By Scott Hervey

In October 1998 the European Commission's Directive on Data Protection (the "Directive", adopted in 1995) took effect across the EU. Among other things, it established a comprehensive approach to the protection of various forms of personal data and prohibits the transfer of an individual's personal data to non-EU nations that fail to meet the EU's "adequacy" standard for privacy protection. The U.S. is one such nation.

To reconcile these differences, the U.S. Department of Commerce, in consultation with the European Commission, industry and non-governmental organizations, developed a "safe harbor" framework in 2000. The framework allows U.S. companies to avoid interruptions in their transatlantic dealings with European companies, provided they certify to the safe harbor. Certification provides an assurance to EU organizations that the U.S. organization with which they are dealing provides "adequate" privacy protection. By certifying, U.S. organizations avoid interruptions in business dealings and reduce their exposure to enforcement by European data protection authorities under member-state privacy laws. The framework covers personal data received from the EU, including data obtained from third parties rather than directly from the individual.

What organizations may join Safe Harbor?

Only organizations subject to the jurisdiction of the Federal Trade Commission (“FTC”), or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (“DoT”) may participate in the Safe Harbor. Organizations in certain sectors that are not subject to the jurisdiction of either the FTC or the DoT, including telecommunications common carriers, meat packers, banks, insurance companies, credit unions or not-for-profits, may not be eligible for Safe Harbor.

How does an organization join Safe Harbor?

An organization that wishes to participate in the safe harbor must comply with the safe harbor's principles and publicly declare that it does so by annually self-certifying in writing to the U.S. Department of Commerce that it agrees to adhere to those principles. The principles provide guidance for U.S. organizations on how to provide "adequate protection" for personal data from Europe. The organization must also state in its published privacy policy that it adheres to the safe harbor principles.

What are the Safe Harbor’s Principles?

– Notice: Notice is a key element of any privacy policy. Organizations collecting and using information about individuals must inform those individuals, in clear and conspicuous language, of the purposes for which the organization collects and uses the information. The organization must also tell individuals how they can contact it with inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means it offers individuals for limiting its use and disclosure. This notice must be provided when individuals are first asked to provide personal information, or as soon thereafter as practicable, and in any event before the organization uses the information for a purpose other than the one for which it was collected or discloses it to a third party.

– Choice: Before using an individual's personal information for a purpose other than the one for which it was originally collected, or disclosing it to a third party, an organization must give the individual the opportunity to opt out. In other words, the individual must be able to decide whether his or her personal information is disclosed to a third party or used in a way not previously authorized. For sensitive information (personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or the sex life of the individual), the organization must obtain an affirmative or explicit opt-in choice before disclosing that information to a third party or using it for a purpose other than the one originally authorized.

– Onward Transfer: An organization may disclose information to a third party so long as it follows the notice and choice principles summarized above. Before transferring data to a third party acting as its agent, the transferring organization should first ascertain that the third party subscribes to the Safe Harbor principles or is subject to the Directive, or else enter into a written agreement requiring the third party to provide at least the same level of protection as the principles require.

– Security: Organizations that create, maintain, use or disseminate personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction. The sensitive categories of information described under the Choice principle warrant particular care.

– Data Integrity: Organizations must make sure that the personal information they collect is relevant to the purposes for which it is to be used, and should take reasonable steps to ensure that the data is reliable, accurate, complete and current. An organization that collects only relevant data leaves less opportunity for that data to be misused or abused.

– Access: Organizations that hold personal information about an individual must give that individual access to it so that he or she can correct, amend or delete information that is inaccurate. Access need not be provided where the burden or expense of providing it would be disproportionate to the risk to the individual's privacy in the case in question, or where the rights of other persons would be violated.

– Enforcement: An organization must provide mechanisms for assuring compliance with the principles and recourse for individuals whose information has been misused, and must face consequences when the principles are not followed. At a minimum, such mechanisms must include (1) readily available and affordable independent recourse mechanisms through which each individual's complaints are investigated and resolved by reference to the principles, with damages awarded where applicable law or private-sector initiatives so provide; (2) follow-up procedures for verifying that the assertions businesses make about their privacy practices are true and that those practices are actually implemented; and (3) obligations to remedy problems arising from an organization's failure to comply with the principles, together with consequences for the organization.

Governmental Action

The Federal Trade Commission and the Department of Transportation have stated in letters to the EU that they will take enforcement action against organizations that claim to comply with the Safe Harbor framework but fail to adhere to the principles. In September 2009, the FTC announced its first enforcement action against a U.S. company for violating the Safe Harbor program. The FTC brought suit because the company, which had misled consumers into believing it was based in the EU, falsely claimed in its privacy policy that it was certified under the Safe Harbor program when it was not.

Last year's FTC action sends a clear message to U.S. businesses importing personally identifiable information from the EU into the U.S.: get compliant with the Safe Harbor program now, or be prepared to face the consequences.