INTRODUCTION
In response to the European Commission
Directive on Data Protection that could interrupt transfers of personal
information from Europe to countries whose privacy practices are not deemed
"adequate," the U.S. Department of Commerce and the European Commission
have developed a "safe harbor" framework that will allow U.S. organizations
to satisfy the European Directive's requirements and ensure that personal
data flows to the United States are not interrupted. On July 27, 2000,
the European Commission issued its decision in accordance with Article
25.6 of the Directive that the Safe Harbor Privacy Principles provide adequate
protection. The safe harbor framework bridges the differences between
the EU and U.S. approaches to privacy protection and ensures adequate protection
for EU citizens' personal information.
SAFE HARBOR BENEFITS
The safe harbor provides a number of important
benefits to U.S. and EU firms. Most importantly, it provides predictability
and continuity for U.S. and EU companies that are sending and receiving
personal information from Europe. All 15 member countries are bound by
the European Commission's finding of adequacy. The safe harbor eliminates
the need for prior approval to begin data transfers, or makes approval
from the appropriate EU member countries automatic. The Safe Harbor Privacy
Principles offer a simpler and cheaper means of complying with the adequacy
requirements of the Directive, which should particularly benefit small
and medium enterprises.
An EU organization can confirm that the U.S. organization it is sending
information to participates in the safe harbor by viewing the public list
of safe harbor organizations posted on the Department of Commerce's website
(www.ita.doc.gov/ecom). This list will become operational at the beginning
of November 2000. It will contain the names of all U.S. companies
that have self-certified to the Safe Harbor Privacy Principles and any
additional documentation. This list will be regularly updated, so
that it is clear who is in the safe harbor.
HOW DOES AN ORGANIZATION JOIN?
The decision by U.S. organizations to enter
the safe harbor is entirely voluntary. Organizations that decide to participate
in the safe harbor must comply with the safe harbor's requirements and
publicly declare that they do so. To be assured of safe harbor benefits,
an organization needs to self-certify annually to the Department of Commerce
in writing that it agrees to adhere to the safe harbor's requirements,
which include elements such as notice, choice, access, and enforcement.
It must also state in its published privacy policy statement that it adheres
to the safe harbor. The Department of Commerce will maintain a list of
all organizations that file self-certification letters and make both the
list and the self-certification letters publicly available.
To qualify for the safe harbor, an organization
can (1) join a self-regulatory privacy program that adheres to the safe
harbor's requirements; (2) develop its own self regulatory privacy policy
that conforms to the safe harbor; or (3) be subject to a statutory, regulatory,
administrative or other body of law (or rules) that effectively protects
personal privacy.
WHAT DO THE SAFE HARBOR PRINCIPLES REQUIRE?
Organizations must comply with the seven safe harbor principles. The principles require the following:
Notice: Organizations must
notify individuals about the purposes for which they collect and use information
about them. They must provide information about how individuals can contact
the organization with any inquiries or complaints, the types of third parties
to which it discloses the information and the choices and means the organization
offers for limiting its use and disclosure.
Choice: Organizations must
give individuals the opportunity to choose (opt out) whether their personal
information is to be disclosed to a third party or to be used for a purpose
incompatible with the purpose for which it was originally collected or
subsequently authorized by the individual. For sensitive information, affirmative
or explicit (opt in) choice must be given if the information is to be disclosed
to a third party or used for a purpose other than its original purpose
or the purpose authorized subsequently by the individual.
Onward Transfer (Transfers to Third
Parties): To disclose information to a third party, organizations
must apply the notice and choice principles. Where an organization wishes
to transfer information to a third party that is acting as an agent (1),
it may do so if it makes sure that the third party subscribes to the safe
harbor principles or is subject to the Directive or another adequacy finding.
As an alternative, the organization can enter into a written agreement
with such third party requiring that the third party provide at least the
same level of privacy protection as is required by the relevant principles.
Access: Individuals must
have access to personal information about them that an organization holds
and be able to correct, amend, or delete that information where it is inaccurate,
except where the burden or expense of providing access would be disproportionate
to the risks to the individual's privacy in the case in question, or where
the rights of persons other than the individual would be violated.
Security: Organizations
must take reasonable precautions to protect personal information from loss,
misuse and unauthorized access, disclosure, alteration and destruction.
Data integrity: Personal
information must be relevant for the purposes for which it is to be used.
An organization should take reasonable steps to ensure that data is reliable
for its intended use, accurate, complete, and current.
Enforcement: In order to
ensure compliance with the safe harbor principles, there must be (a) readily
available and affordable independent recourse mechanisms so that each individual's
complaints and disputes can be investigated and resolved and damages awarded
where the applicable law or private sector initiatives so provide; (b)
procedures for verifying that the commitments companies make to adhere
to the safe harbor principles have been implemented; and (c) obligations
to remedy problems arising out of a failure to comply with the principles.
