TOOLS FOR THE KNOWLEDGE ECONOMY: AN OVERVIEW

CHAPTER III
CURRENT ISSUES AND DEVELOPMENTS WITH RESPECT TO DATA PROTECTION

I. Introduction - Privacy and the Data Protection Challenge

New information and communications technologies ("ICTs") that promote the collection, manipulation and exchange of information have done more than offer increased efficiencies and new channels of service delivery. At a fundamental level, they have altered our social relationship to data, especially in electronic form. This chapter on data protection is included here to illustrate the importance that data protection, and the application of its principles are playing on the stage of world trade. In the globalized knowledge-based economy privacy (also referred to as data protection) is a fundamental principle. The European Union, in its Directive on Data Protection (see below) have mandated that there be an "adequate" level of protection when personal information on European citizens is transferred to another country outside the EU. The Malaysian government has indicated, as part of the Vision 2020 strategy, that data protection is an important component in IT development. This chapter is presented as a tool to understand the role data protection is playing in our knowledge-sharing economies and world trade.

The ongoing entrenchment of ICTs in both the private and public sectors has established the virtue of efficient data flow as the cornerstone of e-commerce and e-government strategies. More than just facilitating rapid access and enhanced portability of information, ICTs allow users to assemble scattered and diverse pieces of data into meaningful groupings and identify a wide variety of previously unrealized linkages. In a commercial setting, this allows businesses to learn a great deal about prospective consumers and their personal preferences, build comprehensive customer profiles, micro-target marketing campaigns and deliver enhanced customer service. Within the context of public administration, these information management tools can assist governments to identify incidents of fraud, deliver services more cost-effectively, and respond more quickly to citizen expectations.

At the same time, new ICTs, and their ability to facilitate the flow and manipulation of electronic data have a potentially devastating role to play in the erosion of personal privacy.

Traditional democratic mechanisms seek to put reasonable limits on political and social control exercised by the state, while placing greater political and social control into the hands of the individual. Privacy, while not easily compartmentalized or even quantified, is defined by the individual's ability to control the boundaries of his or her personal spaces. As those boundaries are contracted by new data processing technologies, that control passes from the individual to the wielder of the technology.

The collection and use of electronic data is at the heart of these issues, especially from the perspective of the European Union. This issue is drawn along a multitude of fronts: in the workplace; at the cyber-malls of e-commerce; and within the virtual hospital walls of the health industry. As governments, citizens, consumers, employers and employees wrestle with these new and invasive technologies, concerns over privacy in general, and data protection, in particular, continue to escalate.

In its review of the leading privacy stories of 2000, The Privacy Foundation, based at the University of Denver, highlighted the following American developments that illustrate some of the diverse privacy challenges that have arisen in data collection and exchange:

U.S. Federal government rules to address patient privacy: Widespread public concerns that personal medical information disclosed to doctors and hospitals will end up in the hands of databanks, insurance companies and prospective employers led the U.S. Department of Health and Human Services in December, 2000 to propose 1,553 pages of new patient privacy rules under the Health Insurance Portability and Accountability Act (HIPAA). Now implemented, by the Bush Administration, these rules oblige doctors to seek patient consent to use medical records in routine matters, and give patients greater access to their own records. Although the rules were originally scheduled to begin taking effect on February 26, 2001, Tommy G. Thompson, the new secretary of health and human services, announced that the effective date would be postponed to April 14, as the new administration reviewed them to ensure they would "work as intended throughout the complex field of health care, without creating unanticipated consequences that might harm patients, access to care or the quality of care."

