EU Privacy Directory and Safe Harbors
January 1, 2003
During this period of globalization and the increased frequency of transactions between countries, the European Commission ("EC") has established a framework to aid in the transfer of data. Pursuant to Directive 95/46/EC of October 24, 1995, Member States of the European Union ("EU") must ensure that the transfer of personal data to a country outside of the EU will receive an adequate level of protection.
A Commission Decision of July 26, 2000 presents an opportunity for countries that desire to share data with Member States to do so without being required to provide additional guarantees with the data transfer, provided they ensure an adequate level of protection. The proposed method for providing adequate protection is through compliance with the safe harbor privacy principles ("the principles") for the protection of personal data transferred from a Member State to the United States. In order for a Member State to transfer data to the United States, the principles must be met in all instances, except for a limited number of exemptions that exist for situations such as pre-contractual measures (i.e., credit checks) and obtaining legal advice. However, for daily transactions occurring between companies, whether related or unrelated, the principles will provide the necessary protection to allow uninterrupted data transfer between the United States and the EU.
The benefits of the safe harbor are readily apparent for companies that are in the e-commerce business, where the transfer of data is vital for the success of the business. However, any company engaging in trade with the EU can benefit from participation in the safe harbor. Activities such as the following all indicate why a company should consider signing up on the DOC’s list of organizations that comply with the safe harbor: (1) hiring or promoting personnel from the EU, (2) acquiring a subsidiary based in the EU, (3) gathering personal income tax information from EU employees, (4) setting up a retirement plan for EU employees, or (5) gathering personal data for a specific medical or pharmaceutical research study that will be transferred to the U.S. Obviously, based on a company’s particular needs, there may be numerous other reasons that it would be beneficial for the company to join the safe harbor.
The safe harbor principles require the following:
1. Notice. Organizations must notify individuals about the purposes for which they collect and use information about them.
2. Choice. Organizations must allow individuals to opt out from the disclosure of personal information to a third party.
3. Transfers to Third Parties. In order to disclose information to third parties, organizations must apply the notice and choice principles. In the alternative, organizations can enter into a written agreement with third parties to provide at least the same level of protection as is required by the principles.
4. Access. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information if it is inaccurate. An exception exists where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the rights of persons other than the individual would be violated.
5. Security. Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration or destruction.
6. Data Integrity. Organizations should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current.
7. Enforcement. There must be readily available and affordable dispute mechanisms for the investigation and resolution of complaints; procedures must be in place to verify that the companies on the list adhere to the principles; and, an obligation must exist to remedy problems arising out of the failure to comply.
Through the joint effort of the U.S. Department of Commerce ("DOC") and the EC, a safe harbor framework has been developed to allow U.S. organizations to comply with the EU Directive’s adequate protection requirements for any personal data flowing to the U.S. The principles are a necessary step in bridging the differences between the EU and U.S. approaches to data privacy protection. The U.S. safe harbor eliminates the need for approval from EU member countries prior to the transfer of data. As a result of the safe harbor principles, compliance with the adequacy requirements will be cheaper and simpler, which will particularly benefit small and medium-sized companies. Despite the obvious benefits of participating, the decision to enter the safe harbor is entirely voluntary.
The Department of Commerce will publish a list of safe harbor organizations on its website as of November 1, 2000. The organizations on the list will be those that have self-certified to the principles. The organization will remain on the list for 12 months, at which time it will need to reaffirm its continued adherence to the principles. It should be noted that an organization’s absence from the DOC’s list is not an indication of non-compliance.
In general, enforcement of the safe harbor will be carried out by the private sector, through a dispute resolution system put in place by the organizations. Enforcement will be in the form of sanctions imposed by dispute resolution bodies, publicity for findings of non-compliance, deletion of data in certain circumstances, suspension from membership in a privacy program (and the safe harbor) and injunctive orders. In addition, the Federal Trade Commission ("FTC") will provide government enforcement of the safe harbor by imposing injunctive relief for violations of the principles that would be considered unfair and deceptive acts, as defined in the Federal Trade Commission Act. In addition, the FTC will impose civil penalties of up to $11,000 per day for violations of injunctive orders.
For more information on this program, the ITA can be contacted at (202) 482-1614. The Commerce Department maintains useful information on its website.