|
EU Privacy Directive |
:: Intro :: Safe Harbor :: Reference :: Eligible entities: Only US organization that fall under the jurisdiction of either the Federal Trade Commission or the Department of Transportation are eligible (this currently excludes financial services, telecommunications services, and non-profits, but check the Department of Commerce website to see if this has been revised). Be Careful! Eligibility in the Safe Harbor program is NOT the same as who falls under the EU Privacy Directive. Simply because you do not qualify for the Safe Harbor program does not mean you do not nevertheless fall under the EU Directive. Non-profits, for example, do not qualify under the Safe Harbor program but they do fall under the obligations of the EU Directive. Also, not qualifying for the Safe Harbor does not mean you cannot do business in the EU. It merely means that you will have to find another means of complying. In order to participate in the Safe Harbor, US entities must take the following steps:
The Privacy Policy: In order to be "adequate," privacy policies must reflect the following privacy principles: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement. The Department of Commerce describes these elements as follows: Derived From: Safe Harbor Workbook, Section II: Overview of the Safe Harbor Framework Safe Harbor Principles Notice: An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party. Choice: An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice. [See Department of Commerce Safeguards FAQ 12 for an elaboration of the Choice Principle.] Safe Harbor Sensitive Information Principle: For sensitive information (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive. [Safeguards FAQ 1] Onward Transfer: To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing. Security: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction. Data Integrity: Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. [Safeguards FAQ 8] Enforcement: Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. [Safeguards FAQ 11] Posting of Policy: Participants must publicly declare their participation, which means posting their privacy policy on their website. Certification: Participants must certify annually to the Department of Commerce that they are participating in the program. Certification can be done by having a corporate office send a letter to the Department of Commerce or file out the online form.
Certification should include the following information:
[Safeguards FAQ 6] Certifications will be reviewed only for completeness. [ITAA] The Department of Commerce keeps a publicly available list on its website of participating organizations. Note that entities must also provide notice to the Department of Commerce if their representations are no longer valid or if they withdraw from the program (withdrawing from the program merely terminates participation, it does not alter ones obligations with regard to the data already collected). Enforcement: While there is no U.S. law that requires U.S. companies to participate in the Safe Harbor program, once they participate, they are making a representation and disclosure to the public. Thus, like so many other ecommerce issues, Safe Harbor representations fall under the jurisdiction of the the Federal Trade Commission which has authority over unfair and deceptive representations and practices. The FTC has the authority to seek administrative orders and injunctive relief to rectify non compliance, and civil penalties of up to $12,000 per day. Entities no longer eligible to participate in the Safe Harbor program must promptly inform the Department of Commerce. Failure to do so is actionable under the False Claims Act. [18 U.S.C. § 1001] The Department of Commerce will indicate on its list those entities that are no longer eligible for the benefits of the safe harbor program, indicating any persistent failure to comply. Some exceptions are Journalistic Exception: "Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Safe Harbor Principles." [Safeguards FAQ 2] Internet networks and carriers: "To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal data, it would not be liable." [Safeguards FAQ 3] Non-EU Data: Remember that the Safe Harbor principles apply only to information from the EU. The Safe Harbor program is not relevant to non EU Data. [See also Safeguards FAQ 13 (travel info), 14 (medical info), 15 (public records)] :: Intro :: Safe Harbor :: Reference :: |
