Safe Harbor Workbook

This Safe Harbor workbook is designed to aid U.S. businesses assess their privacy policies and practices with respect to complying with the Safe Harbor privacy framework. Because implementation of the Safe Harbor will require you to consider your organization’s specific needs, practices, and objectives, this guide does not constitute legal advice and is not intended to substitute for the services of legal counsel or other qualified professionals. The information in this publication is provided on an "as is" basis, and no warranty of the suitability of the advice offered for your organization is made by this publication.

INTRODUCTION: PRIVACY AND THE SAFE HARBOR FRAMEWORK

Today’s information technologies allow information to be collected, compiled, analyzed, and delivered globally more quickly and inexpensively than ever before. Where it was once difficult, time-consuming, and expensive to obtain compile, and analyze information, it is now often available with a few simple clicks of a computer mouse. Increased access to information facilitates personal and political expression as well as commerce, education, and health care. Consumers benefit from the increased access to information. Organizations benefit through reduced costs and client-focused advertising.

The advent of global communications and information flows also raises new challenges and opportunities for building processes to effectively protect privacy. Multinational organizations may centralize all human resources data in one location from their constituent affiliates around the world for record keeping, benefits, and payroll purposes; credit card organizations may do the same with bankcard information for billing purposes and account management. Citizens of one country may easily visit web sites in other countries, transferring personal information across borders as they visit. Laws, which generally are limited by nations’ borders, may have little effect in a medium without borders.

Many nations share concerns about the impact of the expansion of electronic networks on information privacy. Indeed, converging technologies and mobile communications heighten the risk and the opportunity for accessing content, i.e., music downloads, text messaging, bill paying, and a host of other services now available on one’s mobile phone. Recognizing the importance information and communications technologies play in the global economy and the need to transfer data across national boundaries, The United States and the European Union (EU)1 address these concerns, but in markedly different ways. The European Commission proposes legislation, implements policy and enforces the Treaties. It has investigative powers and can take legal action against Member States or companies that violate Treaties or rules. The Commission manages the EC budget and represents the Union in trade negotiations. The terms of the EU Directive on Data Protection requires the Commission to determine the "adequacy" of data protection in third countries and to prohibit personal data flows to countries with privacy regimes that are not deemed "adequate." Organizations wishing to receive personally identifiable information from the European Union would have to provide "adequate" privacy protection.

The implications for countries such as the United States, which receive a significant number of data transfers EU Member States and, in 2002, had approximately $379 billion in trade with the EU, are serious. Data transfers are the lifeblood of many organizations and the underpinnings for all of electronic commerce. Multinational organizations routinely share among their different offices a vast array of personal information. This information can be as simple as personnel telephone directories to more sensitive information such as personnel records, insurance information needed to process medical claims, credit card billing information, or patient information essential for conducting pharmaceutical research on new drugs.

Accordingly, the United States initiated a high-level informal dialogue, led by the U.S. Department of Commerce’s International Trade Administration and the European Commission Directorate for Internal Market, with the goals of ensuring the free flow of data and effective protection of personal data. These discussions led to the development of a "Safe Harbor" framework based on principles that reflect the U.S. approach to privacy and, at the same time, meet the European Directive’s "adequacy" requirements. These principles were deemed "adequate" by the European Commission in July 2000. The Safe Harbor became effective on November 1, 2000.

This workbook provides further guidance on how U.S. organizations can comply with the Safe Harbor privacy principles. This is for information only and creates no legally binding effects.

SECTION I: PRIVACY IN THE UNITED STATES AND THE EUROPEAN UNION

Introduction

Objectives

At the end of this section, you should be able to

Many fear that privacy concerns can stunt the growth of electronic commerce. Without confidence that data provided on-line will be protected and used responsibly, users will not take full advantage of the benefits that electronic commerce offers. No amount of marketing, attractive pricing or convenience will spur on-line users to conduct business on-line if they believe that doing so will unduly compromise the privacy of their personal information.

