Safe Harbor
The Problem:
Enshrined in the European Union’s Data Protection Directive on Data Privacy, which came into effect in October 1998, is the provision that data collected in the EU, and thus legally protected, cannot be passed to any non-European country that does not meet the European “adequacy” standard for privacy protection.
This means that data can only be transferred to and used within the states comprising the European Union, as well as those other countries outside the EU that the EU deems to have equivalent or “adequate” data protection laws. EU data cannot be lawfully passed to any other country.
Unfortunately, the United States is not listed as a country to which data can be legally passed from the EU, as the United States does not have Federal Data Protection Laws, nor does the US intend to enact such laws.
Considering the enormous trade flow between the EU and the US, any restrictions on the flow of data raise serious problems, especially if many in commerce on both sides of the Atlantic are not aware of the existence of these restrictions.
As the European Union is no more likely to abandon their Data Protection legislation than the United States is to adopt it, some means of bridging that gap had to be found.
The Solution:
The answer came in the form of the Safe Harbor agreement between the European Union and the United States, approved by the EU in July 2000. Under its provisions, the transmission of data from the EU to the US was legitimized as long as the US recipient had solemnly and bindingly agreed to handle such data in compliance with seven Safe Harbor principles, thus meeting EU data protection requirements.
Safe Harbor does not oblige US law to be changed to meet EU criteria, as it is the individual US recipient company that voluntarily undertakes to meet the seven principles. For its part, the US Department of Commerce maintains a list of US organizations that file self-certification letters and makes both the self-certification letters and the list itself publicly available. In this way both the interests of international data transfer and data protection are ensured.
The Seven Principles:
The Seven Principles referred to above are:
- Notice: Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any enquiries or complaints, the type of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.
- Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to any third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
- Onward Transfer (Transfer to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent (1), it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the (EU) Directive or other adequacy finding. As an alternative, the organization can enter into a written agreement with such a third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.
- Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question or where the rights of persons other than the individual would be violated.
- Security: Individuals must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Data Integrity: Personal information must be relevant for the purposes for which it is going to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current.
- Enforcement: In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.
It is worth bearing in mind that the requirements of the first six principles listed above are already required for compliance with the Codes of Conduct of E.S.O.M.A.R. and the National Market Research Professional Bodies in both Europe and the United States, so, as a code-compliant professional market researcher, you will already be complying with safe harbor principles.
How To Find Out More:
The best source of further information about Safe Harbor is the US Department of Commerce website at:
http://www.export.gov/safeharbor/
This will give you the home page and more detail about documents, the workbook, the Safe Harbor list of compliant US companies, information about obtaining certification and a helpful range of frequently asked questions (FAQs).
Will Compliance Cost Me a Fortune?
No. The costs of self-certification are minimal. Details are available from the US Department of Commerce.
What Should I Do Now?
If you represent a European Market Research organization you will already be subject to the EU Directive but you should try to make sure that your US Clients are aware of Safe Harbor, not least because it will affect your ability to supply EU data to them.
If you represent a US company wishing to access data collected in the EU, compliance with Safe Harbor is the only way you will legitimately be able to do so. So, check out the Safe Harbor website and obtain the necessary certification.
Additionally, CASRO, the Council of American Survey Research Organizations, is putting together a Privacy Protection Program, which addresses the regulatory requirements of the EU Safe Harbor Program established by the US Department of Commerce. For more details, contact CASRO at:
As main database holders and suppliers of sample to US clients, Sample Answers has the “Access” responsibility to correct, amend or delete inaccurate data when this fact is reported to Sample Answers.