The Safe Harbor framework deals with privacy protection around the transfer of personal data between organizations in European Union (EU) member states to organizations located in the United States. This article explores the purposes and requirements of the Safe Harbor framework. It also provides information for US-based organizations who may participate in the Safe Harbor framework.
What is Safe Harbor?
In October 1998, the European Commission Directive on Data Protection went into effect. The Directive prohibited the transfer of personal data from EU member states to non-EU nations that did not meet the adequacy standard of privacy protection. There are significant differences between the US and EU approaches to privacy protection. The US takes a sectoral approach to privacy protection that involves legislation, regulation and self-regulation. In contrast, the EU has enacted comprehensive privacy legislation that involves government data protection agencies, registration of databases with these agencies and pre-approval before the processing of personal data.
As the EU Directive is significantly more rigorous than the privacy protection system currently found in the United States, it was necessary to develop a streamlined and cost-effective means for organizations and businesses in the US to achieve compliance with the EU adequacy standard.
Seven Principles of Safe Harbor
The Safe Harbor Framework was thus developed as a joint effort between the US Department of Commerce and the European Commission. The Safe Harbor Principles were established in order to prevent accidental or unauthorized information disclosure or loss. US organizations can meet Safe Harbor requirements by adhering to the following seven principles:
1. Notice – Organizations are required to notify individuals of the purposes for collecting and using personal information. Individuals should also be provided with the organizations’ contact information, should they have inquiries or complaints. Individuals should be aware of third parties and methods for limiting use/disclosure of personal information.
2. Choice – Individuals should have the right to opt-out (to choose) whether they want their personal information to be disclosed to a third party or used for other purposes. Opt-in choice is required for sensitive information.
3. Onward Transfer – This principle refers to transfers of personal information to third parties. Notice and choice principles apply to third parties handling personal information. Organizations should ensure that the third party adheres to Safe Harbor principles, is subject to the EU Directive, or provides an adequate level of privacy protection.
4. Access – Individuals should have access to any personal information about them held by an organization, for the purposes of correction, amendment or deletion.
5. Security – Organizations are obliged to take reasonable precautions in order to protect personal information from loss; misuse; and unauthorized access, disclosure, alteration and destruction.
6. Data Integrity – Organizations are obliged to take reasonable steps in order to ensure that the personal information is reliable and relevant for its intended use. This means that the data should be accurate, complete and current.
7. Enforcement – This includes independent recourse mechanisms; procedures for verifying the organization’s commitments to the above principles; and obligations to remedy compliance failures.
Why Safe Harbor?
Safe Harbor participation offers several benefits to US-based organizations:
• EU member states are bound by the European Commission’s adequacy finding
• Organizations under Safe Harbor meet the adequacy standard, allowing data flows to continue
• EU member state requirements for approval of data transfers will be waived, or automatically approved
• Claims by EU citizens against US organizations will be heard in the US
The Safe Harbor framework also offers several benefits to EU-based organizations, as they can ensure privacy protection standards through a list of Safe Harbor-compliant organizations in the US
Participating in Safe Harbor?
The first step in participating in the Safe Harbor framework is determining if your organization is covered by the United States-European Union Safe Harbor framework. Businesses that are covered by the Safe Harbor framework must meet the following criteria:
1. Its business practices fall under the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DoT). Such organizations may include US air carriers and ticket agents.
Organizations that are usually not under the jurisdiction of the FTC include financial institutions (e.g. banks, investment houses, credit unions, savings and loan institutions, etc.); telecommunication common carriers; labor associations; non-profit organizations; agricultural cooperatives; and meat processing facilities.
2. It receives or processes personally identifiable information (PII) directly or indirectly from EU member states. This also includes subsidiaries and affiliates that process PII in the US.
These organizations may collect, store or process PII for a wide variety of reasons, including: determining, evaluating, or implementing employment-related actions or obligations; designing, evaluating or administering compensation, benefits, or other human resources programs; evaluating employee performance; maintaining business records that relate to past, present or potential employees; supporting relationships with clients and vendors; and facilitating business communications and compliance with contractual or legal obligations.
Developing & Establishing Safe Harbor Mechanisms
Prior to certifying to the Safe Harbor framework, organizations should also develop and implement supporting mechanisms. These are discussed below:
• Independent Recourse Mechanism – This step ensures compliance with the seventh Safe Harbor principle (enforcement). The organization’s independent recourse mechanism is responsible for investigating unresolved privacy complaints. This mechanism may be a private sector dispute resolution program, such as BBB OnLine, TRUSTe, Direct Marketing Association, AICPA WebTrust, etc. As an alternative, the organization may also cooperate with the European Data Protection Authorities (DPAs) for dispute resolution.
• Verification Mechanism – This mechanism verifies the organization’s compliance with the Safe Harbor framework. This may involve a self-assessment program, or a third-party assessment program.
• Contact Point – Organizations are obliged to provide an internal contact point responsible for questions, complaints, access requests, or other issues encompassed by Safe Harbor. For instance, this may be the corporate officer responsible for Safe Harbor, or the organization’s Chief Privacy Officer.
Safe Harbor Fees
As of March 1, 2009, the US Department of Commerce introduced fees meant to support the operation of the US-EU Safe Harbor framework. New registrants to the Safe Harbor framework must pay a fee of $200.00. Self-certified organizations are required to pay a $100.00 annual fee to recertify their compliance with the Safe Harbor framework.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional (CIPP) exam; the Certification Foundation (Foundations) exam; and the Certified Information Privacy Professional/Canada (CIPP/C) exam, a privacy professional should be comfortable with topics related to this post, including:
• E.U. Data Protection Directive (95/46/EC) (Foundations: I.D.a.ii.2.)
• E.U. Data Protection Directive – Safe Harbor Status (CIPP/C; II.A.b.iii.)
• International Data Transfers (CIPP; II.C.e.)
• Multinational Compliance – E.U. Data Protection (CIPP; II.C.f.)
• Regulatory Authorities – U.S. Department of Commerce (I.A.c.iii.)