The United States, the E.U. and its member states are committed to making privacy protections available to their citizens without unnecessarily impeding the free flow of information. The United States has largely adopted a self-regulatory approach to the development of privacy protections in the private sector, addressing specific privacy concerns in the law as needed. The concern is that privacy issues differ across industry sectors, and that "a one size fits all" legislative approach would lack the necessary precision to avoid interfering with the benefits that result from the free flow of information. Nonetheless, the United States does address specific privacy concerns in the law as needed, particularly where sensitive information is involved or there have been cases of abuses. In Europe, however, privacy laws tend to be comprehensive, applying to every industry and closely regulating what data is collected and how it is used.

U.S. Approach to Privacy

In the United States, the importance of protecting the privacy of individuals’ personal information is a priority for the federal government and consumers. Consumers repeatedly cite fears that their personal information will be misused as a reason for not doing business online. In this way, moves to bolster on-line privacy protect consumer interests and fuel the broader growth of on-line communications, innovation, and business. Self-regulatory initiatives are an effective approach to putting meaningful privacy protections in place. In certain highly sensitive areas, however, legislative solutions are appropriate. These sensitive areas include financial and medical records, genetic information, Social Security numbers, and information involving children.

A self-regulatory initiative could involve a number of companies in the same line of business deciding that they will follow certain rules in handling information about their customers. These companies might also decide to display a seal that shows that they follow the rules. If one of the members of this "self-regulatory regime" breaks the rules, the company's membership and permission to display the seal will be revoked. Companies across industries -- and especially inInternet-related fields -- are increasingly hiring privacy experts and making the protection of consumer information a priority. The continuing introduction of new technologies designed to protect the privacy of personal information will have a profound effect on empowering consumers to control how their personal information is used. The federal government continues in its mission to be a model citizen of cyberspace in its information practices. The goal is for the government to serve as an example for private companies, as well as state and local governments.

The United States has supported legislative solutions in certain sensitive areas. In 1999, Congress passed and President signed into law the Financial Modernization Act which included significant new privacy protections for financial information. In addition, the Administration has issued rules guaranteeing the privacy of medical information under the Health Insurance Portability and Accountability Act of 1996. In 1998, the Administration worked with Congress to pass the Children’s Online Privacy Protection Act (COPPA). COPPA requires commercial web sites that target children under the age of 13 to obtain verifiable parental consent before they gather information from children under age thirteen.

The European Approach

While the United States and EU generally agree on the underlying fair information principles, they employ different means to achieve this goal. The EU’s approach to privacy grows out of Europe’s history and legal traditions. In Europe, protection of information privacy is viewed as a fundamental, human right. Europe also has a tradition of prospective, comprehensive lawmaking that seeks to guard against future harms, particularly where social issues are concerned.

The EU began examining the impact of technology on society over a fifteen years ago; the inquiry culminated in the adoption of a directive in July 1995 specifically addressing privacy issues. The European Community’s Directive on Data Protection took effect in October 1998. Member States were required to bring into force laws, regulations, and administrative provisions to comply with the Directive by its effective date.

The European Union Directive on Data Protection

A quick review of the Directive’s basic terms makes clear that, consistent with European tradition, the Directive takes a regulatory and comprehensive approach to privacy issues. It has two basic objectives: first, to protect individuals with respect to the "processing" of personal information; and second, to ensure the free movement of personal information within the EU through the coordination of national laws (Article 1).

Personal information is defined as information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Article 2).

The scope of the Directive is very broad. It applies to all processing of data, on-line and off-line, manual as well as automatic, and all organizations holding personal data. It excludes from its reach only data used "in the course of purely personal or household activity" (Article 3). The Directive establishes strict guidelines for the processing of personal information. "Processing" includes any operations involving personal information, except perhaps its mere transmission (Article 2). For example, copying information or putting it in a file is viewed as "processing." The substantive aspects of the Directive’s privacy protections are based on the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data adopted by the Organization for Economic Cooperation and Development (OECD) in 1981.

Data Quality. The Directive requires that all personal information must be processed fairly and lawfully, so that, for example, a person whose personal information is at issue knows that it is being collected and used and must be informed of the proposed uses. Furthermore, the use of personal information must be limited to the purpose first identified and to other compatible uses, and no more information may be collected than is required to satisfy the purpose for which it is collected. In other words, the theory is that if a person provides information to obtain telephone service, that information should not be used to target that person for information about vacation trips, nor should information relevant to a customer’s interests in vacation trips be required to get, for instance, telephone service. Information must also be kept accurate and up to date (Article 6).