Aggressive collection, merging and mining of consumer information: Increasingly, businesses have signalled the intent to collect and exploit the personal data of consumers, particularly data gathered over the Internet. The merger of database marketer Abacus Direct with online ad company DoubleClick sparked a federal investigation in January 2000 when it was revealed that the company had compiled profiles of 100,000 online users without their knowledge and intended to sell them. Although the plan was abandoned under intense public pressure, and online marketers Avenue A and MatchLogic were named in proposed class-action lawsuits alleging that they track customers without permission, the matching of consumers' web-surfing habits with traditional "offline" personal data, such as name, address, and income, remains attractive for marketers. For example:

Amazon.com, a bellwether of the Internet economy with 20 million customers, changed its privacy policy in September, 2000 to warn that customer data will be considered a marketable asset if the company is ever acquired, or sells off operations.
The auction of the customer database of bankrupt e-commerce company Toysmart.com was halted only after the intervention of the Federal Trade Commission.
As a result of complaints from online advertisers, Microsoft backtracked on a software patch for Internet Explorer that would allow a computer user to automatically block third-party "cookies". Instead, Microsoft will support the P3P (Platform for Privacy Preferences) standard in the upcoming Internet Explorer 6.0, that will enable users to set privacy preferences for sites while web surfing. Earlier in the year revelations that the National Drug Control Policy Office's Anti Drug Web placed "cookies" on user's computers led to an executive order banning cookies on U.S. federal websites.
The Gramm-Leach-Bliley Act went into effect in November, 2000, permitting banks, brokerages and insurance companies under the same roof to share customer information (possibly with third parties) if customers are notified how the confidential information will be used and allowed to opt-out. In the face of an extension passed earlier in the year that gave financial institutions until July 2001 to comply with the new rules, privacy advocates argued that the act did little to protect the online transfer of information.

Wireless privacy concerns: The U.S. government is mandating the deployment of location-sensing E911 service for cell phones in 2001. Following in the footsteps of wireline telemarketers, a wide range of data-service providers and marketers look to piggyback on the new wireless technology to send text ads and discount offers to cell phone subscribers.

Public access to private communications: In a variety of cases, computer server logs of government agencies and schools have been sought by the media, and by individuals, as public records. Among the incidents that illustrate this trend, a county prosecutor's secretary, fired in Washington state, had her email traffic disclosed to the media, and a school superintendent who resigned his position had his alleged web-surfing activities published in the local newspaper.

The appearance of the Chief Privacy Officer ("CPO") in corporate boardrooms: While law professor Peter Swire wrapped up his two-year tenure as the America's first chief privacy counsellor to the president, Microsoft, IBM, American Express and dozens of other firms of varied sizes have created a new executive position called Chief Privacy Officer ("CPO"). Drawing on varied backgrounds ranging from law to marketing, the position involves both public relations, and fledgling efforts to coordinate their company's strategic, legal and technical teams to enforce the company's own posted privacy policies.

The above reflects some of the growing concerns both citizens and governments have about the possible inappropriate use of personal information. Data protection has moved to the heart of the knowledge economy. More and more countries are enacting some forms of statutes, regulations or voluntary codes of practice, in order to address the abiding technological issues, concerns of the individuals in society and, finally, to create environments of confidentiality and trust. It is the latter that has driven many governments to act as they continually enact mechanisms to stimulate e-commerce and thus enhance further their knowledge economies.

II. Data Protection Initiatives

1. Background

1. Growing Calls for Action

In the area of data collection and exchange, the serious concerns canvassed above privacy have given rise to widespread demands for privacy-enhancing data protection on a global scale.

At the 22nd International Conference on Privacy and Personal Data Protection, held in Venice in September 2000, data protection commissioners from around the world adopted the "Venice Declaration", calling for a universal system of data protection.

Recognizing privacy as a fundamental personal right and a constitutive element of citizens' freedom, the Declaration seeks implementation of guidelines for the processing of personal data that:

• reaffirm the binding nature of these privacy principles, with particular regard to the purposes of data collection, the need for fair, transparent processing operations (especially in respect of the so-called invisible processing operations), proportionality, quality of data, time for which the data can be kept, access and the other data subjects' rights;
• provide data subjects with more effective protection via the independent supervision of processing operations and the availability of user-friendly remedies;
• strengthen the safeguards applying to the processing of certain categories of data such as genetic data or data related to the various types of electronic

This "would allow citizens worldwide to attain an adequate, more widely shared level of protection regardless of the place where the processing is performed and irrespective of the instruments used for implementing protection in national and international fora."

