THE U.S.-EU SAFE HARBOR Framework: Data Protection - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
THE U.S.-EU SAFE HARBOR Framework: Data
Protection & Cross Border Personal Data Transfers
  • Damon C. Greer
  • U.S. Department of Commerce
  • International Trade Administration
  • Office of Technology & E-Commerce

2
The Data Protection Directive and Implications
for Cross Border Transfers of Personal Data -
Introduction
  • The U.S. and the EU have different approaches to
    data privacy protection
  • U.S. system based on:
    - Self-regulation (such as via privacy codes,
      seal programs)
    - Sector-specific legislation in highly
      sensitive areas such as financial,
      medical, children's and genetic information
    - Enforcement (FTC Section 5 authority)
    - Outreach and awareness

3
Implications of the different approaches to data
flows and trade
  • European Data Protection Authorities have broad
    legal authority to stop data flows.
  • Implications of EU Directive
  • According to the U.S. Census Bureau, Foreign
    Trade Division, in 2004 the U.S. and its top six
    European trade partners shared approximately $400
    billion in trade.
  • Most of this trade could be dependent on the
    exchange of personally identifiable information.

4
Finding a Solution
  • U.S. and EU expressed commitment to bridge their
    different approaches to privacy while maintaining
    data flows and high level of privacy protection
  • FTC Act permitted each side to maintain their
    position
  • U.S. companies made voluntary commitments
  • EU satisfied because FTC Act made those
    commitments legally binding

5
Finding a Solution
  • Safe Harbor registration is a voluntary
    representation to European business partners
    and European citizens that U.S. companies will
    comply with the framework.
  • Failure to comply with Safe Harbor could
    constitute an unfair or deceptive trade practice
    under FTC Act
  • Could result in injunctions and redress

6
Finding a Solution
  • July 2000 U.S. Receives adequacy determination
    from European Commission for the Safe Harbor
    framework
  • However, U.S. companies only eligible if their
    regulator (i.e., FTC or DoT) agrees to enforce
    their commitments

7
The Safe Harbor Framework
  • November 1, 2000
  • Safe Harbor becomes effective
  • DoC launches Safe Harbor website at
    http://export.gov/safeharbor

8
What Is the Safe Harbor Framework?
  • Safe Harbor framework includes
  • 7 privacy principles
  • 15 FAQs
  • EU's adequacy determination
  • Letters between DoC and the European Commission
    (EC), between the Federal Trade Commission and
    the EC, between the Department of Transportation
    and the EC, etc.

9
Where Can We Find Information About It?
  • Safe Harbor website includes
  • Safe Harbor List (currently more than 1,030
    organizations, including multinationals and SMEs)
  • Safe Harbor Workbook
  • Compliance Checklist/Helpful Hints
  • Safe Harbor Documents (including principles,
    FAQs, correspondence, etc.)
  • Historical documents (including public
    comments)

10
Helpful Hints
  • Confirm the jurisdiction of FTC or DOT
  • Establish independent recourse mechanism
  • Ensure verification mechanism
  • Designate contact point
  • Develop compliant privacy statement that:
    - Conforms to the principles
    - Makes specific reference to Safe Harbor (SH)
      adherence
  • Provide accurate privacy policy statement
    location, available to the public

11
Benefits of the Safe Harbor
  • Benefits of Implementing the Safe Harbor
    Framework
  • Predictability and Continuity (all 25 Member
    States, plus EEA countries, bound by adequacy
    determination)
  • Eliminates need for prior approval to begin data
    transfers
  • Flexible privacy regime congenial to U.S.
    approach
  • Simpler/more efficient means of compliance

12
Who may join the Safe Harbor?
  • What organizations may join Safe Harbor?
  • U.S. Organizations subject to jurisdiction of the
    Federal Trade Commission with respect to unfair
    or deceptive acts or practices under Section 5 of
    the Federal Trade Commission Act or the U.S.
    Department of Transportation
  • Companies that are uncertain as to whether they
    fall under the jurisdiction of these agencies may
    seek clarification from the agencies.

13
Who should join the Safe Harbor?
  • What organizations should join Safe Harbor?
  • Organizations that receive personally
    identifiable information from EU member states
    must demonstrate adequate privacy protections
  • Organizations that have not identified another
    basis for demonstrating adequacy should
    consider joining Safe Harbor

14
Compliance Enforcement
  • How and where will Safe Harbor be enforced?
  • In general, enforcement will take place in the
    U.S., in accordance with U.S. law, and will rely,
    to a great extent, on private sector enforcement.
  • Private sector enforcement has three components:
    verification, dispute resolution, and remedies.

