Report: Many Failures: A Brief History of Privacy Self-Regulation. Section: Government Privacy Self-Regulatory Activities (World Privacy Forum)

You are reading section III., Government Privacy Self-Regulatory Activities, of the report Many Failures: A Brief History of Privacy Self-Regulation.


III. Government Privacy Self-Regulatory Activities

This section reviews several other privacy self-regulatory activities that share some characteristics with the industry self-regulatory programs discussed above, but these activities differ in various ways. The most noticeable difference is the role of the government in the programs. The Department of Commerce is involved in the Safe Harbor Framework, and the Federal Trade Commission is involved in the Children’s Online Privacy Protection Act.

Department of Commerce Safe Harbor Framework [73]

The Safe Harbor Framework operated by the Department of Commerce started in 2000 with an agreement between the Department and the European Commission. [74] The Safe Harbor Framework differs somewhat from the other self-regulatory activities discussed in this report because of the role played by the Department. However, the Department’s role in the Safe Harbor Framework did not prevent the deterioration of the Safe Harbor over time or stop the lack of compliance by companies that participated in the Safe Harbor.

With the adoption of the European Union’s Data Protection Directive [75] in 1995 and its implementation in 1998, much of the concern about transborder data flows of personal information centered on the export restriction policies of the Directive. Article 25 of the Directive generally provides that exports of personal data from EU Member States to third countries are allowed if the third country ensures an adequate level of protection. [76] While the EU determined that some countries (e.g., Argentina, Canada, and Switzerland) provide an adequate level of privacy protection according to EU standards, the United States has never been evaluated for adequacy or determined to be adequate. Restrictions on exports of personal data from Europe created some significant problems and uncertainties for both US and EU businesses, including online businesses. Pressured by the American business community, the Commerce Department intervened to resolve the threats to US business presented by the Data Protection Directive.

The Safe Harbor framework [77] was the result. It allows US organizations to publicly declare that they will comply with the requirements. An organization must self-certify annually to the Department of Commerce in writing that it agrees to adhere to the Safe Harbor’s requirements. There are seven areas of privacy standards covering notice, choice, onward transfer (transfers to third parties), access, security, data integrity, and enforcement. Safe Harbor documentation describes the requirements and provides an interpretation of the obligations. [78] To qualify for the Safe Harbor, an organization can (1) join a self-regulatory privacy program that adheres to the Safe Harbor’s requirements; or (2) develop its own self-regulatory privacy policy that conforms to the Safe Harbor. The Safe Harbor Framework has its own standards, voluntary certification, and some external method of enforcement, so it is similar to the self-regulatory activities considered earlier in this report.

The International Trade Administration of the Department of Commerce now operates the Safe Harbor framework. The Commerce Department website maintains a list of organizations that filed self-certification letters. Only organizations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation are eligible to participate. This limitation means that many companies and organizations that transfer personal information internationally cannot qualify for participation either in whole or in part.

Three studies of the Safe Harbor Framework have been conducted since the start of Safe Harbor. The first study was conducted in 2001 at the request of the European Commission Internal Market DG. [79] The second study, completed in 2004, was also conducted at the request of the European Commission Internal Market DG. An international group of academics conducted the study. [80] The third study was prepared by Chris Connolly, director of an Australian management consulting company with expertise in privacy, authentication, electronic commerce, and new technology. [81] Overall, the three studies found the same problems with Safe Harbor. Companies that claim to meet the Safe Harbor requirements are not actually in compliance with those requirements. Evidence from the three reports suggests that the number of companies not in compliance has increased over time.

There is no evidence of improvement in the administration of the Department’s Safe Harbor activities. Perhaps the most prominent response to the reports of noncompliance was the addition of a disclaimer on the Department’s Safe Harbor website indicating that the Department cannot guarantee the accuracy of the information it maintains. [82] It appears that the Department has made some changes to its website over the years, but there remains a lack of evidence of any substantive efforts by the Department to monitor or enforce compliance. While the Safe Harbor Framework is not a pure industry-run self-regulatory activity because of the role of the Department of Commerce, it shares characteristics of industry self-regulatory activities: interest in the Safe Harbor Framework diminished over time, and business support and participation deteriorated. Enforcement has been rare, and the Department never conducted or required audits of participants.

The shortcomings of the Safe Harbor Framework have come to the attention of some data protection authorities in Europe. In April 2010, the Düsseldorfer Kreis, a working group composed of the 16 German federal state data protection authorities with authority over the private sector, adopted a resolution applicable to those who export data from Germany to US organizations that self-certified compliance with the Safe Harbor Framework. The resolution tells German data exporters that they must verify whether a self-certified data importer in the US actually complies with the Safe Harbor requirements. [83] Essentially, the action by the German state data protection authorities rejects in significant part the Safe Harbor Framework, particularly the self-certification as it appears on the Department of Commerce website. The Düsseldorfer Kreis makes this clear when it states that the reason for its action is that “comprehensive control of US-American companies’ self-certifications by supervisory authorities in Europe and in the US is not guaranteed…” [84]

The Department has ignored repeated evidence that many or most Safe Harbor participants are not in compliance with the requirements. Instead, in a recent green paper, the Department claimed that the Safe Harbor Framework was “successful.” [85] It is not clear what standard the Department used to measure the success of the Safe Harbor Framework. All available evidence strongly suggests a substantial lack of compliance with the Safe Harbor Framework.