Legitimate Data Processing. The Directive sets forth rules for "legitimate" data processing. Most basically, this requires obtaining the consent of the data subject before information is processed unless specific exemptions apply (Article 7). In addition, certain information must be provided to data subjects when their personal information is processed (Article 10), such as whether they have rights to see the data, to correct any information that is inaccurate, or to know who will receive the data (Article 12).

Sensitive Data. "Sensitive" data, such as that pertaining to racial or ethnic origins, political or religious beliefs, or health or sex life, may not be processed at all unless such processing comes within limited exceptions, for example if the individual gives explicit consent (Article 8).

Security. The Directive requires that "appropriate technical and organizational measures to protect data" against destruction, loss, alteration, or unauthorized disclosure or access be taken(Article 17).

Data Controllers. The Directive requires those processing data to fulfill very specific requirements. Specifically, they must appoint a "data controller" responsible for all data processing, who must register with government authorities (Article 19) and notify them before processing any data (Article 18). Notification must at a minimum include: the purpose of the processing; a description of the data subjects; the recipients or categories of recipients to whom the data might be disclosed; proposed transfers to third countries; and a general description that would allow a preliminary assessment of whether requirements for security of processing have been met (Article 19).

Government Data Protection Authorities. The Directive also mandates a government authority to oversee data processing activities. Each Member State must establish an independent public authority to supervise the protection of personal data. These "Data Protection Commissions" must have the power to: (1) investigate data processing activities and monitor application of the Directive; and (2) intervene in the processing and to order the blocking, erasure, or destruction of data as well as to ban its processing. They must also be authorized to hear and resolve complaints from data subjects and must issue regular public reports on their activities (Article 28).

Transfers of Data Outside the EU. Most importantly from the U.S. perspective, the Directive requires that Member States enact laws prohibiting the transfer of personal data to countries outside the European Union that fail to ensure an "adequate level of [privacy] protection" (Article 25). Where the level of protection is deemed inadequate, Member States are required to take measures to prevent any transfer of data to the third country. Member States and their Data Protection Commissions must inform each other when they believe that a third country does not ensure an adequate level of protection.

SECTION II: OVERVIEW OF THE SAFE HARBOR FRAMEWORK

Objectives

At the end of this session, you should be able to:

Introduction

The Safe Harbor framework was developed by the U.S. Department of Commerce, in consultation with the European Commission, industry and non-governmental organizations to provide U.S. organizations with a streamlined means of satisfying the "adequacy" requirement under the European Directive on Data Protection. U.S. organizations wishing to legally receive personal information from European organizations legally either must join the safe harbor, satisfy one of the Directive’s other exceptions, or seek an "adequacy" determination. For example, personal data that is necessary to complete a contract between an individual and the company may be transferred without an "adequacy" determination, and data importing companies may receive such data if they enter into contracts with data exporting companies that bind the data importer to provide "adequate" privacy protection (See Article 26).

Description of the Safe Harbor Framework

The Safe Harbor framework is set forth in a set of seven privacy principles, 15 frequently asked questions and answers (FAQs), the European Commission’s adequacy decision, the exchange of letters between the Department and the European Commission, and letters from the Department of Transportation and Federal Trade Commission on their enforcement powers. Understanding the Safe Harbor requires familiarity with all of these documents. The Safe Harbor can apply to all personal information transferred from the European Union - whether collected on or off-line and whether it is within the scope of the Directive. Decisions by U.S. organizations to enter the Safe Harbor are entirely voluntary.

A "flexible implementation period", a political agreement by the EU to use discretion regarding enforcement to avoid disrupting data flows to U.S. organizations during the implementation period, remains in effect. A joint Department of Commerce and European Commission review of the implementation of the Safe Harbor was completed in January 2002. During this review, the Commission and Department officials discussed a range of implementation issues. In particular, they: 1) verified that all of the elements required by the framework are in place; 2) discussed the "visible compliance" of current safe harborites to the Safe Harbor privacy principles and Frequently Asked Questions; 3) discussed the progress of the Department's outreach and education plan; and 4) reviewed the alternative dispute resolution mechanisms named by current harborites.

