PL&B International E-news, Issue 32

  1. Safe Harbor privacy programme flawed says EU report
  2. UK set to respond to European Commission charges
  3. Telecoms operators cannot hide behind data protection law
  4. Ontario prepares for health privacy law

1. Safe Harbor privacy programme flawed says EU report

Organisations transferring customer and employee records between the EU and US are potentially breaking European data protection law, according to a European Commission-backed study published last week. Academics in Belgium, Norway and America have uncovered a number of compliance gaps within the Safe Harbor privacy programme - a scheme set up to allow the exchange of data between the US and Europe.

Safe Harbor is seen as a streamlined method for US multinationals to comply with the European Data Protection Directive, which places restrictions on the transfer of personal data outside the EU. Under Safe Harbor's self-certification process - which is managed by the US Department of Commerce (DoC) - organisations are required to publicly state their compliance with a set of Safe Harbor 'Privacy Principles' that have been approved by the European Commission.

The Commission's study, however, found that a "substantial minority" of participants are failing to indicate Safe Harbor compliance through their privacy policies. While the majority of signatories have declared compliance, a "relevant number" are not properly translating the programme's principles into their online privacy policies. The study notes that a number of organisations are unclear on why they are handling personal data, are failing to give consumers control over how their details are shared with third parties, and are inhibiting individuals' right to access their records.

The report also highlighted problems over how Safe Harbor is managed and enforced, calling for additional guidance and scrutiny from the US Department of Commerce, as well as more proactive monitoring by the Federal Trade Commission (FTC), the body responsible for enforcing compliance with the Safe Harbor principles.

Since its launch in November 2000, Safe Harbor has been pilloried over the poor take-up from US multinationals. By the end of 2001 only around 130 companies had signed up to the programme. Although current figures show that close to 600 organisations are now participating in Safe Harbor, the Commission concedes that the number is "lower than anticipated".

Full analysis on the Safe Harbor status report will be published in the October/November edition of PL&B International.

Click here for a copy of the European Commission's study

2. UK set to respond to European Commission charges

The UK government is expected to respond this week to a European Commission probe into the country's data protection legislation. In July this year, the Commission launched an investigation after concerns were raised that the UK's narrow interpretation of the EU Data Protection Directive was restricting individuals' privacy rights. It has also been suggested that the UK regulator's lack of adequate enforcement powers is a further target for reform by the Commission.

Although the two-month deadline for a response set by the Commission has since passed, government advisors are now close to issuing a reply, according to a report by IT Week. However, should the Commission be dissatisfied with the government's response, it could formally request the UK to change its law. Failure to do so could result in a case being brought before the European Court of Justice (as in the case of Austria, see story below).

3. Telecoms operators cannot hide behind data protection law

The European Court of Justice has ruled that EU data protection laws do not prevent telecoms operators from providing itemised billing services to their customers. In a decision published last week, the Court of Justice upheld a case brought by the European Commission against Austria, in which the government was accused of failing to provide consumers with protection under the itemised billing provisions contained in an EU telecommunications directive (98/10/EC). According to the Commission, users of fixed line telephony services in Austria were not being given sufficient information to allow them to identify and verify the calls they had made.

Although Austria argued that the directive in question was subject to data privacy controls and that providing more detailed billing would infringe data protection law, the Court ruled that the Austrian government had provided insufficient evidence to support its claims.

Click here for a copy of the judgment

4. Ontario prepares for health privacy law

A new law governing the collection, use and disclosure of health-related data comes into effect in the Canadian province of Ontario on November 1st. The Personal Health Information Protection Act (PHIPA) will apply to all individuals and organisations in the healthcare sector. Service providers and third parties such as insurance companies or employers will also be governed by the rules.

The Information and Privacy Commissioner for Ontario will be responsible for enforcing the new law, which will give individuals choice over the use of their details for marketing, the right to access their personal data, and the right to correct any inaccuracies. Individuals involved in the processing of health data who breach the law could receive fines of up to CAN$50,000, while organisations could be hit with penalties of up to CAN$250,000.

Full text of the Personal Health Information Protection Act (PHIPA)

Guidance from the Information and Privacy Commissioner for Ontario


Copyright Privacy Laws & Business 2004