number of jurisdictions.[23] Irrespective of the final institutional and legal arrangement chosen by Botswana, experience indicates a clear role for government in providing guidance and fostering self-assessment for compliance with internationally accepted data privacy principles.
4.3.17 In the United States, the approach to privacy protection has been the “Safe Harbor Privacy Principles”,[24] which were accepted in part by the European Parliament as an “adequate” means of protecting personal privacy in trans-border data flows.[25] The European Parliament noted that “adequate” protection does not mean “per se that the third country should have the same rules as the Union, but that, regardless of the type of legislative protection in force in the third country, the data subject must be effectively protected.” Objective criteria were to be used to assess effectiveness, such as the possibility of identifying the person to whom the data relates, the type of data being processed, and the mechanisms used to guarantee protection. Although there was no single piece of legislation governing the protection of personal privacy in the United States, there were pending individual sectoral legislative provisions and the US was a signatory to the OECD Ministerial Statement ratified in 1998. Since the European Parliament resolution, legislation has been passed to cover financial services, including banks.[26] In addition, over 150 companies have self-certified under the Safe Harbor framework, including Microsoft, Intel, Hewlett-Packard, and Procter & Gamble.[27] If an organisation leaves the Safe Harbor for any reason, the obligation to continue to follow the Safe Harbor Principles for data collected under the Principles continues. The
[23] For example, Manitoba, Canada: Privacy Compliance Tool Checklist, www.ombudsman.bc.ca; Hong Kong, Safe 2000, www.pco.org.hk; New Zealand Privacy Commissioner, Privacy Impact Assessment Handbook, www.privacy.org.nz/comply/pia.html; Australia, Federal Privacy Commissioner, www.privacy.gov.au; Indonesia, www.gipi.or.id/page/php/Halaman%20Depan/Artikel/40.html

[24] The phrase is taken from securities legislation and practice, where a regulator could determine that certain behaviour or actions constituted a “safe harbor” that was deemed to be compliant with the law.

[25] European Parliament resolution on the Draft Commission Decision on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related Frequently Asked Questions issued by the US Department of Commerce (C5-0280/2000-2000/2144(COS)). See www.epic.org/privacy/intl/EP_SH_resolution_0700.html

[26] See the Gramm-Leach-Bliley Act (financial services); Fair Credit and Reporting Act (credit reporting agencies); the Health Information Portability and Accountability Act (health records). There is also federal U.S. legislation dealing with telemarketing, education records, and video store records. In addition, there are federal and state laws dealing with mailing lists; employment records; electronic surveillance; children’s websites (e.g., Children’s Online Privacy Protection Act); and the use of Social Security numbers.

[27] A list of “self-harborites” can be found on the website of the U.S. Department of Commerce: http://web.ita.doc.gov/safeharbor/shlist/nsf/webPages/safe+harbor+list