Summary of Self-certification Under the US-EU Safe Harbor Framework

June 2, 2009

The European Union prohibits the transfer of personal data to countries whose laws do not afford adequate protection unless certain exceptions apply. Such exceptions may be the data subject’s consent or the adoption of binding corporate rules by the data controller approved by an EU member state. Another exception is compliance with the Safe Harbor Framework. The Safe Harbor Framework was established by the European Union and the US to allow US companies to comply with EU data protection laws in a simple and cost-effective way. Once a US company commits to the Safe Harbor Framework, it may receive personal data from all 27 EU member states.

A company complies with the Safe Harbor Framework either by joining a self-regulating privacy program or by developing its own self-regulating privacy policy. The first step towards compliance under either method is to develop a privacy policy statement and program that complies with the seven EU privacy principles: Notice, Choice, Onward Transfer, Access, Security, Data Integrity, and Enforcement. The seven principles are meant as privacy guidelines and are adaptable to the particular business and privacy needs of individual companies.

  1. Notice – Companies must notify individuals about the purposes for which they collect and use information about them. For example, “When we collect your personal information, we’ll give you timely and appropriate notice describing what personal information we’re collecting, how we’ll use it, and the types of third parties with whom we may share it.”
  2. Choice – Companies must give individuals the opportunity to choose whether their personal information will be disclosed to a third party or used for a purpose other than for which it was originally collected. For example, “We’ll give you choices about the ways we use and share your personal information, and we’ll respect the choices you make.”
  3. Onward Transfer (to Third Parties) – To disclose information to a third party, organizations must apply the notice and choice principles. If the third party is acting as an agent of the company, the company must ensure that the third party adheres to safe harbor principles. For example, “Except as described in this policy, we won’t share your personal information with third parties without your consent.”
  4. Access – Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information. Exceptions to this rule include instances where the burden of providing access outweigh the risks to an individual’s privacy and where the rights of persons other than the individual would be violated. For example, “We’ll provide ways for you to access your personal information, as required by law, so you can correct inaccuracies.”
  5. Security – Companies must take reasonable precautions to protect personal information. For example, “We’ll take appropriate physical, technical, and organizational measures to protect your personal information from loss, misuse, unauthorized access or disclosure, alteration, and destruction.”
  6. Data Integrity – Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, and is accurate, complete, and current. For example, “We’ll collect only as much personal information as we need for specific, identified purposes, and we won’t use it for other purposes without obtaining your consent.”
  7. Enforcement Companies must establish independent procedures to address complaints and disputes, implement procedures for ensuring adherence to Safe Harbor principles, and make obligations to remedy problems arising out of a failure to comply with the principles. For example, “We’ll regularly review how we’re meeting these privacy promises, and we’ll provide an independent way to resolve complaints about our privacy practices."

The remaining steps to comply with the Safe Harbor regulations are fairly easy to accomplish: the company publishes its privacy statement, designates a contact person that is responsible for any issues arising under the Safe Harbor, establishes a recourse mechanism to investigate and handle unresolved complaints, and establishes verification procedures to ensure compliance with Safe Harbor provisions. The final step is to self-certify to the Department of Commerce annually in a letter stating that the company agrees to adhere to the Safe Harbor Framework’s requirements.

Please note that the Safe Harbor Framework only applies with respect to data maintained in countries that are subject to the EU Data Privacy Directive. The EU permits its member states to stipulate additional requirements, which may impose further restrictions.