Both sides were pleased to see that membership has grown significantly in recent months, but efforts need to continue to explain the advantages of joining the Safe Harbor. In addition, the importance of future cooperation between the U.S. and the EU in order to ensure continued data-flows was emphasized. Furthermore, the Commission reaffirmed its commitment to inform the Department if it becomes aware of any actions that may interrupt data flows to the U.S. and stated that it sees no reason to expect any change in policy regarding the "flexible implementation period".

Benefits of Implementing the Safe Harbor Framework

The Safe Harbor provides predictability and continuity for those EU organizations that send personal information to the United States and U.S. organizations that receive personal information from the EU. All 15 Member States are bound by the European Commission’s finding of adequacy. The Safe Harbor either eliminates the need for prior approval to begin data transfers or provides for automatic approvals. It provides for a flexible privacy regime more congenial to the U.S. approach to privacy and, for the most part, enforcement will be conducted in the United States (as opposed to Europe). The Safe Harbor privacy principles offer a simpler and more efficient means of complying with the adequacy requirements of the Directive, which should particularly benefit small and medium enterprises.

In addition to the specific benefits that flow from joining the Safe Harbor, developing a privacy policy can be a good business decision for U.S. organizations. By developing a well-thought out, carefully implemented privacy policy, and a policy that is compliant with the Safe Harbor, if your organization receives personally identifiable information from the EU, such a policy will, increase its customers’ confidence. A privacy policy should be seen as a critical piece of any overall business strategy, particularly an international business strategy, as well as a critical piece of its electronic commerce strategy.

For example, by providing customers with choice about how your organization uses their personal information, you can reduce the possibility that you will lose sales because your customers are concerned about use of their data.

What Organizations May Join the Safe Harbor

Any U.S. organization that is subject to the jurisdiction of the Federal Trade Commission (FTC) or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DoT) may participate in the Safe Harbor. The Federal Trade Commission and the Department of Transportation have both stated in letters to the European Commission that they will take enforcement action against organizations that state that they are in compliance with the Safe Harbor framework but then fail to live up to their statements. Please note that certain sectors are not subject to the jurisdiction of either the FTC or the DoT, and thus may not be eligible for Safe Harbor. Organizations that are telecommunications common carriers, meat packers, banks, insurance companies, credit unions or not-for-profits may not be eligible for Safe Harbor. If you are considering joining Safe Harbor, but are not certain whether your organization falls within the jurisdiction of either the FTC or the DoT, it is recommended that you contact those agencies for further guidance.

What Organizations Should Join the Safe Harbor

Organizations that receive personally identifiable information from EU Member States are required to demonstrate that they provide "adequate" privacy protections. Organizations that receive personally identifiable information and have not identified either another basis for demonstrating "adequacy" or a relevant exception in the Directive should consider joining the Safe Harbor as one means of meeting the Directive’s "adequacy" requirements. Though not necessary to comply with U.S. law, companies that wish to demonstrate to their customers that they provide a high level of privacy protection may also consider joining the Safe Harbor, recognizing the the Safe Harbor is only applicable to transfers of personally identifable data from the European Union to the United States.

How Do Organizations Join the Safe Harbor

Organizations that decide to participate in the Safe Harbor must comply with the Safe Harbor’s requirements and publicly declare that they do so. To be assured of Safe Harbor benefits, an organization needs to reaffirm its self-certification annually to the Department of Commerce, incidcating that it continues to adhere to the Safe Harbor’s requirements, and of course, it must continue to abide by the Safe Harbor requirements. As set forth in FAQ 6, it also required that the organization state in its published privacy policy statement that it adheres to the Safe Harbor privacy principles.

The Department of Commerce maintains a list of all organizations that register through the website or through a letter. An EU organization can ensure that it is sending information to a U.S. organization participating in the Safe Harbor by viewing the public list of Safe Harbor organizations posted on the Department of Commerce’s website (http://export.gov/safeharbor). This list became operational in November 2000. The list is updated regularly, so that it is clear who is in the Safe Harbor.

