Safe Harbor Principles
US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data.
Intended for organizations within the EU or US that store customer data, the Safe Harbor Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program as long as they adhere to the 7 principles outlined in the Directive.
The process was developed by the US Department of Commerce in consultation with the EU.
Background
The European Union has for many years had a formalised system of privacy legislation, which is regarded as more rigorous than that found in many other areas of the world.
Companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive equivalent levels of protection.
Such protection can either be at a country level (if the country's laws are considered to offer equal protection) or at an organizational level (where a multinational organization produces and documents its internal controls on personal data).
The Safe Harbor Privacy Principles allow US companies to register their certification if they meet the European Union requirements.
Principles
These principles must provide:
- Notice - Individuals must be informed that their data is being collected and about how it will be used.
- Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security - Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
- Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Enforcement - There must be effective means of enforcing these rules.
Certification
After opting in, an organization must re-certify every 12 months. It can either perform a self-assessment to verify that it complies with these principles, or hire a third party to perform the assessment. There are also requirements for ensuring that appropriate employee training and an effective dispute mechanism are in place.
The Federal Trade Commission theoretically oversees this program but, to date, no company's procedures have been challenged as failing to meet these guidelines.
Criticism and Evaluation
The EU-US Safe Harbor has been the subject of significant criticism regarding compliance and enforcement in three external evaluations:
- 2002 review by the European Union: European Commission, The application of Commission Decision on the adequate protection of personal data provided by the Safe Harbor Privacy Principles (2002)
- 2004 review by the European Union: European Commission, The implementation of Commission Decision on the adequate protection of personal data provided by the Safe Harbor Privacy Principles (2004)
- 2008 review by Galexia: Chris Connolly (Galexia), US Safe Harbor - Fact or Fiction?, Privacy Laws and Business International, issue 96, December 2008
See also
- Binding Corporate Rules
- IT risk
- Privacy
- Safe harbor