In the United States, a broad, bipartisan coalition of privacy organizations and constituencies, such as American Library Association, the United Automobile Workers, U.S. Public Interest Research Group, Electronic Frontier Foundation and Privacy International appealed to President Bush, the Congressional Leadership and State representatives for the adoption of a comprehensive framework for privacy protection to safeguard the rights of Americans in the years ahead. The framework includes:

• The implementation and enforcement of strong Fair Information Practices, including the right to access one's own information held by others, to limit the use of the information, and to obtain redress when information is improperly used, as well as notice, consent, and security.
• The creation of a privacy commission to address emerging privacy issues.
• Limitations on new surveillance technologies, including locational tracking, video surveillance, and workplace monitoring.
• Support for genuine Privacy Enhancing Techniques that limit the collection and use of personal information.

This climate of concern over privacy has spawned a number of initiatives involving the transborder flow of data. Those relating to the European guidelines are outlined below. First, however, it is helpful to briefly examine the "Fair Information Practices" upon which most data protection regimes are based.

2. The Fair Information Practices

The term "Fair Information Practices" ("FIPs") refers to a general set of 8 standards or principles governing the collection, accuracy and use of personal data. Although these principles were first set out in a formal way by the OECD's 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the Fair Information Practices have been adopted, modified and expanded by different commercial organizations and political bodies around the world.

The Fair Information Practices consist of:

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except:

1. with the consent of the data subject; or
2. by the authority of law.

Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle: An individual should have the right:

1. to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
2. to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him;
3. to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
4. to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

The Fair Information Practices provide guiding principles and a general framework within which data protection rules can be formulated, such as those relating to Safe Harbor, (discussed below).

In Canada, for example, the Canadian Standards Association has created a voluntary national standard for the protection of personal information, called the Model Code for the Protection of Personal Information. This Model Code has been augmented to include 2 more fair information practices, namely to require the consent of an individual to the collection of his or her personal information, and to allow an individual to broadly challenge an organization's compliance with any of the principles. Canada's federal Personal Information Protection and Electronic Documents Act, in force January 1, 2001, specifically adopts the CSA Model Code and requires private sector compliance with the Code's 10 fair information practices.

1. Data Protection Regimes in Europe

1. European Union

The European Community has enacted two data protection Directives, one in 1995 and one in 1997. The rationale for these has been said to be "to harmonize laws throughout the EU to ensure consistent levels of protections for citizens and to allow for the free flow of personal information throughout the EU."

The 1995 Directive required member states to pass legislation blocking the transfer of information to non-member states that do not provide an adequate level of data protection. This Directive has led to the Safe Harbor agreement between the United States and the EU, as will be discussed below, and motivated Canada's new Personal Information Protection and Electronic Documents Act, which came into force January 1, 2001.

The 1995 Directive focuses on the protection of individual rights. A recent study examines the data protection accorded to the rights and interests of legal persons, and:

• examines in detail the current (and, to a lesser extent, the proposed future) situation in the Member States of the EC with regard to the applicability of the Member States' national data protection laws to legal persons;
• describes and evaluates the risks to the free movement of data within the internal market resulting from the differences between the national laws in this respect and;
• makes recommendations as to the ways in which the provisions of the 1995 Directive could be extended to the protection of the rights and interests of legal persons

But the Directive is not without its critics. Jacob Palme, a professor of computer science at Stockholm University, has documented how Sweden's implementation of the directive has censored anti-bank and animal rights activists and limits search engines. "The Swedish Data Inspection Board has in general interpreted the law in such a way that it allows all activities which it likes, but disallows all activities which it dislikes. The general view in Sweden is that it is not enough to make slight changes in the directive. The whole directive should be rewritten."

