Safe Harbor Workbook
This Safe Harbor workbook is designed to aid U.S. organizations to assess their privacy policies and practices with respect to complying with the Safe Harbor Frameworks. Implementation of the Safe Harbor Frameworks will require you to consider your organization’s specific needs, practices, and objectives; therefore, the guidance provided in this workbook does not constitute legal advice and is not intended as a substitute for the services of legal counsel or other qualified professionals. The information in this publication is provided on an "as is" basis, and no warranty of the suitability of the advice offered for your organization is made by this publication.
INTRODUCTION: PRIVACY AND THE SAFE HARBOR FRAMEWORKS
Today’s information technologies allow information to be collected, compiled, analyzed, and delivered globally more quickly and inexpensively than ever before. Where it was once difficult, time-consuming, and expensive to obtain compile, and analyze information, it is now often available with a few simple clicks of a computer mouse. Increased access to information facilitates personal and political expression as well as commerce, education, and health care. Consumers benefit from the increased access to information. Organizations benefit through reduced costs and client-focused advertising.
The advent of global communications and data flows also raises new challenges and opportunities for building processes to effectively protect privacy. Multinational organizations may centralize all human resources information in one location from their constituent affiliates around the world for record keeping, benefits, and payroll purposes; credit card organizations may do the same with bankcard information for billing purposes and account management. Citizens of one country may easily visit web sites in other countries, transferring personal information across borders as they visit. Laws, which generally are limited by national borders, may have little effect in a medium without borders.
Many countries share concerns about the impact of the expansion of electronic networks on information privacy. Indeed, converging technologies and mobile communications heighten the risk and the opportunity for accessing content (e.g. music downloads, text messaging, bill paying, and a host of other services) now available on one’s mobile phone. Recognizing the importance information and communications technologies play in the global economy and the need to transfer data across national borders, the United States, the European Union (EU)1, and Switzerland address these concerns, but in markedly different ways.
The terms of the EU Directive on Data Protection requires the European Commission2 to determine the "adequacy" of data protection in third countries and to prohibit personal data flows to countries with privacy regimes that are not deemed "adequate." Organizations wishing to receive personally identifiable information from the EU would have to provide "adequate" privacy protection. The Swiss Federal Act on Data Protection (FADP) imposes a similar prohibition on personal data flows to countries with privacy regimes that are not deemed “adequate”.
The implications for major trade partners, such as the United States, which receive a significant number of data transfers from EU Member States and Switzerland, are serious. In 2010, U.S.-EU trade was approximately $560 billion and U.S.-Swiss trade was approximately $40 billion. Data transfers are the lifeblood of many organizations and the underpinnings for all of electronic commerce. Multinational organizations routinely share among their different offices a vast array of personal information. This information can be as simple as personnel telephone directories or involve more sensitive information, such as personnel records, insurance information needed to process medical claims, credit card billing information or patient information essential for conducting pharmaceutical research.
Accordingly, the United States initiated a high-level informal dialogue, led by the U.S. Department of Commerce’s International Trade Administration and the European Commission, with the twin goals of ensuring the free flow of data and effective protection of personal data. These discussions led to the development of the "Safe Harbor" framework based on Safe Harbor Privacy Principles that reflect the U.S. approach to privacy and, at the same time, meet the EU Directive’s "adequacy" requirements. These principles were deemed "adequate" by the European Commission in July 2000. The U.S.-EU Safe Harbor Framework entered into effect in November 2000. The European Economic Area (EEA)3 also has recognized the U.S.-EU Safe Harbor Framework as providing adequate data protection. In 2009, the United States concluded another high-level informal dialogue, led by the U.S. Department of Commerce’s International Trade Administration and the Federal Data Protection and Information Commissioner of Switzerland. This dialogue resulted in the separate, but substantially similar U.S.-Swiss Safe Harbor Framework.
