differ in various ways. The most noticeable differences are the role of the government in the programs. The Department of Commerce is involved in the Safe Harbor Framework, and the Federal Trade Commission is involved in the Children’s Online Privacy Protection Act.
Self-regulation -- The World Privacy Forum has published a report on past self-regulatory efforts in the area of privacy, Many Failures: A brief history of privacy self-regulation. "Privacy self-regulation has been a Potemkin Village of consumer protection," says executive director Pam Dixon. "History shows a pattern of past self-regulatory efforts that have been erected quickly and have faded after regulatory threats fade." The report is authored by Robert Gellman and Pam Dixon. It includes details about programs such as the IRSG, the Privacy Leadership Initiative, the Privacy Alliance, and other programs. A key finding of this report is that the majority of the industry self-regulatory programs that were initiated failed in one or more substantive ways, and many disappeared entirely.
The self-regulatory efforts in this category include projects that have many components, including input from government, industry, academia, and civil society.
Is there any reason to think that privacy self-regulation will work today when it did not work in the past? Privacy self-regulation done in the same way that it has been done in the past, without sufficient consumer participation, and with the same goals of simply evading real regulation and effective privacy controls will continue to fail.
The World Privacy Forum filed comments on the US Department of Commerce Green Paper today and urged the department to adopt a fair stakeholder input process that included consumers in a robust and meaningful way. WPF outlined seven specific steps for the department to take to ensure a fair process.
This report evaluates the US Department of Commerce’s international privacy programs, their efficacy, and their value to business and to consumers. The role of the Commerce Department has become more important in light of the Obama Administration's establishment of a Subcommittee on Privacy and Internet Policy in October 2010. The Subcommittee is chaired jointly by the Department of Commerce and the Department of Justice, and it is intended to promote “individual privacy,” among other things. [1] This report reviews, analyzes, and summarizes major international privacy activities of the Department of Commerce, with a focus on the Safe Harbor Framework established in 2000 with the European Union in response to the requirements of the EU Data Protection Directive. The report also considers briefly the Department’s work on the Asia Pacific Economic Cooperation (APEC) Privacy Framework.
The rise of privacy as an issue of international attention has taken place during the past forty years. Various agencies of the US Government have played roles on international privacy matters, including the State Department, Federal Trade Commission, Department of Homeland Security, Office of Management and Budget, the Department of Commerce, and scattered other agencies. The privacy activities of these agencies have waxed and waned over the decades. Of the US agencies, the US Federal Trade Commission has played by far the most significant role in consumer privacy issues, for example, identity theft, financial privacy, and a host of issues related to privacy and fair business practices. Historically, the Department of Justice, primarily a law enforcement agency, has never played a significant role in consumer privacy. Indeed, in its law enforcement capacity, the Justice Department is often directly antagonistic to the protection of consumer privacy.
The Department of Commerce’s actions on international privacy matters have often been characterized by highly visible but ineffectively administered programs that lack rigor. As this report discusses, three separate studies show that many and perhaps most Safe Harbor participants are not in compliance with their obligations under the Safe Harbor Framework. The Department of Commerce has thus far carried out its functions regarding the Safe Harbor program without ensuring that organizations claiming to comply with the Safe Harbor requirements are actually doing so.
The privacy responsibilities of the National Telecommunications and Information Administration of the Department of Commerce originated with the establishment of a privacy coordinating committee by President Jimmy Carter in 1977 as part of a presidential privacy initiative. [4] The staff that carried out the work was transferred to NTIA at the time of its establishment in 1978. [5]
With the adoption of the European Union’s Data Protection Directive [21] in 1995 and its implementation in 1998, much of the concern about transborder data flows of personal information centered on the export restriction policies of the Directive. Article 25 generally provides that exports of personal data from EU Member States to third countries are only allowed if the third country ensures an adequate level of protection. While some countries have been found to provide an adequate level of protection according to EU standards, the United States has never been evaluated for adequacy or determined to be adequate.
Report home | Read the report (PDF) | | Three studies of the Safe Harbor Framework were conducted since the start of Safe Harbor. The first study was conducted in 2001 at the request of the European Commission Internal Market DG [2001 Study]. [29] The second study, completed in 2004, ...
The shortcomings of the Safe Harbor Framework have come to the attention of some data protection authorities in Europe. In April 2010, the Düsseldorfer Kreis, a working group comprised of the 16 German federal state data protection authorities with authority over the private sector, adopted a resolution applicable to those who export data from Germany to US organizations that self-certified compliance with the Safe Harbor Framework. The resolution tells German data exporters that they must verify whether a self-certified data importer in the US complies with the Safe Harbor requirements.
The Asia Pacific Economic Cooperation (APEC) is a grouping of 21 member economies in the Asia Pacific Region, including Russia, China, and the United States. APEC was established in 1989 to facilitate economic growth, cooperation, trade, and investment in the region. The Asia-Pacific Economic Cooperation (APEC) is a forum for 21 member economies in the Asia Pacific region. APEC includes Russia, China, and the United States as members. APEC adopted a Privacy Framework in 2004. The APEC Privacy Framework is largely viewed as an attempt to create a different international privacy regime as an alternative to the European Union’s Data Protection Directive. Whether APEC will succeed in influencing international privacy developments in a meaningful way remains to be seen.
The World Privacy Forum prepared this report in part because the role of the Department of Commerce in privacy may change in the near future. The Department of Commerce is co-chair with the Department of Justice on the Subcommittee on Privacy and Internet Policy established by the Obama Administration toward the end of 2010. It is not comforting to consumer privacy advocates that Department of Justice is a law enforcement agency that is often antagonistic to consumer privacy interests, that the Commerce Department has mostly represented business interests in international privacy matters, and that the Commerce Department does not have an admirable record in the areas of privacy that it currently oversees. This leaves the leadership of the Subcommittee on Privacy and Internet Policy without a strong voice for consumer privacy interests.
