It’s now nearly four years since the European Commission and the US Department of Commerce agreed the ‘Safe Harbor’ gateway to compliant EU/US transfer of personal data. At last, it seems it’s catching on, a bit. We report this and other ways of getting data to the US compliantly.
Topic: Data protection
Who: US Department of Commerce
Where: Washington DC
When: May 2004
The US Department of Commerce announced that the number of US-based businesses who had signed up to "Safe Harbor" had jumped 50% in the last year.
This means that there are now around 450 companies on the Safe Harbor list.
Why "Safe Harbor"?
Safe Harbor came about following the implementation across the EU of the Directive on Data Protection of 1998. This introduced eight fundamental data protection principles. The eighth and last principle was that personal data should not be transferred out of the EEA (the EU plus Iceland, Liechtenstein and Norway) to countries which did not have "adequate" data protection laws unless certain requirements were satisfied.
So far, only the laws of Argentina, Hungary, Switzerland and Canada have been officially recognised by the European Commission as having "adequate data protection" levels.
No exemption for intra-group transfers
It is also worth bearing in mind that there is no special exemption for the transfer of personal data between companies in different countries that are members of the same corporate group. So how can ex-EEA transfers of personal data to, for example, the US be handled compliantly?
Compliant UK-US transfers
One way is by obtaining the individual's consent. In other words, if suitable disclosures are given to the individual as to where his or her data may be transferred and the implications for the protection of that data, and the individual has consented to the transfer nevertheless, then passing that data to the US, for example, will be acceptable under UK law.
Separately, if it can be established that the transfer out of the EEA was "necessary" for the purposes of performing a contract with the consumer, the transfer will be compliant. It should be remembered here, however, that the mere fact that a company in the UK decides, for its own commercial convenience, to work with a company in the US and transfer its customer/prospect data to it is not necessarily enough to support an argument that the transfer was "necessary."
Another way of getting round the difficulty is to have bilateral contracts in place between the transferor company in the UK and the transferee entity in the US or wherever else. Model terms have been approved for such contracts. In essence, they impose on the transferee company similar obligations to those under which UK companies have to work as a result of the Data Protection Act 1998 and ensuing regulations and controls. The difficulty is that because these obligations are quite onerous, many non-EU companies baulk at entering into a contract containing them.
And then there's Safe Harbor
So is there any other way out? The US Department of Commerce felt it had supplied a solution in July 2000 when it agreed with the European Commission to develop the "Safe Harbor" framework. By this mechanism, recognised by the European Commission, a streamlined means for US organisations to comply with the Directive was set up.
In essence, US companies who believe they are compliant with the Safe Harbor requirements can self-certify that they are, and arrange to place themselves on the Department of Commerce's public list of all US companies who have signed up.
Safe Harbor is voluntary
If the relevant self-regulatory or government enforcement body finds that an organisation has persistently failed to comply with the Safe Harbor principles, then the organisation is no longer entitled to the benefits. In this case, the organisation must properly notify the Department of Commerce of such facts either by email or by letter, and failing to do so may be actionable under the False Statements Act.
The Safe Harbor signatory list is, as we say, public and can be found at www.export.gov/safeharbor/
Companies on it include Acxiom Corporation, Adobe Systems Incorporated and Amazon.com, and that's just the As.
Safe Harbor principles
The Safe Harbor principles require that an organisation notify individuals about the purposes for which it collects information about them, how they can contact the organisation with any enquiries or complaints, the types of third parties to which it discloses the information, and the choices and means that the organisation offers for limiting its use and disclosure. Opt-out opportunities must be given to individuals in relation to disclosure of their personal information to a third party or its use for a purpose incompatible with the purpose for which it was originally collected.
Individuals are also entitled to access personal information about them held by organisations on the Safe Harbor list, and the organisation is obliged to amend or delete that information where it is inaccurate. Safe Harbor companies also agree to keep data secure and to ensure that the information held is relevant for the purposes for which it is to be used. There must also be a readily available and affordable independent recourse mechanism so that each individual's complaints and disputes can be investigated and resolved, and damages awarded where the applicable law or private sector initiative so provides.
Why this matters:
Given these extensive obligations, it is perhaps hardly surprising that Safe Harbor got off to a slow start in 2000. However, as its reputation grows and companies in the EU transferring data are more and more advised about the difficulties of sending that data to countries with inadequate data protection laws, one anticipates that Safe Harbor's usage will continue to rise.
But as we have indicated above, there are other "gateways" to compliant international transfer of data and data transferors and transferees would be well advised to look at all options, including "consent" before making a decision.