The issue of "safe harbour" in EU - USA personal data exchange seems to be
new... but it is as old as "out-sourcing" and data comm.

In 1981 Israel has passed a EU compliant Privacy Protection Law...
immediately came up the issue of IBM, DEC, INTEL, Nat-Semi etc. - all the
big multi-nationals who are anchored in Israel ... IBM (Israel) Ltd., is a
legal entity subsidiary, registered in Israel - BUT... Human Resources of
IBM Israel are utilized by the world wide IBM affiliated enterprises. This
could not be achieved without transborder sharing of data. Same applied to
DEC, Intel etc.

When a USA company elects to process its employees payroll in CANADA
(Service bureau) it is "transborder data flow - to a country considered to
have "adequate legal arrangements" - the opposite way is legally a
transborder data flow which is going to a country which lacks arrangements.
There is no other way to protect the rights but via Inter Company agreements
(proposed by ICC about 2-3 years ago).

A directive which is impractical and impossible to preserve - must be
declared null and void - since no legal idealism can be allowed to make the
majority of the public criminals with a swipe of vote in Parliaments.

What seems to be the root of the matter is not the mere Transborder data
flow... it is the rights of the individual to address the culprit in case of
breach of his rights... we must remember that the bi-partisan agreements are
geared just for this purpose.

The enforcement of data protection is yet another issue - agreements are
printed words if they are not implemented in real life. There was a case
which involved German individuals - who were offered to use Credit Cards by
a firm whose clearing centre was in the USA. (I am unable to recall the
name). The Data Protection Commissionaire of Germany insisted the company
shall be allowed to market its CC services to German persons ONLY IF IT
ALLOWS GERMAN INSPECTORS to visit its site of processing and inspect that
all the security measures required by the agreement are constantly in place
and effective.

So, there is a way and NEED to ADVISE generally an employee of transborder
data flow (general contents??) and intended use but it is not necessary to
seek  the "informed consent". Moreover I agree that any consent which is
given by an employee, under these circumstances is flimsy, since it is
almost a coerced consent - "you do not accept my business practices - you
can loose your job, or never start one in my office".

Thus the Country and the executive branch should actually take care of their
citizens in such a case. Yet I wonder to what extent the Commissionaire's UK
team is prepared and available for the German like inspection.

It is still a riddle for many why are the USA Federal Government and
Legislative Bodies avoiding the issue and does not promote legislation to
complement and replace the only source of the right a decision of Judge
Brandies of the USA supreme court that Privacy is a constitutional right
although it is not spelled out in the USA Constitution. Furthermore that
breach of the right is a Federal Crime also when it was committed by a
non-government entity.  Nonetheless, it seems impractical to expect the
European Union and other countries who follow the Convention and EU
Directives principals - shall BAN transborder data flow to USA about their
citizens, when business, welfare or other reasons serve as a good \
reasonable cause for it.

Let us remember that the Global Village in which we live today - is GLOBAL
and a Village - some houses and facilities are better built, some under
construction and some need refurbishing ... it is still the same village.
"Safe Harbour is better then nothing, enforcement is required and more
pressure on USA business and government is to be continued.


Yours

Yosi Margalit
Tel: ++972-3-5464642, FAX ++972-3-5463152
Mobile: ++972-58-804368
reply to : [log in to unmask]

-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]]On Behalf Of Donald Harris
Sent: Friday, April 20, 2001 1:50 PM
To: [log in to unmask]
Subject: Re: 8TH PRINCIPLE/SAFE HARBOUR AGREEMENT


A company that relies upon employee consent to the transfer, coupled with an
inter-company contract, as the legal basis for moving employee data from the
EU to the U.S. has a LOT to worry about!

The Directive requires consent to be specific, informed and freely-given,
conditions that are rarely met in the workplace.  Consent does make sense
there in limited circumstances, such as "Do you want your home address
included on the list that will be circulated in the office for the mailing
of holiday greeting cards?"  However, that is precisely because one has
specificity, clear understanding, and an utter lack of interest on the part
of the 800-lb gorilla in this exchange, i.e., the employer.

If these conditions, which are required for genuine consent, are not
satisfied, the value of any "consents" obtained is drastically diminished.
They are certainly subject to legal challenge.  Furthermore, the practice
hardly contributes to positive employee relations.  Employees are very adept
at picking up clues as to when being "asked" if they want to do something is
really being "told" to do it.

Are there companies out there relying upon employee consent and
inter-company contracts?  Absolutely.  Will they be found to be in
compliance in the months and years ahead?  Stay tuned.

Don

* * * * * * * * * * * * * * * * * *
Dr. Donald F. Harris
Chair, IHRIM's Privacy Committee
President, HR Privacy Solutions
1202 Lexington Ave., Suite 318
New York, NY 10028
Phone/Fax:  (212)396-1184
E-Mail:  [log in to unmask]
Website: www.hrprivacy.com
* * * * * * * * * * * * * * * * * *

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^