Any company looking to transfer data about users from the European Union region to the United States will likely need to familiarize itself with the U.S.-EU Safe Harbor Framework. This article covers three topics: what is the U.S.-EU Safe Harbor, what are its advantages and disadvantages, and how to comply with the Safe Harbor. UPDATE: Since this article was drafted, the US-EU Safe Harbor program has been shut down. There is now a new regime in place named Privacy Shield. Please see this article for more information.
The Safe Harbor Framework is a program available for organizations seeking to retain healthy business partnerships with European clientele. The product of extensive negotiation between the U.S. Department of Commerce and the European Commission, the Safe Harbor Framework allows companies supervised by the Federal Trade Commission to self-certify compliance with the European Commission’s 1998 Directive on Data Protection, which governs personal data law for all 28 EU Member States. Under the Directive, Member States are forbidden from transferring collected personal data to any sovereign country whose privacy laws do not meet the Directive’s standard of “adequacy.” Although the U.S., as a sovereign entity, does not live up to EU standards on data protection, U.S. companies can nonetheless take advantage of the Safe Harbor Framework to comply with the Directive. Conforming entities are listed in the Safe Harbor Framework database, and their published privacy policies are e-stamped for dramatic effect.
To self-certify under the Framework, companies must adhere to the seven Safe Harbor Privacy Principles.
Safe Harbor organizations are required to provide notice to individual clients regarding the purposes for which their personal data is collected, used, shared and otherwise manipulated. The notice must be given in a clear and conspicuous fashion, and must include information on third-party users, complaint mechanisms, and ways to limit the participating organization’s ability to use and disclose personal information.
The Safe Harbor requires that organizations provide their clients with clear opt-outs in the event that any personal data is shared with third parties or used for unauthorized purposes. Sensitive information touching topics such as race, ethnic origin, political opinions, and religious beliefs may not be passed on to third parties or used for unauthorized purposes without the client's affirmative consent.
Third parties acting as agents to Safe Harbor-certified companies must agree to abide by the same privacy guidelines in order to receive personal data, either through their own privacy policies or by written agreement requiring them to follow “at least the same level of privacy protection.”
Organizations trafficking in personal information must take “reasonable precautions” to protect such information from “loss, misuse and unauthorized access, disclosure, alteration and destruction.”
Personal data collected by companies in compliance with the Safe Harbor Framework must be relevant for the intended use, and must not fall outside the scope authorized by the client.
In general, individuals must have the ability to access their personal data stored by companies, as well as the ability to modify, amend, and correct their data. This requirement does not apply in cases where the “burden and expense of providing access” outweighs the threat to a client’s privacy, or where access to data would violate the rights of other individuals.
All Safe Harbor-certified companies must build adequate enforcement mechanisms into their privacy policies. A minimum level of enforcement must include independent dispute resolution mechanisms, procedural verification, and obligatory remedies for failure to abide by the Principles, as well as sufficient sanctions to ensure compliance.
Self-certifying as a Safe Harbor participant can open the gates to a series of distinct advantages.
Safe Harbor membership is not a golden ticket to transnational success. Companies interested in self-certifying must build acceptable policies, make public declarations of their willingness to abide by stringent Directive standards, and make annual written submissions affirming their continued compliance. The organizational mandates inherent in the Framework’s seven Principles are stiff standards to live up to, and the penalties for non-compliance could be severe. European public sentiment is also a concern, as the fallout from the Snowden leaks, largely swept under the domestic rug, continues to sound alarm bells across the continent. The European Commission is pushing reforms to the Safe Harbor Framework, and the European Court of Justice recently heard arguments on Facebook’s use (and alleged abuse) of the agreement. With the privacy furor unlikely to subside in the near future, one wonders whether the Safe Harbor Framework can continue long in its current form.
If your company is ready to take advantage of the Safe Harbor, the U.S. Department of Commerce offers a helpful guide to achieving compliance. For starters, you will have to confirm that your organization is subject to FTC or DOT jurisdiction. Once you have answered this question, you will need to develop a privacy policy statement that meets all Safe Harbor requirements. This can be done by adhering to the Principles, incorporating specific references to your Safe Harbor self-certification, providing an accurate location for your privacy policy, and ensuring that it is made available and accessible to the public. Your company will also have to develop independent mechanisms for dispute resolution, ensure verification procedures, and create a specific inter-organizational contact for all Safe Harbor-related matters.
For detailed advice on how to navigate the Safe Harbor self-certification process, please contact us.
DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.