Privacy International continues anti-Google campaign [priv]

[Declan McCullagh <declan () well com>]

-------- Original Message --------
Subject:        Gmail complaint text
Date:   Mon, 19 Apr 2004 18:02:40 +0100
From:   Simon Davies <s.g.davies () lse ac uk>
To:     declan.mccullagh


Full text of complaint




Privacy International


Complaints Filed in Sixteen Countries Against Google


Privacy watchdog vows to bring Gmail to heel


Monday, 19th April 2004

For immediate release

The watchdog group Privacy International has today simultaneously filed
complaints with privacy regulators in sixteen countries against Google's
controversial Gmail service.

The move creates Google's biggest challenge yet in the short but
turbulent public debate over its new email service.

Complaints have been filed with the privacy and data protection
regulators of France, Germany, the Netherlands, Greece, Italy, Spain,
Czech Republic, Belgium, Denmark, Sweden, Ireland, Portugal, Poland,
Austria, Australia and Canada along with the European Commission and the
EU Commissioners internal Article 29 Data Protection Working Group.

Privacy International alleges that the Gmail service violates privacy
law, both in Europe and in other countries. The complaint identifies a
wide range of possible breaches of EU law. The 4,000 word complaint
levels numerous charges against the new service, including:

... Inadequacy, unfairness and lack of safeguards or redress in the
Gmail Terms of Use

... An absence of contractual commitment to the security of data

... Breaches of law concerning the interception and scanning of emails

... Absence of adequate customer control over data

... Breaches of law concerning indefinite and unspecified retention of
deleted emails

... Confidentiality issues

... Violation of the rights of third parties

... Breaches of legal conditions relating to offshore processing of
personal data

... Fundamental problems in achieving lawful customer consent

... Problems relating to the processing of Sensitive personal
information

Privacy International had recently lodged a test complaint with the UK
Information Commissioner. The Commissioner last week decided to delay
taking action on the complaint after assurances from Google that the
company would "consult" with officials before it offered the service in
the UK.

Privacy International decided to take global action against Google after
it became clear that a similar assurance to meet US privacy advocates
was not honoured. The watchdog will lodge complaints with a further
thirteen countries in the next two weeks.

Privacy International's Director, Simon Davies, warned Google that it
should tread with great caution.

"Google is showing its true colours. The company pays lip service to
privacy but in this case has demonstrated no real commitment to it" he
said. "I am beginning to suspect that Google looks at privacy in the
same way that a worm looks at a fishhook".

"Google deservedly has a sound reputation for the quality and
functionality of its traditional products. It would be a pity to see
that reputation washed down the toilet because of hostility to privacy"
said Mr Davies.

Davies challenged Google to "come out from its bunker and meet the
advocates."

"Company reputations stand or fall at moments like this" he added.
"Google should face up to the privacy challenge and do the right thing
by its customers. Otherwise the companies reputation will soon turn to
dust".

___________________________ _

- Simon Davies of Privacy International can be reached for comment on
simon () privacy org.


- Privacy International (PI) www.privacyinternational.org is a human
rights group formed in 1990 as a watchdog on surveillance by governments
and corporations. PI is based in London, and has an office in
Washington, D.C.  Together with members in 40 countries, PI has
conducted campaigns throughout the world on issues ranging from
wiretapping and national security activities, to ID cards, video
surveillance, data matching, police information systems, and medical
privacy, and works with a wide range of parliamentary and
inter-governmental organisations such as the European Parliament, the
House of Lords and UNESCO.





Complaint filed with privacy & data protection regulators of France,
Germany, the Netherlands, Greece, Italy, Spain, Czech Republic, Belgium,
Denmark, Sweden, Ireland, Portugal, Poland, Austria, Australia and
Canada along with the European Commission and the EU Commissioners
internal Article 29 Data Protection Working Group (amended according to
the relevant national legal environment)


Privacy International

Complaint:  Google Inc - Gmail email service.

19th April 2004

I am writing with regard to a new Webmail service that is being
established at an international level by Google Inc, a US based company
that operates the world's most popular Internet search engine.

You may be aware that Google announced on April 1st this year that it
will offer an email service which will provide each customer with one
gigabyte of storage space. That is, around 500,000 pages of email per
user. The service is being promoted as a means of creating a centralised
and permanent archive of all email. Gmail says "Google believes people
should be able to hold onto their mail forever." (1) While this may not
currently be possible even at the one gigabyte level, the availability
of the Gmail service will entice many users to maintain a single
account, rather than having several, as many currently do.

