International Safe Harbor Privacy Principles
US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data.
Intended for organizations within the EU or US that store customer data, the Safe Harbor Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program as long as they adhere to the 7 principles and the 15 frequently asked questions and answers (FAQs) outlined in the Directive.
The process was developed by the US Department of Commerce in consultation with the EU.
The European Union has for many years had a formalised system of Privacy legislation, which is regarded as more rigorous than that found in many other areas of the world.
Companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive adequate levels of protection.
Such protection can either be at a country level (if the country's laws are considered to offer equal protection) or at an organizational level (where a multinational organization produces and documents its internal controls on personal data).
The Safe Harbor Privacy Principles allows US companies to register their certification if they meet the European Union requirements.
These principles must provide:
- Notice - Individuals must be informed that their data is being collected and about how it will be used.
- Choice - Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security - Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
- Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Enforcement - There must be effective means of enforcing these rules.
After opting in, an organization must re-certify every 12 months. It can either perform a self-assessment to verify that it complies with these principles, or hire a third-party to perform the assessment. There are also requirements for ensuring that appropriate employee training and an effective dispute mechanism are in place.
In a 2011 case, the Federal Trade Commission obtained a consent decree from a California-based online retailer that had sold exclusively to customers in the United Kingdom. Among its many alleged deceptive practices was representing itself as having self-certified under Safe Harbor when in fact it had not. It was barred from doing so in the future.
Criticism and evaluation
The EU-US Safe Harbor has been the subject of significant criticism regarding compliance and enforcement in three external evaluations:
- 2002 review by the European Union: The application of Commission Decision on the adequate protection of personal data provided by the Safe Harbor Privacy Principles (2002)
- 2004 review by the European Union: The implementation of Commission Decision on the adequate protection of personal data provided by the Safe Harbor Privacy Principles (2004)
- 2008 review by Galexia: Chris Connolly (Galexia), US Safe Harbor - Fact or Fiction?, Privacy Laws and Business International, issue 96, December 2008
- "FTC Settlement Bans Online U.S. Electronics Retailer from Deceiving Consumers with Foreign Website Names" (Press release). Washington. Federal Trade Commission. June 9, 2011. Retrieved March 5, 2015.