SECTION I: PRIVACY IN THE UNITED STATES AND EUROPE
At the end of this section, you should be able to
- Understand the impact of differing national laws and
- Know the differences between the U.S. and European approaches to privacy
Many fear that privacy concerns can stunt the growth of electronic commerce. Without confidence that information provided online will be protected and used responsibly, users will not take full advantage of the benefits that electronic commerce offers. No amount of marketing, attractive pricing or convenience will spur online users to conduct business online if they believe that doing so will unduly compromise the privacy of their personal information.
The United States, the EU and its member states, and Switzerland are committed to making privacy protections available to their citizens without unnecessarily impeding the free flow of data. The United States has largely adopted a self-regulatory approach to the development of privacy protections in the private sector, addressing specific privacy concerns in the law as needed. The concern is that privacy issues differ across industry sectors, and that "a one size fits all" legislative approach would lack the necessary precision to avoid interfering with the benefits that result from the free flow of data. Nonetheless, the United States does address specific privacy concerns in the law as needed, particularly where sensitive information is involved or there have been cases of abuses. In Europe, however, privacy laws tend to be comprehensive, applying to every industry and closely regulating what information is collected and how it is used.
U.S. Approach to Privacy
In the United States, the importance of protecting the privacy of individuals’ personal information is a priority for the Federal Government and consumers. Consumers repeatedly cite fears that their personal information will be misused as a reason for not doing business online. In this way, moves to bolster online privacy protect consumer interests and fuel the broader growth of online communications, innovation, and business. Self-regulatory initiatives are an effective approach to putting meaningful privacy protections in place. In certain highly sensitive areas, however, legislative solutions are appropriate. These sensitive areas include financial and medical records, genetic information, Social Security numbers, and information involving children.
A self-regulatory initiative could involve a number of companies in the same line of business deciding that they will follow certain rules in handling information about their customers. These companies might also decide to display a seal that shows that they follow the rules. If one of the members of this "self-regulatory regime" breaks the rules, the company's membership and permission to display the seal will be revoked. Companies across industries, especially in Internet-related fields, are increasingly hiring privacy experts and making the protection of customer information a priority. The continuing introduction of new technologies designed to protect the privacy of personal information will have a profound effect on empowering consumers to control how their personal information is used. The Federal Government continues in its mission to be a model citizen of cyberspace in its information practices. The goal is for the Federal Government to serve as an example for private companies, as well as state and local governments.
The United States has supported legislative solutions in certain sensitive areas. In 1999, Congress passed and the President signed into law the Financial Modernization Act which included significant new privacy protections for financial information. In addition, the Administration issued rules guaranteeing the privacy of medical information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In 1998, the Administration worked with Congress to pass the Children’s Online Privacy Protection Act (COPPA). COPPA requires commercial web sites that target children under the age of 13 to obtain verifiable parental consent before they gather information from children under the age of thirteen.
The European Approach
While the United States, the EU, and Switzerland generally agree on the underlying fair information principles, they employ different means to achieve this goal. The European approach to privacy grows out of Europe’s history and legal traditions. In Europe, protection of information privacy is viewed as a fundamental, human right. Europe also has a tradition of prospective, comprehensive lawmaking that seeks to guard against future harms, particularly where social issues are concerned.
The adoption of a directive in July 1995 marked the culmination of an examination, stretching over a period of fifteen years, of the impact of technology on society. The European Commission’s Directive on Data Protection entered into effect in October 1998, and would prohibit the transfer of personal data to non-EU countries that do not meet the EU “adequacy” standard for privacy protection. Member States were required to bring into force laws, regulations, and administrative provisions to comply with the Directive by its effective date.
The European Union Directive on Data Protection
A quick review of the EU Directive’s basic terms makes clear that, consistent with European tradition, the EU Directive takes a regulatory and comprehensive approach to privacy issues. It has two basic objectives: first, to protect individuals with respect to the "processing" of personal information; and second, to ensure the free movement of personal information within the EU through the coordination of national laws (Article 1).
