Information Tecnology Law - Essay Example

?Critically analyse the effectiveness of the US Safe Harbour regime which was instituted in order to satisfy Articles 25 and 26 of the EU Data Protection Directive 95/46/EC. Introduction Directive 95/46 of the European Commission lays down the policies related to data protection and directs its Member States to amend their respective national laws to conform to its rigorous guidelines on protecting the transfer of personal information. With the advent of the internet age as well as the intensifying globalisation, the United States realised that Directive will greatly impact the conduct of business of many of its companies especially that it the EU perceives its data protection system to fall short of that required by the Directive. After holding talks for a couple of years with the EU, the US, to the initial chagrin of much of Europe, was able to wrest an agreement that would bail out its companies from the rigid standard of the EU. The EU/US Safe Harbor agreement is a compromise pact that would allow US companies to receive personal data from the UK despite the finding of inadequacy of US data protection system. The EU/US Safe Harbor agreement, which almost relies on self-regulation of its member organisations, suffers from fundamental structural and procedural lapses that weaken its effect. The EU Data Protection Law The United Nations was the first international body to delve on the issue of data protection during the 20th anniversary of the Universal Declaration of Human Rights in 1968. It posed the question as to whether limits must be set in the use of electronics to protect privacy rights. Subsequently, the Organisation for Economic Cooperation and Development (OECD) drafted the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980 whilst the Council of Europe came up with Convention for the Protection of Individuals with Regard Automatic Processing of Personal Data also in the same year.1 The non-binding OECD Guidelines preceded a heated disagreement between some European countries and the United States where the former charged the latter of intentional laxity in its data protection laws as a strategy to globalise its computer industry and the latter accused the former of protectionism through data protection. The OECD Guidelines therefore, was a compromise of the conflicting stance of the parties. On the other hand, the Council’s treaty came about after considerations in the difficulty, especially by multinationals, in transferring personal data from one country to another because of the different procedural elements in each country. The need to harmonise these different procedural elements was the primary objective of the treaty.2 As the emergence of a European common market loomed in the horizon, the European Council finally gave in to the longtime suggestion that it comes up with a Directive that would tackle data protection. In 1990, the EC issued Directive 95/46 also known as the Data Protection Directive, which has since been described as “the most influential international policy instrument to date.”3 It was formally implemented on October 1995, with Member States given until 1998 to amend their respective laws to conform to its provisions. Whilst the Council’s earlier treaty was aimed at harmonising national laws on data protection, 4 the primary objective of Directive 95/46 is to protect the individual’s privacy as a basic right. This Directive is a consolidation of all efforts to obtain a uniform data protection laws in all Member States, because differences in levels of data protection hamper the free flow of personal data from one Member Country to another, which can result in difficulty in the implementation of a unified European market.5 The rights that are embodied in the Directive are put in a nutshell by Article 8 of the European Union Charter of Fundamental Rights, which took effect in 2009 concurrently with the Treaty of Lisbon. These rights are: the right to protection of personal data; the right to have personal data processed fairly only for a specific purpose and with consent or when there is legal basis for it, and; the right to have compliance of the rules be made subject to an independent authority.6 Chapter 4 of the Directive includes Article 25 on Principles and Article 26 on Derogations. The first article lays down the general principle prohibiting a Member State from transferring personal data to a third country unless that third country has laws in place that guarantee adequate level of data protection.7 The level of adequacy may be evaluated on the total circumstances attendant to the transfer and particularly on the following criteria: nature of the data; purpose and duration of the transfer; the country of origin and final destination; the rules of law in the country of destination, and; the professional rules and security measures observed in the third country.8 Sections 3 and 4 of said Article also oblige a Member State to notify other Member States in the event a third country is found to have inadequate measures of data protection as well as take it upon itself to ensure that personal data is not transferred to such a country. The Directive leaves it to the Commission to enter into an agreement with such a third country to solve the problem pertaining to inadequate data protection.9 Nonetheless and despite Article 25, the Directive gives a Member State the leeway to exercise discretion in transferring personal data whose level of data protection is adjudged to be inadequate, unless this is expressly prohibited in its national law. Such a