
HP embraces U.S.-Europe 'safe-harbor' privacy deal

Guidelines will govern transfer of confidential employee and customer data.

Patrick Thibodeau, Computerworld

Hewlett-Packard is signing up to adopt the U.S.-Europe "safe-harbor" provisions on data privacy, making it the largest company to do so thus far and providing the struggling privacy effort with its biggest boost since the arrangement took effect last November.

Moreover, the computer and software vendor says the safe-harbor privacy protections negotiated by the U.S. Department of Commerce and European officials will now be applied to all of its data transactions--a vow that could lend credence to the idea that the accord may help raise privacy standards in the United States in addition to its main goal of providing a self-regulatory framework for companies doing business in Europe.

The safe-harbor agreement provides a manageable "legal and ethical" means to move data between the United States and Europe, says Barbara Lawler, HP's consumer privacy manager. "If corporations are serious about following the self-regulation approach, rather than having to deal with privacy regulations, then this is what they should be looking at," she adds.

Many Companies Slow to Adopt

But to date, only 21 companies have signed up for the voluntary safe-harbor certification program, which provides legal protection from Europe's tough privacy laws to U.S. companies that transfer information about employees or customers out of European databases. Commerce Department officials have been trying to boost that number in order to bolster the legitimacy of the safe-harbor deal.

Companies that agree to adhere to the safe-harbor provisions have to promise to give European Union residents some basic privacy protections, such as notices about how personal information will be used and the ability to opt in or opt out from having sensitive data disclosed to other businesses. Access to personal data is also guaranteed, as is the right to amend and correct the data.

Most of the companies that have signed up, with the exception of HP and Dun & Bradstreet, are small to medium-size businesses. Many Fortune 500 companies are still "investigating their options or taking a wait-and-see approach," says Jeff Rohlmeier, a trade official at the Commerce Department.

American companies have been "sort of reluctant to be first out of the box" for fear of being singled out for scrutiny by European authorities, says Barbara Wellbery, who was the principal negotiator of the agreement while she worked at the Commerce Department. "So the more big companies on the list, the better," adds Wellbery, who is now an attorney in the Washington office of Morrison & Foerster.

Adopters See Benefits

But Jean Cantrell, Dun & Bradstreet's director of government affairs, says the company has realized immediate benefits by agreeing to the safe-harbor provisions. For example, by consolidating a U.K.-based data center with one in New Jersey, the company was able to save a significant amount of money in legal expenses by gaining a waiver for the required data transfers. "I think [the accord is] working in terms of its objective," Cantrell says.

However, the clock is ticking on the agreement. European authorities plan to review U.S. corporate compliance with the provisions this summer, and they possibly could begin enforcement actions against companies that haven't agreed to comply shortly thereafter, according to people familiar with the process.

The safe-harbor pact isn't the only option for U.S.-based companies that want to comply with Europe's data protection laws. Companies can also use a "model contract" that guarantees adherence to the regulations and is signed either by a European country's data protection authorities or by individual workers or customers whose data is being transferred to the United States.

But European officials are still negotiating the wording of the model contracts with the Commerce Department, and an official at the U.S. agency says a final version may not be ready until June.

In addition, the model contracts may turn out to be a less desirable option for companies than the safe-harbor provisions, because it's possible that the compliance standards built into the contracts "will be tougher," says Donald Harris, president of HR Privacy Solutions, a consulting firm.

Does Safe Harbor Fall Short?

Although the safe-harbor provisions come close to meeting the data-protection standards that some privacy advocates would like to see U.S. companies adopt in general, the self-regulatory approach still falls short of providing adequate safeguards, says Marc Rotenberg, executive director of the Electronic Privacy Information Center.

The safe-harbor agreement "lacks an adequate means of enforcement," Rotenberg says. "We think this needs some legal bite. Right now, it's a system that basically allows companies to self-certify without any real expectation of government oversight."

Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.