However, the Gmail service will electronically scan the subject headers
and contents of all these private emails to generate targeted
advertisements relevant to the email content.

The Gmail service has already prompted substantial criticism from
privacy and consumer groups both in the US and in Europe. (2) It has
also generated a considerable amount of media controversy (3). Privacy
International and many of its members across Europe are concerned that
this service, currently in its Beta testing stage, violates a number of
elements of Data Protection law.

This complaint is made under subject rights set out in Data Protection
legislation, and also within the terms of Article 20 of Directive
95/46/EC of the European Parliament and of the Council (the Data
Protection Directive) that stipulates:

1. Member States shall determine the processing operations likely to
present specific risks to the rights and freedoms of data subjects and
shall check that these processing operations are examined prior to the
start thereof. (4)

The market for webmail services is substantial. The top three webmail
companies have well in excess of 250 million unique users worldwide with
a probable total market of a hundred million users in Europe. Google's
supremacy in the search market will ensure that it stands a strong
chance of challenging the major players.

While the majority of Gmail users are likely to be individuals, there
will be a substantial number of small businesses and other enterprises
using the system - in time possibly numbering in the millions within
Europe. These organisations are required to fulfil a range of conditions
under data protection law. It is our contention that the Gmail service
will not allow these requirements to be fulfilled.

The precedent set by Google is likely to lead to a global trend to
greater US based centralisation and storage of personal emails and a
more comprehensive linkage between content and advertising. Google's
competitors have already moved to increase their storage capacity.(5)
This increased storage and functionality will fundamentally change the
privacy expectation for electronic communication and will create
additional security and data protection threats.

You may be aware that data storage devices have been increasing in
capacity even faster than computing power. The capacity of underlying
recording media has been roughly doubling in size by area every 12
months . This should continue over the next few years, leading to an
approximate 30-fold increase in capacity over five years. The price of
storage has now dropped to the point where it has become at most a
secondary cost-factor in large systems. This is why the Gmail offering
is likely to eventually extend throughout the entire email market.

Such a large increase in storage space not only allows the creation of
greater reserves of data, but it will also facilitate the retention of
more precise and finely grained levels of data (e.g. higher resolution
and frame rate video).
Increased storage capacity will also make possible the retention of
entirely new types of data.(6)

Hence, we believe it is crucial at this stage to assess this type of
service with a view to ensuring that all necessary protections and
safeguards required by the EU Data Protection Directive and national
laws have been implemented. While we understand that the Gmail contract
may be freely entered into by customers, and that Google has provided a
degree of openness about its intentions, the conditions must be in place
to ensure that privacy rights are protected.

You may be aware that n its Working document "Privacy on the Internet",
the Article 29 Data Protection Working Party identified a clear need to
specify the concrete application of the rule on applicable law of the
general data protection directive (Article 4 paragraph 1 (c)), in
particular to on-line processing of personal data by a controller
established outside the Community. This complaint is pursuant to this
concern.

I am writing to set out our concerns and to ask that you investigate the
Gmail service with regard to compliance with Data Protection.

If you determine that the planned service violates Data Protection law I
would request that you notify Google that the service should be
modified, and that regulatory action may be taken to prevent the service
being offered. If the outcome of this process in not satisfactory I
would request that an order may be made to prohibit the export of
personal data to Google.

The Service

Google will offer users one gigabyte of email space. This is an
unprecedented level of storage. Costs of the service will be recovered
through the generation of targeted advertisements that will appear - as
they currently do with Google searches - in the right hand margin of the
page.(7)

The service employs technology that automatically scans the content of
emails and then uses a keyword-matching programme that sifts the
placements of Gmail advertisers. Relevant advertisements will appear not
just on the computers of Gmail account holders, but also on the
computers of other Gmail customers they communicate with.

The practicalities of the Gmail search & target system have been
described as follows:

A colleague who also got an early Gmail account received a link to
Newsday, apparently because an e-mail in his inbox had references to The
New York Times and National Public Radio. When he mentioned this to me
in yet another Gmail message, I received links to the New York Post
online edition and to a site called TheFirstTwins.com. As we continued
the dialogue, I got sponsored links to the Times, plus newspapers from
the United Kingdom. (8)

The service will utilise a unique combination of conventional
technologies and techniques already being employed both by Google and by
other search and email services.