The 1997 Directive, more commonly known as the Telecommunications Directive, "establishes specific protections covering telephone, digital television, mobile networks and other telecommunications systems." However, it will likely be replaced by a proposed new Directive, introduced in July 2000, "on the processing of personal data and the protection of privacy in the electronic communications sector" that will extend an individual's telecommunications protections to a broader, more technology neutral category of "electronic communications."

The proposed directive will:

• replace existing definitions of telecommunications services and networks with new definitions of "electronic communications services and networks."
• add new definitions and protections for "calls," "communications," "traffic data" and "location data" in order to enhance the consumer's right to privacy and control with respect to a variety of data processing practices. For example, it would ensure the protection of all information ("traffic") transmitted across the Internet, prohibit unsolicited commercial marketing by e-mail (spam) without opt-in consent, and protect mobile phone users from precise location tracking and surveillance
• give subscribers to all electronic communications services (such as GSM and e-mail) the right to chose whether they are listed in a public directory.
• Allow member states to restrict provisions of the Directive in the interests of law enforcement and public security.

The latter exemption for law enforcement is indicative of the growing tension between the impetus towards data protection and privacy and concern of European bodies (both the Council of Europe and the EU) about the growing phenomena of "cyber crime". While data matching and other uses of technologies can be extremely helpful in combating criminal activity, particularly in cyberspace, it can also lead to serious invasions of privacy not just in regard to suspected or accused individuals, but also in regard to the thousands or millions or innocent individuals caught in a data matching net.

Following in the footsteps of several of its member states, the G8 and the U.S., the European Commission plans on establishing a Forum on cybercrime to enhance cooperation across borders and discuss sensitivities involved with the issue, such as the appropriate balance between privacy, law enforcement and business. The Forum will bring together law enforcers, service providers, network operators, consumer groups and data protection authorities in order to enhance the current level of co-operation and awareness of the issue. It will serve as both a rapid alert body to tackle incidences of cybercrime and as a general platform for information exchange.

The Forum flows from the wider e-Europe Action Plan, agreed by EU heads of state at the Lisbon summit last March, to integrate Europe into the new economy by 2002. Put forward by the commissioner for information society, Erkki Liikanen, and the commissioner for justice and home affairs, Antonio Vitorino, one of the key objectives behind this latest initiative is to inspire consumer confidence and boost e-commerce, and to address a serious gap in the EU's current resources for fighting cybercrime. A parallel measure contemplates the creation of specialised cybercrime police units in countries where they do not already exist, and technical training to further enhance European network security.

2. Council Of Europe

The Council of Europe ("CoE") has been a leading force in regard to data protection since 1950.

Article 8 of the 1950 European Convention on the Protection of Human Rights and Fundamental Freedoms, promoted protection and respect for "private life". Article 8 states:

Everyone has the right to respect for his private and family life, his home and his correspondence.

There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Emphasizing the importance of data protection in the interpretation of Article 8, the Convention, the European Court of Human Rights has stated that:

"the protection of personal data (...) is of fundamental importance to a person's enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention".

Article 8 is the European regional variation of:

• Article 12 of the Universal Declaration on Human Rights, which states:

  "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Article 17 of the International Covenant on Civil and Political Rights which states: " No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." (For the text of the General Comment on Article 17 by the ICCPR Committee, see Appendix "A").

In 1974, Resolutions (73) 22 (1973) and (74) 29 (1974), which established principles for the protection of personal data in automated data banks in the private sector and the public sector, culminated in the creation of "the first legally binding international instrument with worldwide significance on data protection," the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data. Opened for signature on 28 January 1981, this convention takes on increased weight because of its status as a treaty document.

The 1981 Convention enunciates "data protection principles of "fair and lawful collection and automatic processing of data, storage for specified legitimate purposes and not for use for ends incompatible with these purposes, nor kept for longer than is necessary. They concern also the quality of the data, in particular that they must be adequate, relevant and not excessive (proportionality); their accuracy; the confidentiality of sensitive data, information of the data subject and his/her right of access and rectification."

The Convention also deals with the conditions under which data may freely flow between States party to the Convention. Parties may derogate if the level of protection in the other State is not "equivalent" or the data is being sent to a third country that is not a Party to the Convention.