How and Where will the Safe Harbor be Enforced

In general, enforcement of the Safe Harbor takes place in the United States in accordance with U.S. law and relies, to a great degree, on enforcement by the private sector. The Safe Harbor private sector enforcement has three components: verification, dispute resolution, and remedies. Organizations are required to have procedures for verifying compliance; to have in place a dispute resolution system that will investigate and resolve individual complaints and disputes; either independent or self-assessment; and to remedy problems arising out of a failure to comply with the principles. Provision is also made for U.S. organizations to cooperate with European Data Protection Authorities to satisfy the dispute resolution and remedy requirements or where human resources data is involved. (See introductory paragraph of the principles for further guidance).

Private sector self regulation and enforcement will be backed up as needed by government enforcement of the federal and state unfair and deceptive trade practices statutes. The effect of these statutes is to give an organization’s Safe Harbor commitments the force of law vis-a-vis that organization.

Depending on the industry sector, the Federal Trade Commission or the Department of Transportation provide overarching government enforcement of the Safe Harbor principles. Where an organization relies in whole or in part on self regulation in complying with the safe harbor principles, its failure to comply with such self regulation must be actionable under federal or state law prohibiting unfair and deceptive acts or it is not eligible to join the safe harbor. (Note: It is possible that an annex to the Safe Harbor principles will contain a list of additional U.S. governmental enforcement agencies recognized by the European Commission. It is possible that this list will expand as more agencies declare their willingness to enforce the Safe Harbor).

Failure to Comply with the Safe Harbor Requirements

If a U.S. Safe Harbor organization persistently fails to comply with the Safe Harbor requirements, it is no longer entitled to benefit from the Safe Harbor. Persistent failure to comply arises where an organization refuses to comply with a final determination by any self regulatory or government body or where such a body determines that an organization frequently fails to comply with the requirements to the point where its claim to comply is no longer credible. In these cases, the U.S. Safe Harbor organization must promptly notify the Department of Commerce [by letter or by email] of such facts. The Safe Harbor list will indicate that there has been a persistent failure to comply and the communication from the enforcement body will be made public 30 days after the Department of Commerce receives the notification.

The list maintained by the Department of Commerce will indicate any notifications the Department receives of persistent failure to comply and will make clear which organizations are assured and which organizations are no longer assured of Safe Harbor benefits.

Determining what your privacy policy should contain

In order for a privacy policy to be compliant with the Safe Harbor, the policy must address the seven privacy principles and any relevant points that are covered in the frequently asked questions (FAQs) and reflect the organization's actual and anticipated information handling practices. For instance, FAQ 6 requires that you state that you are in compliance with the Safe Harbor privacy principles. Please note that important exceptions are contained in the introductory paragraphs of the principles (as well as in other Safe Harbor documents) and your organization needs to takes these into account as well. It is important to write a policy that is clear, concise, and easy to understand.

Safe Harbor Principles

Notice: An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.

Notice is a key element of any privacy policy. In order for consumers to make informed decisions about what information they provide, they must understand what data is being collected, for what purposes the data is being collected, how that data is used, how to contact the organization with inquiries or complaints, the types of third parties to which the information may be disclose, the choices and means the organization offers individuals for limiting its use and disclosure, and how it is secured. By providing notice to customers about your data collection practices, you enable consumers to make informed decisions about their on-line activities. Note that for a third party which is acting as an agent, notice and choice do not need to be provided.

Choice: An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.

Choice ensures that consumers have choices regarding the collection of their personal data. For example, individuals who do not wish that their data be used as described in the privacy policy can choose not to have their data shared, have complimentary goods and services marketed to them, have their data sold to third parties or used in other ways. By providing customers the option of choice, you can also reduce the possibilities that you will lose sales because your customers are concerned about the use of their data. An organization must offer individuals the opportunity to opt out of two situations: if an organization discloses personal information to third parties, even for the same purpose for which it was originally collected or subsequently authorized; or where the information may be used by the collecting organization for a purpose which is "incompatible" with the purpose for which it was originally collected or subsequently authorized by the individual.