It should be remembered that a large amount of associated and
inferential information is connected to use of such services. Google
announced last week that it is now selling geographically targeted ads
for its search engine ad placements. So, if a user lives in London, then
London advertisers can purchase ads just for that geographic area. This
is being done through geographic analysis based upon the logged IP
address of the user. The point here is that Google is targeting ads
closely. Gmail will greatly help it in doing this via the cookie and IP
correlation.

Additionally, Google has a history of logging consumer information via
its search site. It logs users' search terms by IP address and unique
cookies. One can see this easily (at least the IP logging and keyword
logging) via Google Zeitgeist, a page where Google lists the most
popular terms that individuals across the world have used for the past
years. This data is aggregate. But the material they sell to advertisers
is quite sophisticated. Gmail would be no different, except that the
data could be tied to an individual for the first time on a mass scale.

The issues we raise in this complaint are not all unique to Gmail.
However, it is the scale and functionality of the Gmail service that
poses a heightened level of threat to the rights of individuals and to
the security and privacy of communications. At a more general level, the
service - like others of its type operating in the US where there is an
absence of equivalent legal protections - appears to violate EU data
protection law.


The Google Privacy Policy & Terms of Service

The Google Privacy Policy (9) and Terms of Use (10) provide an insight
into the environment in which Gmail will operate. These documents give
rise to a range of concerns about the ability of the Gmail service to
comply with European data protection provisions. While the privacy
policy appears to provide many of the conditions and notifications that
we would expect from such a service, the Terms of Use leave much to be
desired.

While a number of the issues below are outside the jurisdiction of most
data protection regulators, we feel they are important indicators to
establish the circumstances surrounding the operation and use of the
Gmail service.

Stability of the contract

The Google contract is unstable. Customers should be confident that the
safeguards and protections contained in a contract would be maintained.
However, the Gmail Terms of Use state:

Google may, in its sole discretion, modify or revise these terms and
conditions and policies at any time, and you agree to be bound by such
modifications or revisions. If you do not accept and abide by this
Agreement, you may not use the Gmail service.

This condition gives rise to some concern. A service that will create a
central reserve of a user's emails over many years must be afforded long
term protection. It is a highly sensitive, valuable and vulnerable
resource, and must be subject to a guarantee of long-term safeguards.

It is usual for companies offering "free" services to feel they can
impose such conditions. However, the Terms of Use represent an agreement
of mutual benefit to both the company and to the user. It is thus a
contract involving binding conditions. Under the traditional law of
contract there should be a minimum of disruption to these terms.
Certainly, any change should be conditional upon a degree of
foreseability. No such conditions exist in the contractual environment
set out by Google.

The following conditions also involves a serious degree of uncertainty
and unreliability:

Google also reserves the right to modify, suspend or discontinue the
Service with or without notice at any time and without any liability to
you.

And also:

Google reserves the right to refuse service to anyone at any time
without notice for any reason.

While we accept that similar conditions have been instituted by other
communications providers we feel the unequivocal nature of these clauses
require modification. It is certainly true that communications providers
in Europe have imposed similar conditions, but the rights of consumers
can be enforced through local law. Such is not the case when dealing
with a non-EU provider. This is why the Gmail contract must be more
detailed and rigorous than would be the case if it were based in the EU.
The contractual solutions pursued by the EU with regard to offshore
processing reflect this imperative.

Security of data

Under Section VIII article 17 of the EU Data Protection Directive a data
controller must take full responsibility and accept liability for the
security of personal information. This applies equally when the data is
processed outside the EU. However, the Gmail Terms of Use state:

Google disclaims all responsibility and liability for the availability,
timeliness, security or reliability of the Service.

This is an unacceptable condition. In our view security must be accorded
considerably greater weight within the contract.

Interception and disclosure of content

The privacy of the content of communications must be assured, and any
violation of privacy must be subject to due process. However, the Gmail
contract states:

Google reserves the right, but shall have no obligation, to investigate
your use of the Service in order to determine whether a violation of the
Agreement has occurred or to comply with any applicable law, regulation,
legal process or governmental request.