Sanctions must be sufficiently rigorous to ensure compliance by the organization.
Organizations that fail to provide annual self-certification letters will
no longer appear in the list of participants, and safe harbor benefits will
no longer be assured.
To provide further guidance, the Department
of Commerce has issued a set of frequently asked questions (FAQs) which
clarify and supplement the safe harbor principles.
HOW AND WHERE WILL THE SAFE HARBOR BE ENFORCED?
In general, enforcement of the safe harbor
will take place in the United States in accordance with U.S. law and will
be carried out primarily by the private sector. Private sector self regulation
and enforcement will be backed up as needed by government enforcement of
the federal and state unfair and deceptive statutes. The effect of these
statutes is to give an organization's safe harbor commitments the force
of law vis-à-vis that organization.
Private Sector Enforcement
As part of their safe harbor obligations, organizations are required to have
in place a dispute resolution system that will investigate and resolve
individual complaints and disputes and procedures for verifying compliance.
They are also required to remedy problems arising out of a failure to
comply with the principles. Sanctions that dispute resolution bodies can
apply must be severe enough to ensure compliance by the organization; they
must include publicity for findings of non-compliance and deletion of data
in certain circumstances. They may also include suspension from membership
in a privacy program (and thus effectively suspension from the safe harbor)
and injunctive orders.
The dispute resolution, verification, and
remedy requirements can be satisfied in different ways. For example, an
organization could comply with a private sector developed privacy seal
program that incorporates and satisfies the safe harbor principles. If
the seal program, however, only provides for dispute resolution and remedies
but not verification, then the organization would have to satisfy the verification
requirement in an alternative way.
Organizations can also satisfy the dispute
resolution and remedy requirements through compliance with government supervisory
authorities or by committing to cooperate with data protection authorities
located in Europe.
Government Enforcement
Depending on the industry sector, the Federal Trade Commission, comparable U.S. government
agencies, and/or the states provide overarching government enforcement
of the safe harbor principles. Where a company relies in whole or in part
on self-regulation in complying with the safe harbor principles, its failure
to comply with such self-regulation must be actionable under federal or
state law prohibiting unfair and deceptive acts, or it is not eligible to
join the safe harbor. An annex to the safe harbor principles contains a
list of U.S. enforcement agencies recognized by the European Commission.
Under the Federal Trade Commission Act,
for example, a company's failure to abide by commitments to implement the
safe harbor principles would be considered deceptive and actionable by
the Federal Trade Commission. This is the case even where an organization
adhering to the safe harbor principles relies entirely on self-regulation
to provide the enforcement required by the safe harbor enforcement principle.
The FTC has the power to rectify such misrepresentations by seeking injunctive
relief and civil penalties of up to $11,000 per day for violations of such
injunctive relief.
Third-party self-regulatory programs (such as BBB Online, TRUSTe, and WEBTrust)
are also subject to enforcement under these unfair and deceptive statutes
in many, if not most, instances if they claim to be enforcing the safe
harbor framework for their safe harbor members but do not.
All fifty states plus the District of Columbia,
Guam, Puerto Rico, and the U.S. Virgin Islands have enacted laws similar
to the Federal Trade Commission Act to prevent unfair or deceptive acts.
These are enforced by their Attorneys General, adding additional resources
to government enforcement of the safe harbor.
Failure to Comply with the Safe Harbor Requirements
If an organization persistently fails to comply with
the safe harbor requirements, it is no longer entitled to benefit from
the safe harbor. Persistent failure to comply arises where an organization
refuses to comply with a final determination by any self-regulatory or
government body, or where such a body determines that an organization frequently
fails to comply with the requirements to the point where its claim to comply
is no longer credible. In these cases, the organization must promptly notify
the Department of Commerce of such facts. Failure to do so may be actionable
under the False Statements Act (18 U.S.C. § 1001).
The Department of Commerce will record on the public list it maintains of
organizations self-certifying adherence to the safe harbor requirements any
notification it receives of persistent failure to comply, and will make clear
which organizations are assured and which organizations are no longer assured
of safe harbor benefits.
An organization applying to participate
in a self-regulatory body for the purposes of re-qualifying for the safe
harbor must provide that body with full information about its prior participation
in the safe harbor.
CONTRACTS
Organizations can also meet the adequacy requirements of the Directive by
incorporating the safe harbor requirements, as the substantive privacy provisions,
into written agreements with the parties transferring data from the EU, once
the other provisions for such model contracts are approved by the Commission
and the Member States.
FURTHER INFORMATION
The safe harbor principles, the FAQs, and
other related documents are available at
www.ita.doc.gov/ecom.
For further information on the benefits and requirements of the safe harbor
principles, please contact the International Trade Administration, 202-482-1614.
(1) It is not necessary to provide notice or choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. The onward transfer principle, on the other hand, does apply to such disclosures.