‘Personal data’ is defined as information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Article 2).
The scope of the EU Directive is very broad. It applies to all processing of data, online and off-line, manual as well as automatic, and all organizations holding personal data. It excludes from its reach only data used "in the course of purely personal or household activity" (Article 3). The EU Directive establishes strict guidelines for the processing of personal data. "Processing" includes any operations involving personal data, except perhaps its mere transmission (Article 2). For example, copying data or putting it in a file is viewed as "processing." The substantive aspects of the EU Directive’s privacy protections are based on the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data adopted by the Organization for Economic Cooperation and Development (OECD) in 1981.
Data Quality. The EU Directive requires that all personal data must be processed fairly and lawfully, so that, for example, a person whose personal data is at issue knows that it is being collected and used and must be informed of the proposed uses. Furthermore, the use of personal data must be limited to the purpose first identified and to other compatible uses, and no more data may be collected than is required to satisfy the purpose for which it is collected. In other words, the theory is that if a person provides information to obtain telephone service, that information should not be used to target that person for information about vacation trips, nor should information relevant to a customer’s interests in vacation trips be required to get, for instance, telephone service. Data must also be kept accurate and up to date (Article 6).
Legitimate Data Processing. The EU Directive sets forth rules for "legitimate" data processing. Most basically, this requires obtaining the consent of the data subject before data is processed unless specific exemptions apply (Article 7). In addition, certain information must be provided to data subjects when their personal data is processed (Article 10), such as whether they have rights to see the data, to correct any data that is inaccurate, or to know who will receive the data (Article 12).
Sensitive Data. "Sensitive" data, such as that pertaining to racial or ethnic origins, political or religious beliefs, or health or sex life, may not be processed at all unless such processing comes within limited exceptions, for example if the individual gives explicit consent (Article 8).
Security. The EU Directive requires that "appropriate technical and organizational measures to protect data" against destruction, loss, alteration, or unauthorized disclosure or access be taken (Article 17).
Data Controllers. The EU Directive requires those processing data to fulfill very specific requirements. Specifically, they must appoint a "data controller" responsible for all data processing, who must register with government authorities (Article 19) and notify them before processing any data (Article 18). Notification must at a minimum include: the purpose of the processing; a description of the data subjects; the recipients or categories of recipients to whom the data might be disclosed; proposed transfers to third countries; and a general description that would allow a preliminary assessment of whether requirements for security of processing have been met (Article 19).
Government Data Protection Authorities. The EU Directive also mandates a government authority to oversee data processing activities. Each Member State must establish an independent public authority to supervise the protection of personal data. These "Data Protection Commissions" must have the power to: (1) investigate data processing activities and monitor application of the EU Directive; and (2) intervene in the processing and to order the blocking, erasure, or destruction of data as well as to ban its processing. They must also be authorized to hear and resolve complaints from data subjects and must issue regular public reports on their activities (Article 28).
Transfers of Data Outside the EU. Most importantly from the U.S. perspective, the EU Directive requires that Member States enact laws prohibiting the transfer of personal data to countries outside the EU that fail to ensure an "adequate level of [privacy] protection" (Article 25). Where the level of protection is deemed inadequate, Member States are required to take measures to prevent any transfer of data to the third country. Member States and their Data Protection Commissions must inform each other when they believe that a third country does not ensure an adequate level of protection.
The Swiss Federal Act on Data Protection
The Swiss Federal Act on Data Protection (FADP) went into effect in July 1993, followed by important modifications in January 2008. The FADP would prohibit the transfer of personal data to countries that do not meet Switzerland’s “adequacy” standard for privacy protection. The Swiss data protection legal framework relies on comprehensive legislation that requires an independent government data protection agency, registration of data bases with this agency, and in some cases prior approval before personal data processing may begin.