This condition, in our view, invites abuses. More attention to detail is
necessary. The word "request" implies a potential for omission of the
due process that would be required in the EU and in many other
countries.

Some clarification is offered in the following clause:

Google may monitor, edit or disclose your personal information,
including the content of your emails, if required to do so in order to
comply with any valid legal process or governmental request (such as a
search warrant, subpoena, statute, or court order), or as otherwise
provided in these Terms of Use and the Gmail Privacy Policy.

Note the use of the conjunctive "or". The word "request" remains
undefined. The conditions imposed by US legislation such as the PATRIOT
Act could provide a range of opportunities for US agencies to seize
content without judicial authority  (11)

Additional concerns arise from the following conditions:

Google also reserves the right to access, read, preserve, and disclose
any information as it reasonably believes is necessary to (a) satisfy
any applicable law, regulation, legal process or governmental request,
(b) enforce this Agreement, including investigation of potential
violations hereof, (c) detect, prevent, or otherwise address fraud,
security or technical issues (including, without limitation, the
filtering of spam), (d) respond to user support requests, or (e) protect
the rights, property or safety of Google, its users and the public.
Google will not be responsible or liable for the exercise or
non-exercise of its rights under this Agreement.

This sweeping condition should be contrasted with the view of the
Article 29 group:

The content of e-mail has to be kept secret and must not be read either
by any intermediary or by the Mail Service Provider, even for so called
"network security purposes". (12)

As noted by the Article 29 Group in its guidelines on privacy & the
Internet:

The confidentiality of communications is protected by Article 5 of
Directive 97/66/EC. Under this provision, no third party should be
allowed to read the contents of e-mail between two parties.

The Article 29 Group provided further elaboration on the question of
email interception:

The Article 29 Working Party has dealt with the privacy aspects of
interception of communications in its recommendation 2/9956. In this
recommendation, the Working Party points out that each interception of
telecommunications, defined as a third party acquiring knowledge of the
content and/or traffic data relating to private telecommunications
between two or more correspondents, and in particular of traffic data
concerning the use of telecommunications services, constitutes a
violation of an individual's right to privacy and of the confidentiality
of correspondence. It follows that interceptions are unacceptable unless
they fulfill three fundamental criteria, in accordance with Article 8
(2) of the European Convention for the Protection of Human Rights and
Fundamental Freedoms of 4 November 195057, and the European Court of
Human Rights' interpretation of this provision: a legal basis, the need
for such a measure in a democratic society, and conformity with one of
the legitimate aims listed in the Convention.

And:

Everyone has the right to send a mail to everybody else without that
mail being read by a third party. Article 5 of Directive 97/66/EC, which
covers communications and related traffic data for example sent by
e-mail, lays down obligations as to the confidentiality of
communications. In addition to these obligations, Article 4 of the same
directive obliges the providers of telecommunications services to take
appropriate technical and organisational measures to safeguard the
security of their services and to inform users about a particular risk
of a breach of security and any possible remedies, including the costs
involved.

The Gmail Terms of Use do not recognise these fundamental rights and
conditions, nor do the terms set specific parameters for the reading or
interception of email content.

Subject control over data

Data Protection law ensures that an individual will have the ability to
control her own data. The following clause indicates that this right may
breach the Terms of Use for Gmail:

Accordingly, you agree that you will not copy, reproduce, alter, modify,
or create derivative works from the Service. You also agree that you
will not use any robot, spider, other automated device, or manual
process to monitor, cache, or copy any content from the Service.

One Internet expert has interpreted this to mean:

You can't use a program -- or even a secretary, or a personal plan or
habit -- to pull your own email out of the service! If you want to
terminate and move your mail elsewhere, you can't extract or keep copies
of your own email. (13)

This condition would violate core principles of data protection.

Given the extremely valuable and extensive reserve of communications
data that Google wishes its target customers to amass, the following
conditions (while not unusual) are unacceptable:

Google may at any time and for any reason terminate the Services,
terminate this Agreement, or suspend or terminate your account. In the
event of termination, your account will be disabled and you may not be
granted access to your account or any files or other content contained
in your account although residual copies of information may remain in
our system.

The issue of data retention is dealt with below.