In June 2000, the Consultative Committee of CoE (also known as the "T-PD") adopted a draft protocol to the 1981 Convention reinforcing the Supervisory Authorities and prohibiting the transfer of personal data to States or organizations that do not provide for an adequate level of protection.

Supporting this is the publication of a model contract as part of an effort to use contract law to facilitate transborder data flows between Parties to the Convention and states not Party to the Convention. The Convention's Consultative Committee, the European Community and the International Chamber of Commerce have developed the model contract. A related Report, published during 2000 on the role of contracts in transborder data flow, is currently being considered by the Consultative Committee.

3. OECD

The OECD's concern with privacy has, arguably, undergone a significant evolution since the late 1970's, from an emphasis on privacy and data protection in the human rights context to a focus on privacy as an important and enabling component of e-commerce. During that period, the OECD has focused less on elaborating new standards than on elaborating mechanisms for implementing and enforcing those standards, such as contractual and technological "fixes" to the perceived privacy problems.

In setting out its objectives with respect to privacy, the OECD notes:

An important question to be addressed before new technologies will be wholly embraced and electronic commerce can reach its full potential is how to build user confidence in network technologies and electronic transactions. Trust in electronic communications and commerce requires that: services and networks are secure and reliable; transactions are safe and private; personal data are protected; the origin, receipt and integrity of information received can be proved; means of identifying the parties involved are available; and there are appropriate redress mechanisms if something goes wrong. Secure and user-friendly technologies and a predictable regulatory environment to support them will form the framework for building business and consumer trust in electronic transactions.

This emphasis on privacy as facilitator of e-commerce has been echoed, among other places, at both the OECD Conference "Dismantling the Barriers to Global Electronic Commerce" held in Turku, Finland, in November 1997 and the Emerging Market Economy Forum in Dubai., in January 2001. At a February, 1998 workshop on "Privacy Protection in a Global Networked Society", participants recognized that:

...the growth of electronic commerce requires increased consumer confidence in privacy protection, and that the OECD Guidelines continue to provide a common set of fundamental principles for guiding efforts in this area. They affirmed the commitment to protect individual privacy in the increasingly networked environment, both to uphold human rights and to prevent interruptions in transborder data flows.

In pursuing these objectives, the OECD has generally been guided by an approach that stresses:

the development of "soft law" standards around which national laws and other instruments may be harmonized;
the negotiation of non-binding standards which establish authoritative, morally compelling yardsticks against which laws and practices can be measured.

Out of that approach has advanced a number of significant Recommendations, highlighted by the following e-commerce oriented initiatives:

1. 1980 - Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Adopted September 23, 1980. (In the view of the OECD, "The Privacy Guidelines are applicable to the online environment since they are technology-neutral and apply to all types of personal data; they still represent an international consensus on general guidance concerning the collection and management of personal information.")
2. 1992- Guidelines for the Security of Information Systems. Adopted November 26, 1992.
3. 1995 - The Declaration on Transborder Data Flows. Adopted April 11, 1985.
4. 1997 - The Recommendation concerning Guidelines for Cryptography Policy. Adopted March 27, 1997
5. Ministerial Declaration On The Protection Of Privacy On Global Networks. Adopted by Ottawa Ministerial Conference 7-9 October 1998, and integrated into the instruments of the Organization on October 19, 1998. The Ministers' Declaration reaffirms "their commitment to the protection of privacy on global networks in order to ensure the respect of important rights, build confidence in global networks, and to prevent unnecessary restrictions on transborder flows of personal data". A number of reports, conferences, publications and tools have resulted, in particular, from this Ministerial Conference 1999 - Guidelines for Consumer Protection in the Context of Electronic Commerce.

Lastly, the OECD is pursuing the promotion of:

• the use of privacy-enhancing technologies. ("PETs")
• user education and awareness about online privacy issues.

Additional work is also being undertaken on the issue of privacy and security related to genetic testing.