SECTION II: OVERVIEW OF THE SAFE HARBOR FRAMEWORK
At the end of this session, you should be able to:
- Describe the Safe Harbor program and its benefits;
- Determine what organizations may join the Safe Harbor program; and
- Understand how the program will be enforced.
The U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework were developed by the U.S. Department of Commerce, in consultation with the European Commission and the Swiss Federal Data Protection and Information Commissioner, industry, and non-governmental organizations to provide U.S. organizations with a streamlined means of satisfying the "adequacy" requirements under the EU Directive on Data Protection and the Swiss Federal Act on Data Protection (FADP). The Safe Harbor website was developed to provide the information an organization should need to evaluate – and then join – the Safe Harbor program.
Participation in the Safe Harbor program is entirely voluntary; nevertheless, U.S. organizations wishing to receive personal information from EU or Swiss organizations legally either must join the Safe Harbor program, satisfy one of the exceptions under the EU Directive or Swiss data protection law, or seek an "adequacy" determination. For example, under the EU Directive, personal data that is necessary to complete a contract between an individual and the organization may be transferred without an "adequacy" determination, and data importing organizations may receive such data if they enter into contracts with data exporting organizations that bind the data importer to provide "adequate" privacy protection (See Article 26).
Description of the Safe Harbor Frameworks
Although the respective sets of Safe Harbor Privacy Principles, frequently asked questions and answers (FAQs), and enforcement statements of the two Safe Harbor Frameworks are similar, they differ in a number of ways. Understanding the Safe Harbor Frameworks requires familiarity with all of the relevant documents.
The U.S.-EU Safe Harbor Framework is comprised of 7 Safe Harbor Privacy Principles, 15 FAQs, letters from the Federal Trade Commission and the Department of Transportation on their enforcement powers, the exchange of letters between the U.S. Department of Commerce and the European Commission, and the European Commission’s adequacy decision.
The U.S.-Swiss Safe Harbor Framework is comprised of 7 Safe Harbor Privacy Principles, 15 FAQs, letters from the Federal Trade Commission and the Department of Transportation on their enforcement powers, and the exchange of letters between the U.S. Department of Commerce and the European Commission.
The U.S. Department of Commerce holds regular discussions with the European Commission and the Swiss Federal Data Protection and Information Commissioner regarding the administration of the Safe Harbor program. All parties concerned emphasize the importance of bilateral cooperation in order to ensure continued data flows and have committed to keep each other informed of any actions that may interrupt data flows.
Benefits of Implementing the Safe Harbor Frameworks
The Safe Harbor program provides predictability and continuity for those EU and Swiss organizations that send personal information to the United States and U.S. organizations that receive personal information from the EU and Switzerland. All 28 EU Member States are bound by the European Commission’s finding of adequacy and Iceland, Liechtenstein, and Norway are bound by the EEA’s recognition of adequacy. Participation in the Safe Harbor program either eliminates the need for prior approval to begin data transfers or provides for automatic approvals. The program also provides for a flexible privacy regime more congenial to the U.S. approach to privacy and, subject to certain limitations, enforcement will be conducted in the United States (i.e. as opposed to in Europe). The Safe Harbor Privacy Principles offer a simple and efficient means of complying with the EU and Swiss adequacy requirements, which should particularly benefit small and medium enterprises.
Which Organizations May Join the Safe Harbor Program
U.S. organizations subject to the jurisdiction of the Federal Trade Commission (FTC) and U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DoT) may participate in the Safe Harbor program. The FTC and the DoT have both stated in letters that they will take enforcement action against organizations that state that they are in compliance with one or both of the Safe Harbor Frameworks, but then fail to live up to their statements. Please note that certain sectors are not subject to the jurisdiction of either the FTC or the DoT, and thus may not be eligible for Safe Harbor. Organizations generally not subject to FTC jurisdiction include certain financial institutions, such as banks, investment houses, credit unions, and savings & loan institutions, as well as telecommunication common carriers, labor associations, non-profit organizations, agricultural co-operatives, and meat processing facilities. In addition, the FTC’s jurisdiction with regard to insurance activities is limited to certain circumstances. If your organization is considering joining Safe Harbor, but you are not certain whether it falls within the jurisdiction of either the FTC or the DoT, it is recommended that you contact those agencies for further guidance.