15
Compliance Enforcement, cont'd
  • Failure to comply with Safe Harbor requirements
  • If an organization persistently fails to comply
    with Safe Harbor requirements, it is no longer
    entitled to Safe Harbor benefits.
  • Independent recourse mechanisms are required to
    notify DoC of such facts. Safe Harbor list will
    indicate failure to comply.
  • Failure to comply may also result in an
    enforcement action by the FTC or DoT.

16
The Safe Harbor Principles
  • An organization entering the Safe Harbor must
    adhere to seven privacy principles
  • Notice
  • Choice
  • Onward Transfer
  • Security
  • Data integrity
  • Access
  • Enforcement

17
The Safe Harbor Principles
  • (7) Enforcement: Organizations must have the
    following enforcement mechanisms in place:
  • follow-up procedures for verifying that safe
    harbor policies and mechanisms have been
    implemented
  • readily available and affordable independent
    recourse mechanisms to investigate and resolve
    complaints brought by individuals
  • obligations to remedy problems arising out of a
    failure by the organization to comply with the
    principles

18
The Safe Harbor Principles
  • Verification
  • An organization may use a self-assessment
    (in-house) or an outside/third-party assessment
    program.
  • Under self-assessment, a statement verifying the
    assessment should be signed by a corporate
    officer or other authorized representative at
    least once a year.
  • Under outside assessment, a verification
    statement should be signed either by the reviewer
    or by the corporate officer/authorized
    representative at least once a year.

19
The Safe Harbor Principles
  • Dispute Resolution
  • Organizations may choose to have disputes
    resolved by third-party dispute resolution
    programs (such as TRUSTe, BBBOnLine, DMA, AICPA
    WebTrust, JAMS, Entertainment Software Rating
    Board, etc.), or they may choose to cooperate and
    comply with the European Data Protection
    Authorities (DPAs).
  • In the case of human resources data, the
    organization must agree to cooperate and comply
    with the DPAs (See FAQ 9).

20
The Safe Harbor Principles
  • Human Resources Data
  • See FAQ 9
  • Organizations transferring employee data from
    Europe to the U.S. must
  • Submit to the EU DPAs for purposes of dispute
    resolution and
  • Comply with member state law regarding the use of
    information (i.e. processing requirements) as
    well as any restrictions under national law for
    transfer of such data.
  • Access: Employers in the EU must comply with
    member state regulations and ensure that
    employees have access to such information.
    Organizations processing such data in the U.S.
    must provide access either directly or through
    the EU employer.

21
The Safe Harbor Self-Certification Procedure
  • How do organizations join Safe Harbor?
  • Organizations must comply with the framework's
    requirements and publicly declare that they do so
    (see FAQ 6).
  • Organizations that decide to join the Safe Harbor
    may do so by
  • Self-certifying via the Safe Harbor website at
    http://www.export.gov/safeharbor, or
  • Sending a letter to the Department of Commerce.

22
The Safe Harbor Self-Certification Procedure
(cont.)
  • Once received, the DoC reviews the information
    submitted for completeness and to verify that the
    information submitted is consistent.
  • To be assured of Safe Harbor benefits, an
    organization needs to reaffirm its
    self-certification annually to the DoC.
  • The Safe Harbor website includes a searchable
    list with compliance status.

23
Since Then and Moving Forward
  • January 2002 First joint EC/DOC review of Safe
    Harbor completed
  • February 2002 EC submits interim report on
    functioning of the Safe Harbor
  • March 2002 Data Protection Authorities visit
    Washington
  • Late 2003 DoC and EC resume dialogue and review
    implementation of the Safe Harbor
  • October 2004 EC releases second report/staff
    working paper on Safe Harbor
    compliance/implementation
  • December 7, 2005 DoC and EC Workshop on Safe
    Harbor, Washington, D.C.; the dialogue
    continues.

24
Other Options for Meeting the EU Directive's
Requirements
  • Joining Safe Harbor is not the only means of
    meeting the EU Directive's requirements
  • Other alternatives include
  • Unambiguous consent
  • Necessary to perform contract
  • Codes of Conduct
  • Model Contract Clauses
  • Direct compliance/registration with EU Authorities

25
For additional information or questions,
  • Contact me at
  • Damon C. Greer
  • U.S. Department of Commerce
  • International Trade
    Administration
  • HCHB 2003
  • 1401 Constitution Avenue, NW
  • Washington, DC 20230
  • Telephone (202) 482-5023
    Fax (202) 482-5522
  • E-mail Damon.Greer@mail.doc.gov