Children’s Online Privacy Protection Act (COPPA)

The safe harbor provision in the Children’s Online Privacy Protection Act (COPPA) [86] is sometimes cited as a self-regulatory program. For that reason, COPPA is discussed here. However, it is crucial to note that COPPA self-regulation is significantly different from the others discussed in this report. The companies in a COPPA safe harbor must follow all the substantive standards established in the COPPA statute and FTC regulations, meaning that a participant in a safe harbor program must do everything that a non-participant must do plus bear the cost of the safe harbor. The standards cannot be changed by the participants in the self-regulatory program. The FTC formally oversees and approves COPPA safe harbor programs, a characteristic that the other self-regulatory programs reviewed here lacked. [87] In effect, the COPPA safe harbor programs mostly engage in limited enforcement of the statute and relieve the Commission of some of the burden. This may have some benefits overall. It should not be surprising that industry participation in the safe harbor aspect of COPPA is limited.

Whether COPPA self-regulation is a success or failure is a subject for reasonable debate, but COPPA has fewer characteristics of failure than the industry self-regulation discussed earlier. For example, there is a formal input procedure for consumers, the safe harbor program has not disappeared, and there has been COPPA enforcement by the FTC. The COPPA model does not appear to be a model in current use outside of this instance. The reason may be that self-regulatory activities under a legislative scheme have little attraction when the principal purpose of industry self-regulation for privacy has been avoidance of regulation in the first place.

___________________________________

Endnotes

[73] This summary is adapted from an analysis of the Department of Commerce’s international privacy activities published by the World Privacy Forum in 2010. The WPF report is The US Department of Commerce and International Privacy Activities: Indifference and Neglect. The WPF report contains additional citations and support for the conclusions presented here. See: http://www.worldprivacyforum.org/pdf/USDepartmentofCommerceReportfs.pdf (last visited 9/20/11).

[74] All Safe Harbor documents can be found at http://www.export.gov/safeharbor/eg_main_018237.asp (last visited 9/20/11).

[75] Council Directive 95/46, art. 28, on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, 1995 O.J. (L 281/47), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML (last visited 9/20/11).

[76] Other grounds for data exports are not relevant here.

[77] http://www.export.gov/safeharbor/eu/eg_main_018476.asp (last visited 9/20/11).

[78] http://www.export.gov/safeharbor/eu/eg_main_018493.asp (last visited 9/20/11).

[79] The Functioning of the US-EU Safe Harbor Privacy Principles (September 21, 2001). This study was reportedly published by the European Commission, but a copy has not been located on the EU’s data protection webpage or elsewhere on the Internet. The study author is not identified in the document, but a Commission official publicly identified Professor Joel R. Reidenberg, Fordham University Law School, as the author, and the 2004 Study also identified Professor Reidenberg as the author. See 2004 Study at note 2.

[80] Safe Harbour Decision Implementation Study (2004), http://ec.europa.eu/justice/policies/privacy/docs/studies/safe-harbour-2004_en.pdf (last visited 9/20/11). As identified in the paper, the authors are Jan Dhont, María Verónica Pérez Asinari, and Prof. Dr. Yves Poullet (Centre de Recherche Informatique et Droit, University of Namur, Belgium) with the assistance of Prof. Dr. Joel R. Reidenberg (Fordham University School of Law, New York, USA) and Dr. Lee A. Bygrave (Norwegian Research Centre for Computers and Law, University of Oslo, Norway).

[81] The US Safe Harbor – Fact or Fiction? (2008), http://www.galexia.com/public/research/assets/safe_harbor_fact_or_fiction_2008/safe_harbor_fact_or_fiction.pdf (last visited 9/20/11).

[82] See https://www.export.gov/safehrbr/list.aspx (last visited 9/20/11) (“In maintaining the list, the Department of Commerce does not assess and makes no representations to the adequacy of any organization’s privacy policy or its adherence to that policy. Furthermore, the Department of Commerce does not guarantee the accuracy of the list and assumes no liability for the erroneous inclusion, misidentification, omission, or deletion of any organization, or any other action related to the maintenance of the list.”).

[83] Supreme Supervisory Authorities for Data Protection in the Nonpublic Sector (Germany), Examination of the Data Importer’s Self-Certification According to the Safe-Harbor-Agreement by the Company Exporting Data (revised version of Aug. 23, 2010), http://www.datenschutz-berlin.de/attachments/710/Resolution_DuesseldorfCircle_28_04_2010EN.pdf?1285316129 (last visited 9/20/11).

[84] Id.

[85] Department of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework at 44 (undated; released in December 2010), http://www.commerce.gov/sites/default/files/documents/2010/december/iptf-privacy-green-paper.pdf (last visited 9/20/11).

[86] 15 U.S.C. §§ 6501-6506.

[87] 15 U.S.C. § 6503.

Posted October 14, 2011 in Behavioral Advertising, Consumer Privacy, Government privacy, International Privacy, Network Advertising Initiative (NAI), Online Privacy, Region: EU, Report: Many Failures - A Brief History of Privacy Self-Regulation, Safe Harbor (EU), Self-regulation