Which Organizations Should Join the Safe Harbor Program
Organizations that receive personally identifiable information from EU Member States or Switzerland are required to demonstrate that they provide "adequate" privacy protections. Organizations that receive personally identifiable information and have not identified either another basis for demonstrating "adequacy" or a relevant exception under the EU Directive or Swiss data protection law should consider joining the Safe Harbor program as one means of meeting these "adequacy" requirements. Though not necessary to comply with U.S. law, organizations that wish to demonstrate to their customers that they provide a high level of privacy protection may also consider joining the Safe Harbor program, recognizing that the Safe Harbor program is only applicable to transfers of personally identifiable data from the EU and Switzerland to the United States.
How Do Organizations Join the Safe Harbor Program
The Department of Commerce maintains lists of all organizations that register through its Safe Harbor website (http://business.usa.gov/export/safeharbor) or through a letter. An EU or Swiss organization can ensure that it is sending information to a U.S. organization participating in the Safe Harbor program by viewing the public lists of Safe Harbor organizations posted on the Safe Harbor website. These lists, which became operational in 2000 and 2009, are updated regularly, so that it is clear which organizations participate in the Safe Harbor program.
How and Where Will the Safe Harbor Program be Enforced
In general, enforcement of the Safe Harbor program takes place in the United States in accordance with U.S. law and relies, to a great degree, on enforcement by the private sector. Safe Harbor private sector enforcement has three components: verification, dispute resolution, and remedies. Organizations are required to have procedures for verifying compliance, either independent or self-assessment, to have in place a dispute resolution system that will investigate and resolve individual complaints and disputes, and to remedy problems arising out of a failure to comply with the Safe Harbor Privacy Principles. (See U.S.-EU Safe Harbor Framework FAQ 11 and U.S.-Swiss Safe Harbor Framework FAQ 11) Organizations that receive human resources data from the EU and/or Switzerland regarding their own employees must cooperate and comply with the EU data protection authorities and/or the Swiss Federal Data Protection and Information Commissioner with respect to such data, but provision is also made for organizations to choose to cooperate with the appropriate data protection authorities in order to satisfy the dispute resolution and remedy requirements even where organization human resources data is not involved. (See U.S.-EU Safe Harbor Framework FAQ 5 and FAQ 9, and U.S.-Swiss Safe Harbor Framework FAQ 5 and FAQ 9)
Private sector self-regulation and enforcement will be backed up as needed by government enforcement of the federal and state unfair and deceptive trade practices statutes. The effect of these statutes is to give an organization’s Safe Harbor commitments the force of law vis-a-vis that organization.
Depending on the industry sector, the FTC or the DoT provide overarching government enforcement of the Safe Harbor Frameworks. Where an organization relies in whole or in part on self-regulation in complying with the Safe Harbor Privacy Frameworks, its failure to comply with such self-regulation must be actionable under federal or state law prohibiting unfair and deceptive acts or it is not eligible to join the Safe Harbor program. (Note: It is possible that an annex to the Safe Harbor Privacy Principles will contain a list of additional U.S. governmental enforcement agencies recognized by the European Commission and the Swiss Federal Data Protection and Information Commissioner. It is possible that this list will expand as more agencies declare their willingness to enforce the Safe Harbor program).
