Good Company

Maria E. Recalde, Partner
Phone: 617.897.5620
Fax: 617.439.9363
mrecalde@sheehan.com


Practice Areas
Intellectual Property and Technology
International Law

Meeting EU Privacy Requirements for Trans-Atlantic Online Transactions: Safe Harbor Certification


Monday, October 03, 2005



Many U.S. organizations doing business in the European Union (EU) via the Internet are still unaware of the EU's comprehensive privacy legislation that affects trans-Atlantic online transactions.  The EU Data Protection Directive (Directive 95/46/EC, referred to here as the EU Directive) prohibits transfers of personally identifiable information, including transfers made online, to countries outside the EU unless the receiving country ensures an "adequate" level of privacy protection.

Because the EU Directive applies to personal data about individuals in the EU collected over the Internet by any organization, it reaches every e-commerce organization or web site operator in the U.S. that collects such data.  U.S. privacy laws do not conform to the EU's privacy standards and therefore have not been deemed to provide an "adequate" level of protection.  As a result, the EU Directive poses problems for U.S. organizations, potentially exposing them to interruptions in the flow of critical business data or to enforcement action by European data protection authorities for failure to protect the privacy of individuals in the EU.

Recognizing the potential impact on trade with EU countries, the U.S. Department of Commerce, in cooperation with the European Commission, developed the "Safe Harbor" program, which the Commission approved in 2000.  U.S. organizations may participate on a voluntary basis and thereby create a presumption that they provide "adequate" data protection and may receive personal data transferred from the EU.  The Safe Harbor program is designed to bridge the differences between the EU and U.S. approaches to privacy protection and to ensure adequate protection of the personal information of individuals in the EU.

Organizations whose business activities are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation (the two government agencies that have so far assumed responsibility for monitoring compliance) are eligible to participate in the Safe Harbor program.

In order to participate in the Safe Harbor program, U.S. organizations are required to self-certify annually to the U.S. Department of Commerce compliance with seven privacy principles:

Notice.  Organizations must notify individuals about the purpose for which they collect and use personal information about them, to whom it is disclosed, and how to contact the organization with inquiries and complaints.

Choice.  Individuals must have the option to choose whether their personal information is to be disclosed to a third party or to be used for a purpose different than that for which it was originally collected or subsequently authorized by the individual.  For sensitive information, an affirmative "opt in" choice is required.

Onward Transfer.  Organizations must adhere to the notice and choice principles with regard to disclosure of personal information to third parties.  Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the Safe Harbor principles or is subject to the EU Directive or another adequacy finding.  As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant privacy principles.

Access.  Organizations must provide individuals reasonable access to their personal information in order to correct, amend, or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of persons other than the individual would be violated.

Security.  Organizations are required to take reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Data integrity.  Personal information must be relevant for the purposes for which it is to be used.  Organizations must take reasonable steps to ensure that data collected is accurate, complete, current and reliable for its intended use.

Enforcement.  Independent recourse mechanisms for complaint and dispute resolution as well as procedures for verification of adherence to the Safe Harbor principles must be available.

A decision to certify adherence to the Safe Harbor principles is not one to be made lightly.  Compliance with these principles requires, among other things, the drafting and implementation of a detailed privacy policy.  Organizations that decide to certify adherence to the Safe Harbor principles, therefore, should make sure that they can meet all of the requirements.

U.S. organizations that decide to join the Safe Harbor program may do so via the Department of Commerce's web site at www.export.gov/safeharbor or by sending a self-certification letter.  The Department of Commerce maintains a list of all organizations that self-certify and makes the list, together with self-certification-related information, publicly available on its web site.

Once a U.S. organization self-certifies its compliance with the Safe Harbor principles to the Department of Commerce, it is deemed in each of the EU countries to provide "adequate" protection to receive personal information from the EU.  In addition, all EU countries will be bound by the finding of adequacy, and any EU country requirements for prior approval of personal information transfers will be either waived or automatically approved.

An organization may choose to withdraw from the Safe Harbor program at any time by notifying the Department of Commerce.  Failure to comply with the Safe Harbor principles without officially withdrawing from the program, however, will expose the organization to liability.

Additional information about the Safe Harbor program, including self-certification procedure, can be found on the Department of Commerce's website at www.export.gov/safeharbor.  The EU Web Page on Data Protection, http://europa.eu.int/comm/justice_home/fsj/privacy/index_en.htm, also provides helpful information.


This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice. Your receipt of Good Company or any of its individual articles does not create an attorney-client relationship between you and Sheehan Phinney Bass + Green or the Sheehan Phinney Capitol Group. The opinions expressed in Good Company are those of the authors of the specific articles.

© 2008 Sheehan Phinney Bass + Green PA. All rights reserved. Powered by SilverTech, Inc.