Specific data protection issues in the complaint

Searching of email content

The core sniffing and searching function of Gmail gives rise to a range
of concerns. The Article 29 Group has observed:

If sniffing is carried out at central knots or junctions in the Internet
this could allow for large-scale interception and surveillance of e-mail
content and/or traffic data by choosing certain characteristics,
typically the presence of keywords. Sniffing, as a general and
exploratory surveillance activity, even if conducted by government
agencies, can only be allowed if it is carried out in accordance with
the conditions imposed by Article 8 of the European Convention on Human
Rights.

Users have come to expect that the content of their emails may be read
to detect spam. The Gmail process does not merely extend this function,
it takes it into a new context. We believe that the sifting of email
content, whether achieved manually or automatically, raises a number of
serious data protection concerns.

Indefinite Retention

Gmail's Terms of Use state:

In the event of termination, your account will be disabled and you may
not be granted access to your account or any files or other content
contained in your account although residual copies of information may
remain in our system.

No time frame for the retention of deleted files is mentioned. It is
common for email providers to maintain back-up copies to protect against
technical failure, though the backup for a system as large as Gmail
should operate close to real-time. Nothing in the Terms of Use limit
Google's retention of emails to this specific circumstance. As currently
stated, the Terms of Use imply that the retention is indefinite.

Article 6 of the Directive states that data should be:

1 (e) kept in a form which permits identification of data subjects for
no longer than is necessary for the purposes for which the data were
collected or for which they are further processed. Member States shall
lay down appropriate safeguards for personal data stored for longer
periods for historical, statistical or scientific use.

The Article 29 Group has observed:

Another privacy risk associated with e-mail is related to the inability
of a user to easily and effectively remove an e-mail message that has
either been sent or received as the operation of the delete function
will not necessarily expunge a mail from the system. It can in that case
be relatively easy for another user of the same machine or a system
manager in the case of a networked machine to retrieve a message that
the original user intended to delete and believes has been removed from
the system. This issue is obviously not confined to e-mail but it is
particularly significant in this context. In order to address this issue
systems should be designed so that the operation of the delete function
actually expunges information from the system.


Confidentiality

Section VIII, article 16 of the Directive (Confidentiality of
processing) requires that:

Any person acting under the authority of the controller or of the
processor, including the processor himself, who has access to personal
data must not process them except on instructions from the controller,
unless he is required to do so by law.

The Gmail Terms of Use are in conflict with this provision.

Third party issues

The Gmail system does not operate within a closed universe. Anyone can
communicate with a Gmail customer. The emails of third parties will be
subject to the same conditions as those applying to Gmail customers.
That is, the email will be scanned and indefinitely retained. This
raises a wide spectrum of issues.

Article 14 of the Directive (The data subject's right to object)
stipulates:

Member States shall grant the data subject the right:

(a) at least in the cases referred to in Article 7 (e) and (f), to
object at any time on compelling legitimate grounds relating to his
particular situation to the processing of data relating to him, save
where otherwise provided by national legislation. Where there is a
justified objection, the processing instigated by the controller may no
longer involve those data;

(b) to object, on request and free of charge, to the processing of
personal data relating to him which the controller anticipates being
processed for the purposes of direct marketing, or to be informed before
personal data are disclosed for the first time to third parties or used
on their behalf for the purposes of direct marketing, and to be
expressly offered the right to object free of charge to such disclosures
or uses.

These conditions cannot be guaranteed by Google. They are even more
uncertain for third parties who communicate with a Gmail user.

Article 12 of the Directive has particular application. It stipulates
that data should be subject to certain controls:

(b) as appropriate the rectification, erasure or blocking of data the
processing of which does not comply with the provisions of this
Directive, in particular because of the incomplete or inaccurate nature
of the data;


Offshore processing of data

As evidenced by the analysis above, there are grounds for concluding
that the processing of data by Google may not achieve the standards
required within the EU. Article 25 of Chapter IV of the Directive
(Transfer Of Personal Data To Third Countries) states:

1. The Member States shall provide that the transfer to a third country
of personal data which are undergoing processing or are intended for
processing after transfer may take place only if, without prejudice to
compliance with the national provisions adopted pursuant to the other
provisions of this Directive, the third country in question ensures an
adequate level of protection,

We would like to draw your attention to the Article 29 Working Group
paper "Working document on determining the international application of
EU data protection law to personal data processing on the Internet by
non-EU based web sites". (14) This document clearly identifies the legal
right of the EU to establish criteria for processing of data via non-EU
websites.