Failure to Comply with the Safe Harbor Program Requirements
If a U.S. Safe Harbor organization persistently fails to comply with the Safe Harbor program requirements, it is no longer entitled to benefit from the Safe Harbor program. ‘Persistent failure to comply’ arises where an organization refuses to comply with a final determination by any self-regulatory or government body or where such a body determines that an organization frequently fails to comply with the requirements to the point where its claim to comply is no longer credible. In these cases, the U.S. Safe Harbor organization must promptly notify the Department of Commerce, either by e-mail or by letter, of such facts. The Safe Harbor List(s) will indicate that there has been a persistent failure to comply and the communication from the enforcement body will be made public 30 days after the Department of Commerce receives the notification.
The lists maintained by the Department of Commerce will indicate any notifications that the Department of Commerce receives of persistent failure to comply and will make clear which organizations are assured and which organizations are no longer assured of Safe Harbor benefits.
Safe Harbor Privacy Principles
Notice: An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, the choices and means the organization offers individuals for limiting its use and disclosure, and how it is secured. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.
Choice: An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.
For ‘sensitive information’ (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), individuals must be given an affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.
Onward Transfer: To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it first either ascertains that the third party subscribes to the Safe Harbor Privacy Principles or is subject to the EU Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Safe Harbor Privacy Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.
This principle is intended to ensure that there is as little leakage of data from Safe Harbor protections as possible. In certain circumstances, if you know someone is doing wrong, such as misusing property for which you are responsible or misbehaving in a situation for which you have responsibility and you do not stop them, you bear some responsibility for the consequences. This principle provides some on-going responsibility for data transferred pursuant to the Safe Harbor. In Europe, this responsibility would be provided by data protection laws. Since omnibus data protection laws do not exist in the United States, we have adopted this principle.
This concept is neither new nor novel in the U.S. legal system. An employer’s responsibility to provide a workplace free from hazardous situations, including careless or reckless employees, is one example. An employer’s responsibility to provide a workplace free from a hostile atmosphere of sexual harassment is another example. Senior officers of organizations can be held personally responsible for the acts of lower-level employees for certain violations of the laws. What is novel is the application of this concept to personal information.
Security: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
Organizations must take special care to protect sensitive information, as defined in the Safe Harbor Privacy Principles (See Choice Principle).
Data Integrity: Consistent with the Safe Harbor Privacy Principles, personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
This principle minimizes the risk that personal information would be misused, because the organization is collecting only relevant information. You also avoids the risk that decisions will be based upon erroneous or inappropriate information.
Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
Customers are concerned not only about what data is being collected about them, but also that this information is correct and timely. Providing access to the data that your organization has collected about an individual allows that person to check the stored information and ensure that it is up-to-date and correct, and that your organization is doing what it says it is doing about collecting and retaining data.
Allowing customers to access and correct information collected about them can greatly increase customer confidence by assuring them that they will only receive further information about other goods and services that are of interest to them (if your organization re-markets goods and services either internally or through the sale of information to third parties) or that their goods will be delivered promptly and properly. At the same time, your organization benefits from having accurate customer information.
The question of how and to what extent customers should have access to their data requires a nuanced response. The obligation of an organization to provide access to the personal information it holds about an individual is subject to the principle of proportionality or reasonableness and has to be tempered in certain instances. Expense and burden are important factors and should be taken into account, but they are not controlling in determining whether providing access is reasonable. The sensitivity of the data is also important in considering whether access should be provided. (See FAQ 8 for additional information about when access must be provided.)
Enforcement: Effective privacy protection must include mechanisms for assuring compliance with the Safe Harbor Privacy Principles, recourse for individuals to whom the data relate affected by non-compliance with the Safe Harbor Privacy Principles, and consequences for the organization when the Safe Harbor Privacy Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the Safe Harbor Privacy Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Safe Harbor Privacy Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. (For additional information about enforcement required under the Safe Harbor Frameworks see U.S.-EU Safe Harbor Framework FAQ 11 and U.S.-Swiss Safe Harbor Framework FAQ 11.)