decision, however, is limited by six conditions under s 26: clear consent of the data subject; there is necessity in performing the terms of a contract between the data subject and the controller; there is necessity in concluding or performing in the interest of the data subject; on the grounds of public interest or legal claims; necessary to protect important interests of the data subject, and; necessary for public information.10 The UK has since then amended its laws to incorporate the provisions of Directive 95/46 with the Data Protection Act 1998 (DPA), which replaced and expanded the previous law Data Protection Act 1984. It is underpinned by 8 data protection principles: fair and lawful processing of personal data; personal data processing should be confined only to its specified and lawful purpose; personal data should be adequate, relevant and not excessive; it should be accurate and updated; it should not be kept longer than necessary; data processing must take into consideration the rights of the data subject under the DPA.11 The US-UK Safe Harbor Agreement As earlier discussed, the Directive prohibits Member States from transferring personal data covered by its provisions from being transferred outside to third countries that has not adequate data protection system. Third countries considered as having adequate data protection are Argentina, Canada, Faeroe Islands, Guernsey, Isle of Man, Jersey and Switzerland. On the other hand, the United States is deemed to have an inadequate system of data protection.12 The primary difference between the EU and the US in data protection is that the former depends on comprehensive legislation whilst the later in a mixture of legislation, regulations and self-regulatory measures. In the eyes of the EU, the US mixture of legislation, regulations and self-regulations is a weak data protection system and therefore any transfer of personal data to it is generally a violation of the Directive. Considering that many US organisations and multinationals deal substantially with EU countries on a daily basis, the EU Directive was considered as a big impediment to their trans-Atlantic transactions.13 In February 1999, the US Department of Commerce subsequently moved to remedy the situation and entered into talks with the Federal Trade Commission (FTC hereafter). The two agencies discussed the potential impact of the looming EU Directive on US commerce considering that, at the time, the internet industry was beginning to flourish, with personal data of internet users being collected left and right by companies. As earlier discussed, the US lacked a comprehensive legislation on data protection as it partially relied on self-regulation, believing that such a measure enhances e-commerce and is good for consumers. The US had already adopted the OECD data protection Guidelines and many US companies had subsequently joined self-regulatory bodies in compliance with the principles laid down in said Guidelines.14 Subsequently, the US and the EU went into talks for several months to find a solution that would allow the smooth flow of data transfer from the UK to the US despite the fact that the US was considered as having inadequate data protection. In negotiating with the EU, the US had the following objectives: “voluntary participation of American companies that received EU data; compliance standards that the US through the Department of Commerce (and not the EU) certified, and; existing US law enforced by the FTC.”15 The result was the Safe Harbour Agreement concluded on July 2000. The Agreement bridges the disparity between the two data protection systems allowing data protection flow from the EU to the US without altering their respective basic data protection policies.16 It consists of a certification process with seven data protection policy principles: notice; choice; onward transfer; access; security; data integrity, and; enforcement. The first principle of ‘notice’ requires companies to divulge to persons why the latter’s personal information are to be taken as well as provide details as to company information that will allow data subjects to contact them and make further inquiries or file complaints. The principle ‘choice’ means that the companies that collected personal data must give the data subjects the option whether to give their consent or not to the data disclosure to third parties. On the other hand, the ‘onward transfer’ principle refers to the requirements necessary to make a lawful transfer of data to third party. Such a procedure requires that a company must only undertake this data transfer with prior notice to and giving the data subject the choice. If the third party is an agent, the controller must make sure that the agent abides by the safe harbor policy or is bound by the Directive or it can agree with such third party to provide an adequate level of data protection. The ‘access’ principle requires that the data subject must be able to retrieve the information that the company has on him and amend, correct, or delete inaccurate information except when the cost of such access to the company is disproportionate to the risk of the data subject or when another party’s rights will be violated thereby. It is also the responsibility of the company to secure the data it has so far collected from loss, misuse and other forms of threat to it in accordance to the ‘security’ principle of the safe harbor framework. The principle of ‘data integrity’ requires that the element of relevance to the use is present in all data gathering and keeping of personal information. Finally, ‘enforcement’ refers to