By Scott Hervey
In October 1998, the EU enacted the European Commission’s Directive on Data Protection (“Directive”) which, among other things, established a comprehensive approach to the protection of various forms of data, and prohibits the transfer of an individual’s personal data to non-EU nations that fail to meet the EU’s “adequacy” standard for privacy protection. The U.S. is one such nation.
To reconcile these differences, the US Department of Commerce, in consultation with the European Commission, industry and non-governmental organizations, developed a “safe harbor” framework in 2000. This framework would allow US companies to avoid interruptions in their transatlantic dealings with European companies, provided they certified to the safe harbor. Certification to the safe harbor provides an assurance to EU organizations that the US organization with whom they are dealing provides “adequate” privacy protection. By certifying to the safe harbor, US organizations effectively avoid interruptions in business dealings and additionally avoid prosecution by European authorities under their privacy laws. The safe harbor framework applies to all information obtained from third parties.
What organizations may join Safe Harbor?
Only organizations subject to the jurisdiction of the Federal Trade Commission (“FTC”), or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (“DoT”) may participate in the Safe Harbor. Organizations in certain sectors that are not subject to the jurisdiction of either the FTC or the DoT, including telecommunications common carriers, meat packers, banks, insurance companies, credit unions or not-for-profits, may not be eligible for Safe Harbor.
How does an organization join Safe Harbor?
What are the Safe Harbor’s Principles?
– Choice: Before using an individual’s personal information in any manner for a purpose other than that for which the information was originally collected, an organization must provide such individual with the opportunity to opt out. Thus, the individual must be given the opportunity to decide whether his or her personal information is to be disclosed to a third party, or used in a way not previously authorized by the individual. For sensitive information (personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), the organization must provide the individual with an affirmative or explicit opt-in choice before disclosing that information to a third party or using it for a purpose other than as originally authorized.
– Onward Transfer: An organization may disclose information to a third party so long as it follows the notice and choice principles summarized above. The transferring organization should first verify that the third party subscribes to the Safe Harbor principles, is subject to the Directive, or enters into a written agreement with the third party requiring the third party to provide the same level of protection as the privacy principles require.
– Security: Organizations must take reasonable precautions to protect the creation, maintenance, use or dissemination of personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Organizations should particularly take more care to protect personally identifiable information.
– Data Integrity: Organizations must make sure that the personal information they request is relevant for the purposes for which it is to be used. If an organization is collecting only relevant data, there is less of an opportunity for the data to be misused or abused.
– Access: Organizations that collect information from an individual must provide such individual with access to their personal information so that the individual may correct, amend, or delete inaccurate information. Organizations need not provide such access if the burden or expense of providing access would be disproportionate to the risk to the individual’s privacy in the case in question, or where other persons’ rights would be violated.
– Enforcement: An organization must provide mechanisms for assuring compliance with the principles, recourse for individuals who have had their information misused, and face some consequence when the principles are not followed. Specifically, such mechanisms must include, at the very least: (1) readily available and affordable independent recourse mechanisms by which each individual’s complaints are investigated and resolved by reference to the Principles, and damages awarded to the individual where the applicable law or private sector initiatives so provide; (2) follow-up procedures for verifying that the assertions businesses make about their privacy practices are true, and that such privacy practices are implemented; and (3) obligations to remedy problems arising out of an organization’s failure to comply with the Principles, whereby the organization also faces consequences.
Last year’s FTC action is a clear message to U.S. businesses importing personally identifiable information from the EU into the US – get compliant with the Safe Harbor Program now, or be prepared to face the consequences.