1. The UK Registrar has published an excellent "guidance" paper on assessing
adequacy including contractual arrangements. It is available under Guidance at
www.dataprotection.gov.uk
2. The Hong Kong Data Protection Commissioner also has posted a form of contract
for use from that jurisdiction, which I believe is generally considered
"adequate" in Europe. See www.pco.org.hk.
3. I would caution about use of the draft ICC contract posted on its website.
It is the subject of considerable negotiation by the ICC group, of which I am a
member, and the Article 29 Committee established by the Data Protection
Directive.
4. As far as the "adequacy of privacy protection" in the US is concerned, I
think this is a gross canard which ill-informed observers continue to repeat
without independent verification. I would observe that no government in Europe,
outside Spain, has officially stated this conclusion. In fact, the EC hired
two respected US legal scholars of privacy, Reidenberg and Schwartz, to study
whether the US was "adequate". These two professors very much advocate stronger
privacy protections in the US, but their work surveyed the vast variety and
scope of our legal protections and they specifically concluded that because
"adequate" was such a vague word, they could not honestly conclude that the US
laws were inadequate. (This book was never published by the EC, which wishes it
would sink out of sight, but it is still available in print. Search
Amazon.com.) I would also observe that as a practicing lawyer in the United
States with 20 years of experience around the world, citizens and individuals
have far more effective legal recourse against misuse of their personal
information in ways which our public policy has found harmful than anywhere else
on earth. It seems clear to me that the Article 29 paper on assessing adequacy
issued in 1998 was poorly researched (and perhaps not researched at all), and
progressed from presumptions and biases in favor of the more "statist" role of
government prevalent in Europe. For example, they made no study of our common
law doctrines on privacy, our legal system, or the ease of access to that system
by individuals, and in fact make gross errors of legal interpretation and build
to conclusions on the basis of those errors. Not having further resources to do
an intellectually-honest job, Article 29 ended up concluding that adequacy could
only be provided by a country having "a law like ours." And the US-EU
negotiations on the Safe Harbor concept have proceeded on the European side on
that basis. I.e., "you don't have an overarching law like ours, so prove you are
adequate." Lawmakers and scholars have tried to write a US Data Protection Law,
and repeatedly fail because an omnibus law inevitably runs afoul of our
Constitutional protection of freedom of speech and press. One omnibus confronts
another, and that creates a lot of conflict.
5. The Citibank model contract is notable in its provisions. It makes a very bad
and practically unusable model for 99% of business needs. It is also noteworthy
that the German authorities "monitor" the contract only in the sense that they
have an address and a phone number for German citizens to call to complain.
They have neither funds for nor interest in actually monitoring processing in
America.
Regards,
Yosi Margalit wrote:
> Dear Sally and Friends,
> 1. Indeed the USA does not have an "adequate arrangement" within the spirit
> of the EU decree and UK DP law.
> 2. "Adequate Arrangements" exist only in several countries outside EU e.g.,
> Israel (Privacy Protection Law 1981 and Protection of Databases Regulations
> 1986).
> 3. True all of us have a problem of protection of privacy in cases where we
> need to use transborder dataflow for good reasons.
> 4. International Chamber of Commerce, has suggested contractual specific
> arrangements within a frame of contractual clauses. As the Decree enables to
> co-operate with entities in countries where the legal system is insufficient
> and does not ensure the principal rights.
> 5. A sample is a German special permit to process in USA the transaction by
> Credit Cards sold by a USA firm to German Citizens. The German Data
> Protection Registrar (the equivalent to UK DP R ) is supervising regularly
> the site where such data is processed for specific adequate arrangements of
> security as well as proper handling of customers complaints if any.
>
> The clauses are available in the ICC site.
> To learn more and get some real guidelines use
> :http://www.oecd.org//dsti/sti/it/secur/act/cont-e.htm
>
> Regards
>
> Yosi Margalit LL.B. CISA
> Member of the Public Council for Protection of Privacy
> Ministry of Justice, Government of Israel
> reply to: [log in to unmask]
> Tel ++972-3-5464642, Mobile :972-58-804368
> FAX : ++972-3-5463152
>
> ----- Original Message -----
> From: <[log in to unmask]>
> To: <[log in to unmask]>
> Cc: <[log in to unmask]>
> Sent: Thursday, February 17, 2000 4:14 PM
> Subject: US acts
>
> > It has always been reported that the USA does not have a data protection
> > act and with our new Act we may have problems for transborder flow with
> > the US.
> >
> > However the following two Acts have come to light and I would appreciate
> > your comments on their status etc and how they affect the UK.
> >
> > I extract from the web site :-
> >
> > http://www.foipa.com/
> > The Freedom of Information Act
> > Public Law No. 104-231, 110 Stat. 3048
> >
> > The Freedom of Information Act establishes
> > the right of the public
> > to obtain information
> > maintained by the federal or state
> > government and their agencies
> >
> > and
> > http://www.foipa.com/PAText.html
> > THE PRIVACY ACT OF 1974
> >
> > which has many familiar terms and definitions
> >
> > Thanks in advance
> >
> > Sally Justice
> >
> >
--
Charles A. Prescott
Vice President, International Business Development
and Government Affairs
Direct Marketing Association
1120 Avenue of the Americas
New York, NY 10036
U.S.A.
Tel. (1) 212-790-1552
Fax. (1) 212-790-1499
e-mail: [log in to unmask]
website: www.the-dma.org