the ability of the organisation to provide for a recourse mechanism, appropriate procedures and obligations to cure the defect in the event of disputes related to the data gathering and keeping.17 In practical terms, a company must undergo certain procedures to qualify under the Safe Harbor program: publicly declare that it will abide by the program, and; establish a three-step compliance program for its use in data protection that will be monitored by the FTC. Since the FTC is the supervisory agency, companies that are not under its jurisdiction such as telecommunications and financial services are not currently qualified to avail the Safe Harbor program. Participation in the Safe Harbor program has an added benefit to US companies: all disputes relative to data protection involving EU countries will be resolved by the FTC under US jurisdiction. FTC is also authorised to initiate an action against any US company that violates data protection under the Safe Harbor framework.18 The Effectiveness of the US-UK Safe Harbor in Fulfilling the Mandate of the EU Data Protection Law Globalisation dictates and warrants the constant transfer of personal data from one country to another. This is especially true with multinational companies that have branches or subsidiaries in both the EU and the US, or in internet transactions where one party is located in the EU and the other in the US. Directive 95/46, however, restricts the smooth flow of personal data from any of the EU countries to the US because the latter does not qualify as having adequate data protection system in accordance with the standards of said Directive. Today, multinational corporations and other entities that necessarily deal with the transfer of personal information from any of the EU states to the US have two options: individually negotiated contracts, and; the Safe Harbor program being administered by the FTC of the US.19 The effectiveness of the Safe Harbor program, however, has been assailed by observers since its inception in 2000. An observer remarked that the EU/US Safe Harbor is a trade off of high European data protection standards for the mighty US dollars. Criticisms such as these stemmed from the perceived weaknesses of the program, particularly in the lack of detailed mechanisms in the implementation of the seven principles. The EU Parliament itself has criticised the Commission in 2000 for its conduct in the negotiations of the Safe Harbor agreement, noting that it failed to ensure the incorporation of adequate protection mechanisms.20 Last year, a meeting of German Data Protection Authorities (DPAs) concluded with a decision for data exporters to undertake minimum verification measures to ensure that US companies are data protection compliant even if they are on the Safe Harbor program list. This decision seems to evidence a general lack of trust on the effectiveness of the program, at least, by the Germans.21 A. No Guarantee of the Accuracy of Information of Companies in the DoC List Galexia, a private specialist management consultant specialising in privacy, among others, conducted a study of the UE/US safe harbor list 2008 and concluded that a flaw in the system exists that may result in its ineffectiveness. Foremost in the findings is the fact that the number of companies on the list does not reflect the actual number of membership. For example, the list contained, in 2008, 1,597 entries, but upon closer scrutiny, many of those on the list are either ‘not current’, or have failed to renew their certification, but are still kept on the list. Moreover, there are companies that have double and even triple entries, according to Galexia.22 Today, there are about 2582 companies currently included in the Safe Harbor List, but the same system of including outdated certifications are still being implemented.23 A further scrutiny of the Safe Harbor list showed that of the 1,597 listed as members as of 2008, only 348 organisations met the basic requirements of the framework. Nonetheless, even those 348 may not be totally compliant as the basis of the research was only the enforcement principle. Moreover, there was a possibility that the organisations found to be compliant with the enforcement principle may have restricted their compliance to a particular aspect, such as human resources data. In reaching this finding, Galexia filtered the list by removing organisation that were indicated as ‘not current,’ with no unreachable website despite claim to the contrary, no specific mention of ‘safe harbor’ although has a privacy policy subsisting, those that selected AAA or JAMS as their dispute resolution provider, and those that required password or direct contact to get private policy, among others. There are other criteria used by Galexia in filtering the list.24 Many organisations listed were also found to have misrepresented themselves as members of the Safe Harbor program when, in fact, they are no longer current members. One of the claimants was an organisation that had been inactive since 2003 whilst most of those misrepresenting themselves had not been ‘current’ for at least a year. Moreover, membership in a third party privacy program does not also ensure membership in the Safe Harbor list as 26 organisations that has membership in TRUSTe EU Safe Harbor, a privacy program, were discovered to be not on the DoC list. As of Galexia’s study in 2008, the US had not instituted a single false claim suit against any of these organisations although the oldest false claim had been made in September 2005.25 B. The Problem of Detecting Violations Although the Safe Harbor programme has been in force since 2000, no complaint has been filed before the FTC, the US agency that has the statutory authority to enforce the seven principles of the programme, as of 2008. The FTC is empowered to bring an action against a company for failure to honor its commitment under self-certification in the Safe Harbor programme and for breach of privacy policy and other misrepresentations.26 It was only in 2009, however, that the FTC brought an action against an organisation under the Safe Harbor programme.27 Membership to the Safe Harbor programme requires an organisation do two things: publicly declare that it abides by the Seven Principles and complies with them through a privacy policy that can be accessed by the public, and; self-certify with the DoC of its compliance of said Principles. 