Safe Harbor Sensitive Information Principle: For sensitive information (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.

For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

Onward Transfer: To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.

This principle is intended to assure that there is as little "leak-out" of data from Safe Harbor protections as possible. In certain circumstances, if you know someone is doing wrong, such as misusing property for which you are responsible, or misbehaving in a situation for which you have responsibility and you don’t stop them, you bear some responsibility for the consequences. This principle provides some on-going responsibility for data transferred pursuant to the Safe Harbor. In Europe, this responsibility would be provided by data protection laws. Since omnibus data protection laws do not exist in the United States, we have adopted this principle.

This concept is neither new nor novel in the U.S. legal system. An employer’s responsibility to provide a workplace free from hazardous situations, including careless or reckless employees, is one example. An employer’s responsibility to provide a workplace free from a hostile atmosphere of sexual harassment is another example. Senior officers of organizations can be held personally responsible for the acts of lower-level employees for certain violations of the laws. What is novel is the application of this concept to the personal information relating to individuals.

A Safe Harbor participant will not be deemed to violate the principles if a transferee misuses data, provided the Safe Harbor transferor has satisfied the requirements of the principle.

Security: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

The principle of security applies to how your organization stores, processes, maintains and protects customer information. Organizations should take steps to secure personally identifiable information. It does little good to have a strict privacy policy if personal data is available to any employee or if your computer systems and paper files are not secured.

Organizations must take more care to protect sensitive information, as it is defined in the principles.

Data Integrity: Consistent with the Principles, personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

The data integrity principle minimizes the risk that personal information would be misused or abused because the organization is collecting only relevant information, there is less opportunity to misuse and abuse personal information. You also avoid the risk that decisions will be based upon erroneously or inappropriate information.

Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. See FAQ 8

Customers are not only concerned about what data is being collected about them, they are also concerned that this information is correct and timely. Providing access to the data that you have collected about an individual allows that person to check the stored information and ensure that it is up-to-date and correct, and that the organization is doing what it says it is doing about collecting and retaining data.

Allowing customers to access and correct information collected about them can greatly increase customer’s confidence by assuring users that they will only receive further information about other goods and services that are of interest to them (if your organization re-markets goods and services either internally or through sale of information to third parties) or that their goods will be delivered promptly and properly. At the same time, your organization benefits from having accurate customer information.

The question of how and to what extent a customer should have access to their data requires a nuanced response. The obligation of an organization to provide access to the personal information it holds about an individual is subject to the principle of proportionality or reasonableness and has to be tempered in certain instances. Expense and burden are important factors and should be taken into account but they are not controlling in determining whether providing access is reasonable. The sensitivity of the data is also important in considering whether access should be provided. See FAQ 8 for additional information about when access must be provided.

Enforcement: Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. (See FAQ 11 for additional information about enforcement required under the Safe Harbor.)

The Safe Harbor private sector enforcement has three components: verification, dispute resolution, and remedy. Organizations are required to have procedures for verifying compliance, either independent or self-assessment, to have in place a dispute resolution system that will investigate and resolve individual complaints and disputes, and to remedy problems arising out of a failure to comply with the principles.

Verification

To meet the second requirement of the enforcement principle, verification, an organization may use a self-assessment or an outside/third-party assessment program

Self -Assessment. Under the self-assessment approach, verification would indicate that an organization's published safe harbor privacy policy is accurate, comprehensive, prominently displayed, completely implemented, accessible and conforms to the Safe Harbor principles. It would also need to indicate that appropriate employee training is in place and that internal procedures for periodically conducting objective reviews of compliance are in place. A statement verifying the self- assessment should be signed by a corporate officer or other authorized representative of the organization at least once a year.

Outside Assessment. Where the organization has chosen outside compliance review, the review needs to demonstrate that its privacy policy regarding personal information received from the EU conforms to the Safe Harbor privacy principles, that it is being complied with and that customers are informed of the mechanisms through which they may pursue complaints. The methods of review may include without limitation auditing, random reviews, use of "decoys," or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed should be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year.