Safe Harbor private sector enforcement has three components: verification, dispute resolution, and remedy. Organizations are required to have procedures for verifying compliance, either independent or self-assessment, to have in place an independent dispute resolution system that will investigate and resolve individual complaints and disputes, and to remedy problems arising out of a failure to comply with the Safe Harbor Privacy Principles.
Dispute Resolution Mechanism
By providing a means of redress, organizations assure customers that they are committed to resolving any privacy concerns that the customers may have. An organization should state clearly how customers who believe that their privacy has been violated in contravention of the Safe Harbor Privacy Principles should contact the organization and what steps the organization will take to resolve such issues.
Selecting a Dispute Resolution Mechanism
A dispute resolution mechanism, which meets the minimal requirements described in the Safe Harbor Enforcement Principle, assures your customers that your organization is complying with its stated privacy policies.
While private sector developed mechanisms vary, organizations such as the Council of Better Business Bureaus (BBB), TRUSTe, the Direct Marketing Association, and the Entertainment Software Rating Board have indicated that they have developed privacy programs that allow companies to comply with the Safe Harbor Enforcement Principle. Other programs, such as outside arbitration and mediation services (e.g. JAMS or the American Arbitration Association) may also be used, so long as every complaint is heard in compliance with the Enforcement Principle and FAQ 11. (Note: An organization self-certifying compliance with one or both of the Safe Harbor Frameworks is responsible for ensuring that it has chosen a dispute resolution provider that will satisfy the requirements of the Safe Harbor Framework(s). The Department of Commerce does not certify programs to serve as dispute resolution mechanisms under Safe Harbor; therefore, the Department of Commerce cannot guarantee that a particular program will meet all Safe Harbor requirements, including those under FAQ 11).
Organizations that receive human resources data from the EU and/or Switzerland regarding their own employees (i.e. organization human resources data) must cooperate and comply with the EU data protection authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner with respect to such data, but provision is also made for organizations to choose to cooperate with the appropriate data protection authorities in order to satisfy the dispute resolution and remedy requirements even where organization human resources data is not involved. (See U.S.-EU Safe Harbor Framework FAQ 5 and FAQ 9, and U.S.-Swiss Safe Harbor Framework FAQ 5 and FAQ 9)
Please note that organizations that utilize the EU data protection authorities for dispute resolution will be required to pay an annual fee of US $50 in order to cover the operating costs of the data protection authorities' panel. This fee is payable to the United States Council for International Business (U.S. Council for International Business c/o Safe Harbor – EU DPAs; 1212 Avenue of the Americas, 21st Floor; New York, NY 10036), which has agreed to act as trusted third party for this purpose. If you require further information on how to carry out the payment, please see: http://uscib.org/index.asp?documentID=4495. If, on the other hand, you require further information on how the cooperation / compliance with the EU DPAs works, you may refer to the resources concerning the EU DPAs' panel (e.g., the Standard Complaint Form and Internal Operating Procedures) that are available on the European Commission’s website, contact the panel secretariat at: email@example.com, and/or contact the DPAs directly (see http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm).
Evaluating a Dispute Resolution Mechanism
Remedies and Sanctions
The dispute resolution body that is chosen must provide sufficiently rigorous sanctions to ensure compliance by organizations. The remedies should be such that noncompliance is reversed or corrected and future processing is in conformity with the Safe Harbor Privacy Principles. Sanctions should include both publicity for non-compliance and deletion in certain instances. In instances of persistent failure to comply, the dispute resolution body must have the ability to notify such failures to a governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department of Commerce.
Review of FAQs
In addition to the shared set of Safe Harbor Privacy Principles, each of the Safe Harbor Frameworks include 15 FAQs. Although there is considerable overlap between the two sets of FAQs, there are also important differences (e.g. FAQs 5, 9, and 11). It is important to review the relevant 15 FAQs to see if any of the sector specific FAQs apply to your organization. For example, FAQ 2 provides an explanation of the exceptions for journalists, FAQ 14 provides additional guidance for handling information dealing with pharmaceuticals and medicals products, and FAQ 15 provides additional guidance on how publicly available information should be handled. Familiarize yourself with the contents of these FAQs generally and make sure that your organization’s policies conform with these as well.
Safe Harbor List Procedures
- To be included on one or both of the Safe Harbor Lists (U.S.-EU Safe Harbor List and/or U.S.-Swiss Safe Harbor List), an organization must notify the Department of Commerce that it adheres to the Safe Harbor Privacy Principles.
- An organization interested in participating in the Safe Harbor program must complete the self-certification application, keep a copy for its records, and submit the application to the Department of Commerce’s Safe Harbor Team. An organization corporate officer may register and submit the application via the Safe Harbor website (http://business.usa.gov/export/safeharbor/). The Safe Harbor Team strongly recommends that an organization register and submit the application via the Safe Harbor website, as this option is the one best suited to process submissions in a timely and accurate manner. A self-certification submission must include all of the information required by FAQ 6.
- Although participation in the U.S.-EU Safe Harbor program and/or the U.S.-Swiss Safe Harbor program and self-certification to the list(s) are voluntary, once an entity elects to participate in the Safe Harbor program, it is legally required to comply with the Safe Harbor Privacy Principles. An organization’s absence from the list(s) does not mean that it does not provide effective protection for personal data or that it does not qualify for the benefits of the Safe Harbor program.
- In order to keep the lists current, a notification will be effective for a period of twelve months; therefore, organizations must notify the Department of Commerce every twelve months to reaffirm their continued adherence to the Safe Harbor Framework(s).
- Organizations should notify the Department of Commerce either by e-mail or letter if their representation to the Department is no longer valid. Failure by an organization to so notify the Department could constitute a misrepresentation of its adherence to the Safe Harbor Frameworks and may be actionable under the False Statements Act (18 U.S.C. § 1001).
- An organization may withdraw from the list(s) at any time by notifying the Department of Commerce by e-mail or letter. Withdrawal from the list(s) terminates the organization’s representation of adherence to the Safe Harbor Framework(s), but this does not relieve the organization of its Safe Harbor obligations with respect to personal information received during the time that the organization was on the list(s).
- If a relevant self-regulatory or government enforcement body finds that an organization has engaged in a persistent failure to comply with the Safe Harbor Privacy Principles, then the organization is no longer entitled to the benefits of the Safe Harbor program. In this case, the organization must promptly notify the Department of Commerce of such facts either by e-mail or letter. Failure to do so may be actionable under the False Statements Act (18 U.S.C. 1001). That organization must also provide the Department with a copy of the decision letter from the relevant self-regulatory or government enforcement body.
1 The European Union (EU) is a regional, treaty-based organization that manages economic and political cooperation among its 28 Member States. The countries that belong to the EU are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
2 The European Commission proposes legislation, implements policy, and enforces the EU treaties. It has investigative powers and can take legal action against Member States or companies that violate EU treaties or rules. The European Commission manages the EU budget and represents the EU in trade negotiations.
3 The Agreement on the European Economic Area (EEA), which entered into force on January 1, 1994, brings together the 28 EU Member States and three EFTA countries — Iceland, Liechtenstein and Norway — in a single internal market. Switzerland, which is an EFTA country, is not part of the EEA Agreement, but has a bilateral agreement with the EU. The EEA Agreement also states that when a country becomes a member of the EU, it shall also apply to become party to the EEA Agreement (Article 128), thus leading to an enlargement of the EEA.
The EEA Agreement provides for the inclusion of EU legislation covering the four freedoms — the free movement of goods, services, persons and capital — throughout the 31 EEA States. In addition, the Agreement covers cooperation in other important areas, such as consumer protection. The Agreement guarantees equal rights and obligations within the Internal Market for citizens and economic operators in the EEA.