28 However, whether these organisations that have self-certified themselves with the DoC actually comply fully or at all with the Safe Harbor principles cannot be ensured considering that the DoC have no auditing or assessment mechanism in place and relies only upon complaints initiated by third parties. On the contrary, the DoC has specifically indicated in their website that it does not guarantee the accuracy of the Safe Harbor list nor assumes responsibility for any inaccuracy.29 It was assumed before 2009 that the absence of complaints relative to the Safe Harbor agreement was because there was general compliance by members of their respective self-certification. In a study conducted by the Working Staff of the Commission of the European Communities in 2004, which was done by analysing companies, it was discovered, however, that many member organisations were not faithfully adhering to many aspects of the program such as visible privacy policy requirement and the integration of the seven policies into privacy policies.30 The recent spate of activities by the FTC, however, could indicate that the FTC and the DoC are taking a more pro-active approach in the detection of breaches of the Safe Harbor agreement, with seven cases filed within the last quarter of 2009. The first case was, however, initiated by the UK consumers themselves, whilst press releases in the second batch of six cases did not indicate what triggered them. In 2009, the FTC brought its first case under the Safe Harbor programme. The case FTC v Javian Karnani, and Balls of Kryptonite, LLC31 was triggered by complaints from consumers in the UK against the defendant, which had falsely represented itself as self-certified under the EU/US Safe Harbor program when, in fact, it was not. The consumers from UK used a “website established by 25 international consumer protection agencies to facilitate global consumer protection efforts” 32 to reach the FTC. The investigation was jointly conducted by the FTC and the UK Office of Fair Trading and also invoked the US Safe Web Act 2006 legislation in prosecuting the California-based company that not only misrepresented itself as a member of the Safe Harbor program but also duped its UK customers into believing that it operated in the UK and could offer warranties on its products that were valid within the UK.33 Just two months after it filed its initial UE/US Safe Harbor-related case, FTC went after six companies for misrepresenting themselves as holders of certifications under the programme although they had, in fact, not renewed them, but instead allowed such certifications to lapse. The cases of In the Matter of World Innovators, Inc.,34 In the Matter of ExpatEdge Partners, LLC,35 In the Matter of Onyx Graphics, Inc.,36 In the Matter of Directors Desk LLC,37 In the Matter of Progressive Gaitways, LLC,38 In the Matter of Collectify LLC, 39 were eventually settled, however, when the respective company defendants offered to enter into a settlement agreement with the FTC.40 Despite these developments, however, there remains no fixed and comprehensive mechanism that the DoC or the FTC have put in place to detect violation of the Safe Harbor data protection principles. C. Enforcement Issues The enforcement aspect related to this part of the paper refers to enforcement as one of the principles of Safe Harbor and enforcement as a tool of the FTC in enforcing the all the principles of Safe Harbor framework. To be within the ambit of adequate data protection, an effective data protection policy must contain a system that ensures that compliance is followed, that data subjects have recourse when aggrieved and that imposes penalty in the event of breach of the policies.41 In the review conducted by the Working Staff of the Commission in 2004, it was revealed that there inadequacies in this area. For example, there were companies that failed to indicate the Alternative Resolution Body (ADR) or its equivalent, and even if they did, some failed to specify what procedures were to be followed. For those that indicated the EU panel instead of an ADR, some did not specifically include a statement to abide with its decision or simply failed to indicate how the panel can be contacted.42 Moreover, the EU Parliament pointed out the following missing mechanisms: failure to indicate an appeal system to an independent public body specifically given the task to accept appeals relative to data protection violation; failure to specifically obligate violating companies and other entities to compensate, either in actual or moral damages, in case of violation and to delete personal data that are products of data protection violation, and; failure to provide for easy procedures to ensure deletion of data that are products of data protection and obtain compensation