4. The U.S. - European Union Compromise: Safe Harbor

Background

In an environment of global information exchange, data exchange, and therefore data protection, cannot end at national borders. Not surprisingly, therefore, one of the cornerstones of European Union data protection policy is the 1995 Data Directive that complying states block the transfer of information to non-member states that do not provide an adequate level of data protection.

In the context of European Union - U.S. data flows, this has caused significant challenges, as the stricter rules of the European privacy regime has clashed with the sectoral, self-regulatory approach favoured by the United States.

In order to ensure the free and continued flow of data between the EU and U.S., the U.S. began negotiating a "Safe Harbor" agreement with the EU in 1998. Applying to companies overseen by the Federal Trade Commission and Department of Transportation (excluding the financial and telecommunications sectors), "Safe Harbor" allows U.S. companies to voluntarily self-certify adherence to a set of privacy principles agreed to by the U.S. Department of Commerce and the Internal Market Directorate of the European Commission. These companies would then have a presumption of adequacy and they could continue to receive personal data from the European Union.

Privacy and consumer advocates criticized the negotiations, arguing that Safe Harbor status rests on a self-regulatory system without a meaningful enforcement mechanism or a systematic review of compliance, and lacking an individual right to appeal or right to compensation for privacy infringements. Nevertheless, the Commission approved the agreement on July 26, 2000 while promising to re-open negotiations on the arrangement if the remedies available to European citizens prove inadequate. U.S. companies were permitted to join Safe Harbor starting in November, 2000, and an open-ended grace period was given for U.S. signatory companies to implement the Safe Harbor principles.

The Safe Harbor Principles

As enunciated by the U.S. Department Of Commerce on July 21, 2000, those principles include:

NOTICE: An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

CHOICE: An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice. For sensitive information (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.

ONWARD TRANSFER: To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.

SECURITY: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

DATA INTEGRITY: Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

ACCESS: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

ENFORCEMENT: Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

The Federal Trade Commission and the Department of Transportation are empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals in case of non-compliance with the Principles implemented in accordance with the agreement.

It is important to emphasize that, certainly from the perspective of the EU, participation in the "safe harbor" is not intended to change the status quo ante for any organisation with respect to jurisdiction, applicable law or liability in the European Union. Moreover, "safe harbor" discussions "have not resolved nor prejudged the questions of jurisdiction or applicable law with respect to websites. All existing rules, principles, conventions and treaties relating to international conflicts of law continue to apply and are not prejudiced in any way by the "safe harbor" arrangement."

Appendix A

Data Protection Related Recommendations by Council of Europe's Project Group on Data Protection

• Recommendation No. R (99) 5 for the protection of privacy on the Internet (23 February 1999)
• Recommendation N? R(97) 18 on the protection of personal data collected and processed for statistical purposes (30 September 1997)
• Recommendation N? R(97) 5 on the protection of medical data (13 February 1997)
• Recommendation N? R(95) 4 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services (7 February 1995)
• Recommendation N? R(91) 10 on the communication to third parties of personal data held by public bodies (9 September 1991)
• Recommendation N? R(90) 19 on the protection of personal data used for payment and other operations (13 September 1990)
• Recommendation N? R(89) 2 on the protection of personal data used for employment purposes (18 January 1989)
• Recommendation N? R(87) 15 regulating the use of personal data in the police sector (17 September 1987) and Second evaluation Report of the Recommendation
• Recommendation N? R(86) 1 on the protection of personal data for social security purposes (23 January 1986)
• Recommendation N? R(85) 20 on the protection of personal data used for the purposes of direct marketing (25 October 1985)
• Recommendation N? R(83) 10 on the protection of personal data used for scientific research and statistics (23 September 1983)
• Recommendation N? R(81) 1 on regulations for automated medical data banks (23 January 1981)
• Resolution (74) 29 on the protection of individuals vis-à-vis electronic data banks in the public sector
• Resolution (73) 22 on the protection of privacy of individuals vis-à-vis electronic data banks in the private sector.