It should be noted that according to the list provided by the US
Department of Commerce, Google has not joined the Safe Harbor scheme.
(15) Nor, in our view, has the company satisfied many of the
requirements contained in the EU Directive or in the law of EU member
states.

Consent issues

Article 7 of the Directive requires that Member States shall provide
that personal data may be processed only if the data subject has
unambiguously given his consent. This consent, as you will understand,
must be given in full knowledge of the circumstances of the processing.

We believe that such informed consent cannot be possible under the
current Gmail contract. Customers must be explicitly warned that their
data will not be afforded the level of protection that applies in the
EU.

It appears that the Gmail service is in material breach of the consent
provisions of data protection law. As mentioned above, consent can only
be given by a Gmail account-holder. Those who send email to a Gmail
customer will have no opportunity to consent to having their email read
for keywords.

Sensitive data

Article 8 of the Directive (The processing of special categories of
data) stipulates:

1. Member States shall prohibit the processing of personal data
revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership, and the processing of
data concerning health or sex life.

2. Paragraph 1 shall not apply where:

(a) the data subject has given his explicit consent to the processing of
those data, except where the laws of the Member State provide that the
prohibition referred to in paragraph 1 may not be lifted by the data
subject's giving his consent;

(-)

These provisions raise important and complex questions. To what extent
can or should Gmail (or any other email service provider) conform to
these requirements? Because of its scale, Gmail can be used by a range
of organisations as the primary communications medium.


Conclusion

We believe the Gmail service involves significant and far-reaching
privacy implications. The precedent set by the service, its enhanced
functionality and the likelihood of unexpected future changes to the
system require serious consideration of data protection issues. We urge
you to prospectively investigate this system with a view to establishing
appropriate privacy safeguards.

Yours sincerely

Simon Davies
Director
Privacy International

________________ _


References

1) Google press release, April 1, 2004
http://www.google.com/press/pressrel/gmail.html

2) See letter signed by 28 advocates and organisations at
http://www.privacyrights.org/ar/GmailLetter.htm

3) A selection of coverage can be viewed at
http://news.google.com/news?q=gmail+privacy&num=30&hl=en&lr=&ie=UTF-8&sa
fe=off&sa=N&tab=nn

4) The text of the Directive can be read at
http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnu
mdoc&lg=EN&numdoc=31995L0046&model=guichett

5) Four days after the announcement of the Gmail service spymac.com
launched a free one gigabyte service
http://www.spymac.com/news/index.php?contentid=274

6) The UK "Memories for life" research challenge, for example, has
proposed a system that would store and index users' "digital memories" -
photographs, videos and communications - over their entire lifetime .
http://www.csd.abdn.ac.uk/~ereiter/memories.html

7) A snapshot of the ad placement can be seen at
http://gmail.google.com/gmail/help/screen2.html

8) Edward C Baig, Targeted ads tied to Gmail's super space, USA Today,
14th April 2004.
http://www.usatoday.com/tech/columnist/edwardbaig/2004-04-14-baig_x.htm

9) Google's Privacy Policy
http://www.google.com/gmail/help/privacy.html


10) Gmail's Terms of Use
http://www.google.com/gmail/help/terms_of_use.html

11) The potential for interference with US based communications services
under the provisions of the PATRIOT and other Acts has been the subject
of media commentary. See, for example,
http://www.eurweb.com/articles/columns/04082004/columns1398904082004.cfm
and http://www.fortwayne.com/mld/newssentinel/news/editorial/8439289.htm

12) Article 29 Data Protection Working Party; Working Document: Privacy
on the Internet- An integrated EU Approach to On-line Data Protection-
5063/00/EN/FINAL WP 37. November 2000
http://europa.eu.int/comm/internal_market/privacy/workingroup/wp2000/wpd
ocs00_en.htm

13) John Gilmore; assessment of Gmail Terms of Use, 7 April 2004
http://craphound.com/gilmoreongmail.html

14) ARTICLE 29 - DATA PROTECTION WORKING PARTY 5035/01/EN/Final WP 56
Working document on determining the international application of EU data
protection law to personal data processing on the Internet by non-EU
based web sites Adopted on 30 May 2002


15) US Department of Commerce; Safe Harbor list
http://web.ita.doc.gov/safeharbor/SHList.nsf/WebPages/Safe+Harbor+List!O
penDocument&Start=175

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)