Safe Harbor is an advantageous agreement between the United States and the European Union that governs the protection of data during transfer from the E.U. to the U.S. American companies wishing to do business with companies in the E.U. may receive certification, stating they have implemented data protection principles that are similar and equal to those of the E.U. Data Protection Directive, and are then allowed unrestricted data transfers with entities in the E.U. Recently, the FTC– the U.S. body governing enforcement of Safe Harbor– has begun to crack down on U.S. companies claiming Safe Harbor compliance, but failing to implement the required protection standards. Multi-national companies must now take a strong look at their privacy policies and notices to ensure they are Safe Harbor compliant and avoid Federal scrutiny.
What is Safe Harbor?
In 1995, the E.U. implemented a comprehensive law, the Data Protection Directive, which created strong standards and principles governing the use and protection of data. Any data transferred within the E.U. or the European Economic Area would be protected under the law. However, personal data transferred to other countries would not be guaranteed the same protection. The Data Protection Directive restricts the transfer of data with other countries unless they meet a comparable level of data protection.
Data protection in the United States, which is more commonly known as information privacy, is governed by a number of sectoral laws that protect data within specific industries, ie: HIPAA protects personal health information, FACTA protects personal information in the financial sector. The U.S. has no central or comprehensive data protection regime and therefore, the E.U. finds data protection in the U.S. to be inadequate.
To facilitate unrestricted, data transfer between the United States and the European Union, the Safe Harbor agreement was created to allow U.S. companies the opportunity to raise their level of data protection and achieve “adequate” status, thus meeting the restriction rules for onward transfer to third parties under the E.U. Data Directive.
The Benefits of Safe Harbor Compliance
In 2000, when the Safe Harbor agreement was developed between the E.U. and the U.S., data transfers accounted for over $ 300 Billion dollars in trade. Safe Harbor allows such exportation and importation of data to continue while still protecting the personal data of European citizens. Though the Safe Harbor agreement requires stricter privacy standards for U.S. companies, than is required by U.S. law it is really to the benefit of both sides that such an agreement exists.
Participating U.S. companies enjoy the privilege of the Safe Harbor Agreement which demands that all E.U. member states allow unrestricted data transfers with any and all Safe Harbor certified participants. This means that certified companies may not be denied transfers by individual data controllers or Data Protection Authorities according to their own agendas.
Furthermore, complaints brought against a U.S. entity by European citizens regarding the protection of their personal data are heard in U.S. courts and the Safe Harbor program is under U.S. enforcement.
Safe Harbor also eliminates the need, or grants automatic approval for, data transfers creating a more cost and time efficient system. Companies may choose not to join the Safe Harbor agreement and make individual agreements or model contracts with a Data Protection Authority, but this may increase the time and energy needed to allow for the unrestricted transfer of data.
How Does a Company Become Safe Harbor Compliant?
- The data subject must be notified about the purposes for which personal information is collected and used.
- The data subject must be notified about contact methods to file inquiries and complaints.
- The data subject must be notified about the types of third parties to whom personal information may be disclosed.
- The data subject must be provided with their choices and means of limiting disclosure of their personal data.
- Notice should be provided at the time when information is first collected or shortly thereafter and must be provided before data is processed or disclosed.
- The data subject must be able to opt-out of third party disclosures.
- The data subject must be able to opt-out of secondary usage of information.
- The data subject must give affirmative consent (opt-in) for the disclosure or use of sensitive information.
- All third parties to whom data may be transferred must follow the Safe Harbor principles or Data Directive compliant. The same level of protection must be guaranteed no matter how many times data is transferred.
- Entities that process data in any stage of its life cycle (collection, use, analysis, storage) must take reasonable measures to protect against data loss, destruction, misuse and unauthorized access.
- Data may only be processed or used as it is related and proportional to the purposes for which it was originally collected.
- An entity should take reasonable steps to ensure data is accurate, timely and complete.
- Data subjects must be able to view the information an organization holds about them.
- Data subjects must be able to correct, add to, or delete inaccurate information.
- A recourse mechanism must be in place for data subjects to file complaints, have disputes investigated, and resolved.
- It is the obligation and responsibility of the entity to remedy any problems with compliance in a timely fashion.
Enforcing Safe Harbor
U.S. compliance with Safe Harbor is largely self regulated. Entities may choose to complete self verification of compliance and investigate complaints internally. Companies also have the option of using private, third party dispute resolution mechanisms, that have gained a reputation of trustworthiness to verify their compliance and investigate disputes.
Some well known, third party dispute resolution service providers include:
- The Better Business Bureau Online
- The Direct Marketing Association
- The Entertainment Software Rating Board
Third party dispute resolution providers are self regulated and not certified by the Department of Commerce or the FTC. Therefore, it is the legal responsibility of the entity to choose a program that is Safe Harbor compliant.
Though, Safe Harbor has not been strictly enforced in the past, there are regulations within the privacy and trade law to punish violators. Misuse of the Safe Harbor agreement can qualify as “unfair or deceptive trade practices” under Section 5 of the Federal Trade Commission Act. The FTC may take action against offenders including conducting formal hearings, and issuing cease and desist or temporary restraining orders. Failing to comply with an FTC order may carry a penalty of up to $11,000 for every day of continued violation and any entity that knowingly violates an FTC rule may be subject to the same penalty.
Safe Harbor in the News
Then, in October 2009, the FTC filed settlement complaints against six multinational companies that had lapsed in their compliance but failed to alter their privacy policies to notify data subjects of the change. The recent enforcement has sent the message to business owners that the FTC may no longer rely on private, self-regulation to provide adequate enforcement. Since Safe Harbor compliance requires a public statement in privacy notices stating participation in the program, the FTC needs only to compare their current list of Safe Harbor participants with the privacy notice of an entity to gain evidence of unfair or deceptive trade practices. There is also speculation that the audits may be conducted in the future for companies with current certifications, to verify full compliance with all Safe Harbor regulations.
Data protection, especially with regard to onward transfer, continues to remain a significant issue in International politics. In the first week of November 2009, the United States and European Union, recognizing the weaknesses in current regulation, joined together to create a common set of principles to govern the transfer of personal data. That same week, privacy representatives from around the world met in Madrid for the International Data Protection and Privacy to create a universal standard of privacy and data protection, in the hopes of eventually creating a universal data protection law.
Companies wishing to conduct legal and successful business on a multinational level must be concerned with the protection of data both when it is transferred to and from the United States. Agreements, like Safe Harbor, allow the United States and the European Union to continue a mutually beneficial trade relationship, however, the agreement alone does not guarantee data protection. Participating U.S. companies need to ensure Safe Harbor compliance to build trust in their organization, as well as in the program to allow such agreements to continue in the future, despite the differing approaches the U.S. and the E.U. take regarding data protection.
CIPP Candidate Preparation
In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:
- The Collective View of Privacy Principles (Foundations I.E) including Notice, Consent, Access, Security, and Quality
- Privacy and Data Protection Regulation (Foundations: I.F) including Onward Transfer, Safe Harbor, and the E.U. Data Protection Directive