thereof43 On the other hand, the lack of fixed and simple detection rules may weaken the enforcement capability of the FTC. Clearly, detection is shifted to data privacy entities such as the Electronic Privacy Information Center (EPIC). The Commissioner of the FTC stated that the agency will be guided by established precedents in enforcing and handling safe harbor cases. These precedents can be found in the cases of In the Matter of Microsoft Corporation,44 In the Matter of Eli Lilly and Company,45 and In the Matter of Guess?, Inc and Guess.com, Inc.46 All of these cases involved internal data protection violation, whose investigations the FTC had initiated independently, and misleading representations in their respective privacy statements. They were all underpinned by the provision of §5 of the FTCA. The FTC asserted that Safe Harbor cases will be likewise based on the same basis as the aforementioned cases. Conclusion The EU/US Safe Harbor agreement has been assailed as a trade off of EU high standard in data protection for the almighty US dollar. Many of the basic policies enshrined in the EC Directive seem to have been compromised and lost in the agreement. The two previous reviews conducted by the Working Staff of the Commission have confirmed these weaknesses which go into the heart of the seven policies embodied in the Safe Harbor agreement. Facts abound that showed that some of the elements in the framework have not been complied with. The DoC website itself reflects this weakness in the system with its statement relieving itself of any liability in the non-accuracy and concealed misrepresentations in its Safe Harbor List. Until lately, the FTC, the prosecution agent of the data protection agreement, had not been active in pursuing violators of the agreement simply because there were no complaints. The seeming huge disparity in the implementation between the Directive and the EU/US Safe Harbor merely illustrates the differences in the approach between the EU and the US in handling data protection. Evidently, whilst the EU believes that data protection can only be ensured by a comprehensive legislation where the state agencies are on the frontline initiating the compliance of the law on companies and other concerned entities, the US chooses to stay in the background relying upon the latent value of self-regulation and the perseverance of the victims to pursue the means to enforce their rights. References (2007) ‘Data Protection Policy: Overview of the Data Protection Act 1998’ University of London: School of Oriental and African Studies, http://www.soas.ac.uk/infocomp/dpa/policy/overview/. (2011) ‘U.S.-EU Safe Harbor Overview’ export.gov, https://www.export.gov/safeharbor/eu/eg_main_018476.asp. Beyleveld, D (2004) The Data Protection Directive and Medical Research across Europe Ashgate Publishing, Ltd. Connolly, C (2008) ‘The US Safe Harbor – Fact or Fiction?’ Galexia, http://www.galexia.com/public/research/assets/safe_harbor_fact_or_fiction_2008/safe_harbor_fact_or_fiction.pdf. Commission Staff (2004) ‘The Implementation of Commission Decision 520/2000/EC on the Adequate Protection of Personal Data Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce’ Commission of the European Communities. Criminal Proceedings against Bodil Lindqvist Case C-101/01. Dilascio, T (2004) ‘How Safe is the Safe Harbor? US and EU Data Privacy Law and the Enforcement of the FTC’s Safe Harbor Program’ Boston University International Law Journal Vol 22 (399), http://www.bu.edu/law/central/jd/organizations/journals/international/volume22n2/documents/399-424.pdf. Dunn, M & Kreishna-Hensel, S F & Mauer, V (2007) The Resurgence of the State: Trends and Processes in Cyberspace Governance, Ashgate Publishing, Ltd. Fischer-Hubner, S (2001) IT-Security and Privacy: Design and Use of Privacy-Enhancing Security Mechanisms, Springer. FTC v Javian Karnani, and Balls of Kryptonite, LLC Civil Action No. 09-CV-5276 (2009). FTC ‘FTC Settles with Six Companies Claiming to Comply with International Privacy Framework’ Federal Trade Commission 2009, http://www.ftc.gov/opa/2009/10/safeharbor.shtm. FTC ‘Court Halts U.S. Internet Seller Deceptively Posing as U.K. Home Electronics Site’ Federal Trade Commission 2009, http://www.ftc.gov/opa/2009/08/bestpriced.shtm. Greenleaf, G (2000) ‘Safe Harbor’s Low Benchmark for ‘Adequacy’: EU Sells out Adequacy for US$’ Practical Law and Policy Reporter 2004:32, http://www.austlii.edu.au/au/journals/PLPR/2000/32.html. Howard, C (2011) The Organizational Ombudsman: Origins, Roles, And Operations: A Legal Guide, American Bar Association. In the Matter of Collectify LLC, File No. 092 3142 (2009). In the Matter of Directors Desk LLC, File No. 0923140 (2009). In the Matter of Eli Lilly and Company File No. 0123260 (2002). In the Matter of ExpatEdge Partners, LLC, File No. 0923138 (2009). In the Matter of Guess?, Inc and Guess.com, Inc File No. 0223260 (2003). In the Matter of Microsoft Corporation File No. 0123240 (2002). In the Matter of Onyx Graphics, Inc., File No. 0923139 (2009). In the Matter of Progressive Gaitways, LLC, File No. 092 3141 (2009). In the Matter of World Innovators, Inc., File No. 0923137 (2009) Kuner, C (2003) European Data Privacy Law and Online Business, Oxford University Press. Noorda, C & Hanloser, S (2010) E-discovery and Privacy: A Practical Guide, Kluwer Law International. Thompson, M & van Wagonen Magee, P (2003) ‘US/EU Safe Harbor Agreement: What It is and What it Says About the Future of Cross Border Data Protection’ Federal Trade Commission http://www.ftc.gov/speeches/thompson/thompsonsafeharbor.pdf. Read More