Privacy Law and Policy Reporter
The European Union’s (EU) comprehensive privacy legislation, the Directive on Data Protection (the Directive), became effective on 25 October 1998. It requires that transfers of personal data take place only to non-EU countries that provide an ‘adequate’ level of privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. Given those differences, many US organizations have expressed uncertainty about the impact of the EU-required ‘adequacy standard’ on personal data transfers from the EU to the United States.
To diminish this uncertainty and provide a more predictable framework for such data transfers, the Department of Commerce is issuing this document and Frequently Asked Questions (‘the Principles’) under its statutory authority to foster, promote and develop international commerce. The Principles were developed in consultation with industry and the general public to facilitate trade and commerce between the United States and EU. They are intended for use solely by US organisations receiving personal data from the EU for the purpose of qualifying for the safe harbor and the presumption of ‘adequacy’ it creates. Because the Principles were solely designed to serve this specific purpose, their adoption for other purposes may be inappropriate. The Principles cannot be used as a substitute for national provisions implementing the Directive that apply to the processing of personal data in the Member States.
Decisions by organisations to qualify for the Safe Harbor are entirely voluntary, and organisations may qualify for the safe harbor in different ways. Organisations that decide to adhere to the Principles must comply with the Principles in order to obtain and retain the benefits of the Safe Harbor and publicly declare that they do so. For example, if an organisation joins a self-regulatory privacy program that adheres to the Principles, it qualifies for the Safe Harbor. Organisations may also qualify by developing their own self-regulatory privacy policies provided that they conform with the Principles. Where in complying with the Principles, an organisation relies in whole or in part on self-regulation, its failure to comply with such self-regulation must also be actionable under s 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts or another law or regulation prohibiting such acts. (See the annex for the list of US statutory bodies recognised by the EU.) In addition, organisations subject to a statutory, regulatory, administrative or other body of law (or of rules) that effectively protects personal privacy may also qualify for Safe Harbor benefits. In all instances, Safe Harbor benefits are assured from the date on which each organisation wishing to qualify for the Safe Harbor self-certifies to the Department of Commerce (or its designee) its adherence to the Principles in accordance with the guidance set forth in the Frequently Asked Question on Self-Certification.
Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts. Consistent with the goal of enhancing privacy protection, organisations should strive to implement these Principles fully and transparently, including indicating in their privacy policies where exceptions to the Principles permitted by (b) above will apply on a regular basis. For the same reason, where the option is allowable under the Principles and/or US law, organisations are expected to opt for the higher protection law where possible.
Organisations may wish for practical or other reasons to apply the Principles to all their data processing operations, but they are only obligated to apply them to data transferred after they enter the Safe Harbor. To qualify for the Safe Harbor, organisations are not obligated to apply these Principles to personal information in manually processed filing systems. Organisations wishing to benefit from the Safe Harbor for receiving information in manually processed filing systems from the EU must apply the Principles to any such information transferred after they enter the Safe Harbor. An organisation that wishes to extend Safe Harbor benefits to human resources personal information transferred from the EU for use in the context of an employment relationship must indicate this when it self-certifies to the Department of Commerce (or its designee) and conform to the requirements set forth in the Frequently Asked Question on Self-Certification. Organisations will also be able to provide the safeguards necessary under art 26 of the Directive if they include the Principles in written agreements with parties transferring data from the EU for the substantive privacy provisions, once the other provisions for such model contracts are authorised by the Commission and the Member States.
US law will apply to questions of interpretation and compliance with the Safe Harbor Principles (including the Frequently Asked Questions) and relevant privacy policies by Safe Harbor organisations, except where organisations have committed to co-operate with European data protection authorities. Unless otherwise stated, all provisions of the Safe Harbor Principles and Frequently Asked Questions apply where they are relevant.
‘Personal data’ and ‘personal information’ are data about an identified or identifiable individual that are within the scope of the Directive, received by a US organisation from the European Union, and recorded in any form.
Notice: An organisation must inform individuals about the purposes for which it collects and uses information about them, how to contact the organisation with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organisation offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organisation or as soon thereafter as is practicable, but in any event before the organisation uses such information for a purpose other than that for which it was originally collected or processed by the transferring organisation or discloses it for the first time to a third party.
Choice: An organisation must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorised by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice. For sensitive information (ie personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorised by the individual through the exercise of opt in choice. In any case, an organisation should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.
Onward transfer: To disclose information to a third party, organisations must apply the Notice and Choice Principles. Where an organisation wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organisation complies with these requirements, it shall not be held responsible (unless the organisation agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organisation knew or should have known the third party would process it in such a contrary way and the organisation has not taken reasonable steps to prevent or stop such processing.
Security: Organisations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorised access, disclosure, alteration and destruction.
Data integrity: Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used. An organisation may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorised by the individual. To the extent necessary for those purposes, an organisation should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current.
Access: Individuals must have access to personal information about them that an organisation holds and be able to correct, amend or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
Enforcement: Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organisation when the Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual’s complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow-up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by organisations announcing their adherence to them and consequences for such organisations. Sanctions must be sufficiently rigorous to ensure compliance by organisations.
Issued by the US Department of Commerce on 21 July 2000. The Safe Harbor Principles are available at <http://europa.eu.int/comm/internal_market/en/media/dataprot/news/shprinciples.pdf>.