After more than two years of negotiations with the US Department of Commerce, the European Commission approved the Safe Harbor scheme, which sets out a framework of data protection standards allowing the free flow of personal data from EEA data controllers to the US organisations that have joined the scheme.
US companies that adhere to the Safe Harbor data protection standards, principles and procedures will be deemed to provide an adequate level of protection which satisfies, in UK terms, the requirements of Principle 8.
For international companies with subsidiaries or trading partners in the US and the EEA, the Safe Harbor scheme is designed to reduce the administrative burden of complying with the Data Protection Directive and to ensure that data flows to Europe are uninterrupted. However, given the limited take-up, it is questionable whether this has been achieved in practice.
The Safe Harbor scheme applies only to the transfer of personal data from a data controller in the UK to a data controller in the US. It does not apply to transfers of personal data from a UK data controller to a US data processor that processes personal data in the US or the EEA, nor is the scheme applicable where data is obtained directly from individuals via a website.
At present, US businesses in sectors such as telecommunications and financial services are not able to take advantage of the scheme.
In order to be eligible to join the Safe Harbor scheme, a US organisation must be monitored or regulated by an independent statutory body which can protect personal privacy effectively and has jurisdiction to investigate complaints. The Federal Trade Commission ('FTC') and the Department of Transportation ('DOT') are such statutory bodies recognised by the European Commission. For example, air carriers may participate as they are subject to the jurisdiction of the DOT. Voluntary compliance, monitored by the FTC, therefore allows, for example, the transfer of customer details from a US company's European offices or subsidiaries into the US.
To qualify for the Safe Harbor scheme, a US organisation has three options. It can:
- join a self-regulatory privacy programme which adheres to the requirements, organised by firms such as VeriSign and TRUSTe; or
- be subject to a statutory or other body of law or rules which effectively achieves the same standards.
Organisations must commit to a data protection and privacy notice which complies with all seven Safe Harbor principles, set out below.
The Safe Harbor scheme establishes seven principles which are broadly equivalent to the standards established by the principles of the Act.
- Notice: giving individuals notice of the purposes for which their data are collected, notice of the third parties to whom the data may be disclosed, information to enable the individuals to contact the organisation for enquiries or complaints and the means offered for limiting use and disclosure.
- Choice: offering individuals the choice of opting out of disclosure to third parties and the choice of whether or not to allow the organisation to use the data for purposes other than those for which they were originally collected. An opt-in approach is required if sensitive data are involved.
- Onward transfers: data may be disclosed only to third parties who either subscribe to the Safe Harbor principles, or who are subject to the Data Protection Directive, or who enter into a written agreement to provide the equivalent level of privacy protection.
- Access: providing the individual with access to his data and giving him the right to have the information corrected upon request, unless the burden or expense of doing so is disproportionate or would violate the rights of another individual.
- Security: taking reasonable precautions to protect personal data from loss or misuse and from unauthorised access, disclosure, alteration and destruction.
- Data integrity: ensuring that data are accurate, up-to-date, relevant and reliable for their intended use.
- Enforcement: providing effective enforcement mechanisms and dispute resolution procedures.
The Safe Harbor principles require that an organisation’s policy be enforceable. How does the law apply to ensure that those who self-certify do not merely pay lip-service to data protection principles? There are several ways in which enforcement can be achieved.
Once on the register of Safe Harbor, the organisation must self-certify annually. It does this by verifying its compliance with the principles by means of internal or external audits. At least once a year a statement must be signed by a corporate officer, or other authorised representative of the organisation, to the effect that the organisation has conducted an assessment which verifies the organisation's compliance. This statement must then be made available upon request or whenever the organisation's compliance is being investigated.
- the statutory body which has jurisdiction to hear complaints against it;
- the names of any privacy programs of which it is a member; and
- the independent dispute resolution mechanism by which complaints may be investigated.
This ensures that any member of the public can find out where to address complaints. The dispute resolution mechanism can be provided by private sector self-regulatory bodies such as TRUSTe, through legal or regulatory supervisory authorities or by committing to co-operate with data protection authorities in the EEA. The US organisation must also be able to remedy problems arising out of a failure to comply with Safe Harbor principles.
Sanctions for non-compliance include publicising non-compliance, deletion of data, compensation and injunctive orders. If the recourse mechanism provided is a private sector self-regulatory dispute resolution body, then any failure to comply with its ruling must be notified either to the courts, the FTC or DOT (as appropriate) and, in the case of persistent failure to comply with the Safe Harbor requirements, to the Department of Commerce.
The FTC and DOT are committed to taking action against companies who fail to live up to their self-certified privacy policies. Under the Federal Trade Commission Act ('FTCA'), "unfair or deceptive acts or practices in or affecting commerce" are illegal and the FTC is empowered to take action to prevent them. If an organisation signs up to the Safe Harbor principles and then fails to comply, it has misrepresented its practice on the treatment of personal information.
After a formal hearing the FTC may impose sanctions for breach of the FTCA. Sanctions available to the FTC to stop processing include cease and desist orders, restraining orders and injunctions.
Non-compliance with such an order attracts a further penalty of $12,000 for each day of the period of non-compliance.
The DOT also has the power to stop unfair and deceptive practices in relation to carriage by air.
In addition to the recourse mechanism under the scheme and to the power of the statutory overseer, organisations which fail to comply with their own Safe Harbor promises may be open to claims made directly by individuals for misrepresentation. Individuals may also claim for breaches of privacy under common law and under some federal and state statutes.