1. Privacy and data protection in the United States is found in a complex fabric of sectoral regulation, at both federal and state level, combined with industry self-regulation. Considerable efforts have been made during recent months to improve the credibility and enforceability of industry self-regulation, particularly in the context of the Internet and electronic commerce. Nevertheless, the Working Party takes the view that the current patchwork of narrowly-focussed sectoral laws and voluntary self-regulation cannot at present be relied upon to provide adequate protection in all cases for personal data transferred from the European Union.

2. Given the complexity of the US system of privacy and data protection, the establishment in the US of an agreed "benchmark" standard of protection in the form of a set of "safe harbor" principles offered to all economic actors and US operators is a useful approach which might need to be complemented by contractual solutions in certain specific cases. However, further improvements are needed if free movement of data to the United States is to be ensured on the basis of these privacy principles. In addition, it might be necessary to provide for a methodology which makes clear which companies are covered by the "safe harbor" principles.

3. It has to be noted that the decision to adhere to the set of principles belongs solely to the individual company, and so the problem of those companies which do not wish to apply the principles remains whilst no overall legislation exists.

4. Generally, the status of these principles needs to be clarified. Whilst adherence to the principles in the first instance can be voluntary, once a company does decide to adhere and thereby to claim the benefit of "safe harbor", compliance must be compulsory.

5. The credibility of the system is seriously weakened by the lack of a requirement for independent compliance monitoring and by relying solely on company self-certification. Independent verification would need to be serious but could at the same time be practicable, even for small companies. Models currently being developed in the US by the Better Business Bureau OnLine and Trust-E are going in the right direction.

6. It must be possible for complaints from individuals whose data have been transferred from the EU to be dealt with in a practical and effective manner, and adjudicated upon, in the final instance, by an independent body. A key issue in this regard is the identification of one or more independent public bodies or third party organisations in the US that are willing and able to act as contact points for EU data protection authorities and to co-operate in the investigation of complaints. Care must be taken to ensure that practical arrangements are in place for all relevant US sectors. Existing regulatory agencies, such as the Federal Trade Commission and the Office of the Comptroller of the Currency can perform such a role in the areas for which they have competence.

7. In terms of its substantive content, any acceptable set of "safe harbor" principles must, as a minimum requirement, include all the principles set out in the OECD Privacy Guidelines of 1980, adopted amongst others by the United States and recently re-endorsed at the OECD's Ottawa Conference on Electronic Commerce. These principles are also applied by Directive 95/46/EC as well as by national legislation of the Member States of the European Union. In this regard, the above mentioned consultative text of principles published by the US Department of Commerce on 4 November 1998 raises some concerns, in particular: