Frequently Asked Questions (FAQs)

FAQ 5 The Role of the Data Protection Authorities ¹

Q: How will companies that commit to cooperate with European Data Protection Authorities make those commitments and how will they be implemented?

A: Under the safe harbor, US organizations receiving personal data from the EU must commit to employ effective mechanisms for assuring compliance with the safe harbor principles. More specifically as set out in the enforcement principle, they must provide (a) recourse for individuals to whom the data relate, (b) follow up procedures for verifying that the attestations and assertions they have made about their privacy practices are true, and (c) obligations to remedy problems arising out of failure to comply with the principles and consequences for such organizations. An organization may satisfy points (a) and (c) of the Enforcement Principle if it adheres to the requirements set out in of this FAQ for cooperating with the DPAs.

An organization may commit to co-operate with the DPAs by declaring in aits safe harbor notification certification to the Department of Commerce (see FAQ 6 on self-certification) that the organization:

1. elects to satisfy the requirement in points (a) and (c) of the safe harbor enforcement principle by committing to co-operate with the DPAs ;

2. will co-operate with the DPAs in the investigation and resolution of complaints brought under the safe harbor; and

3. will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the safe harbor principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the principles, and will provide the DPAs with written confirmation that such action has been taken.

The co-operation of the DPAs will be provided in the form of information and advice in the following way :

- The advice of the DPAs will be delivered through an informal panel of DPAs established at the European level, which will inter alia help ensure a harmonised and coherent approach.

- The DPAs panel will provide advice to the US organizations concerned on unresolved complaints from individuals about the handling of personal information that has been transferred from the EU under the safe harbor  arrangements. This advice will be designed to ensure that the safe harbor principles are being correctly applied and will include any remedies for the individual(s) concerned that the DPAs consider appropriate.

- The panel will provide such advice in response to referrals from the organizations concerned and/or to complaints received directly from individuals against organizations thatwhich have committed to cooperate with them DPAs for safe harbor purposes, while encouraging and if necessary helping such individuals in the first instance to use the in-house complaint handling arrangements that the organization may offer.

- Advice will be issued only after both sides in a dispute have had a reasonable opportunity to comment and toprovide any evidence they wish to. The panel will seek to deliver advice as quickly as this requirement for due process allows. As a general rule, the panel will aim to provide advice within 60 days after receiving a complaint or referral and more quickly where possible.

- The panel will make public the results of its consideration of complaints submitted to it, if it sees fit.

- The delivery of advice through the panel will not give rise to any liability for the panel or for individual DPAs.

As noted above, organizations choosing this option for dispute resolution must undertake to comply with the advice of the DPAs. If an organization fails to comply within 25 days of the delivery of the advice and has offered no satisfactory explanation for the delay, the DPAs' panel will give notice of its intention either to submit the matter to the Federal Trade Commission or other US federal or state body with statutory powers to take enforcement action in cases of deception or misrepresentation, or to conclude that the agreement to co-operate has been seriously breached and must therefore be considered null and void. In the latter case, the DPAs' panel will inform the Department of Commerce (or its designee) so that the list of safe harbor participants can be duly amended. Any failure to fulfill the undertaking to co-operate with the DPAs, as well as failures to comply with the safe harbor principles, will be actionable as a deceptive practice under Section 5 of the FTC Act or other similar statute.

Organizations choosing this option will be required to pay an annual fee which will be designed to cover the operating costs of the panel, and they may additionally be asked to meet any necessary translation expenses arising out of the panel's consideration of referrals or complaints against them. The annual fee will not exceed $500 and will be less for smaller companies.

The option of co-operating with the DPAs will be available to organizations joining the safe harbor during a three-year period. The DPAs will reconsider this arrangement before the end of that period if the number of US organizations choosing this option proves to be excessive.
 

1. The inclusion of this FAQ in the package depends on the agreement of the DPAs. They have discussed the present text in the Article 29 working party and a majority find it acceptable, but they are only prepared to take a definitive view in the context of the overall opinion which the Working Party will issue on the final package.