The method of verification should be included in the privacy statement. For additional guidance on verification see FAQ 7.

Dispute Resolution Mechanism

By providing a means of redress, organizations assure consumers that they are committed to resolving any privacy concerns that they may have. Organizations should clearly state how consumers who feel that their privacy may have been violated based on the Safe Harbor privacy principles should contact the organization and what steps the organization will take to resolve such issues.

Selecting a dispute resolution mechanism

A third-party dispute resolution mechanism assures your customers that your organization is complying with its stated policies. While programs vary, organizations such as BBBOnLine,the Direct Marketing Association, the Privacy Council and the Entertainment Software Rating Board have indicated that they have developed privacy programs that allow companies to comply with the Safe Harbor privacy principle on enforcement. Other programs such as an outside arbitration and mediation service (e.g. JAMS or the American Arbitration Association) may also be used, so long as every complaint is heard in compliance with the enforcement principle and FAQ 11. (Note: Organizations self-certifying to the Safe Harbor are responsible for ensuring that they have chosen a dispute resolution provider that will satisfy the requirements of the framework. The Department of Commerce does not certify programs in order to serve as dispute resolution mechanisms under Safe Harbor. Therefore, the Department of Commerce cannot guarantee that a particular program will meet all Safe Harbor requirements, including those under FAQ 11).

Alternatively, organizations may choose to cooperate with the European Data Protection Authorities. In this instance an organization must comply with procedures outlined in FAQ 5. In the instance of human resources data, the organization must agree to cooperate with the data protection authority for handling complaints. Moreover, this option is necessary in situations where a transfer is to a business that is not regulated. Additional guidance in provided in FAQ 9 for the handling of human resources data.

Please note that organizations who choose to utilize the European Data Protection Authorities for dispute resolution will be required to pay an annual fee of US $50 in order to cover the operating costs of the Data Protection Authorities' panel. This fee is payable to the United States Council for International Business (c/o Mr. Paul Cronin, U.S. Council for International Business (USCIB); 1212 Avenue of the Americas; New York, NY 10036), which has agreed to act as trusted third party for this purpose.

Please see FAQ 5 for more details regarding the role of the Data Protection Authorities. Should you need further information on how to carry out the payment, please contact Mr. Paul Cronin, USCIB, at 212-354-4480, or pcronin@uscib.org. If, on the other hand, you require more information on how the cooperation/compliance with the EU DPAs works, you can contact the Secretariat of the Data Protection Panel at the following web address: http://ec.europa.eu/justice_home/fsj/privacy/.

Characteristics of effective dispute resolution mechanisms

Whatever type of service is selected, it must meet certain basic criteria. The Safe Harbor privacy principles identify the following as necessary elements for any effective dispute mechanisms: readily available and affordable independent recourse mechanisms by which individual’s complaints and disputes are investigated and resolved by reference to the principles; damages awarded where the applicable law or private sector initiatives so provide; obligations to remedy problems arising out of failure to comply with the principles; sanctions that are sufficiently rigorous to ensure compliance by organizations; and notification of persistent failures of Safe Harbor organizations to comply with their rulings to governmental body with applicable jurisdiction or to the courts, as appropriate, and the Department of Commerce.

Evaluating a dispute resolution mechanism

When evaluating a third-party service, keep your own business processes in mind. Make sure that the services offered provide your customers the assurance that they seek and your organization the support it needs without impeding your regular operations. As with any service, take care to clarify the services that will be provided to you, spell out the terms of use of any icons or graphics that identify your organization as a subscriber, and understand what your obligations are before entering into any binding arrangement.

Once an organization has selected an appropriate dispute resolution mechanism, this information should be made readily available to the consumer through the privacy policy. For additional requirements pertaining to dispute resolution, see FAQ 11.

Remedies and Sanctions

The dispute resolution body that is chosen must provide sufficiently rigorous sanctions to ensure compliance by organizations. The remedies should be such that noncompliance is reversed or corrected and future processing is in conformity with the safe harbor principles. Sanctions should include both publicity for non-compliance and deletion in certain instances. In instances of persistent failure to comply the dispute resolution body must have the ability to notify such failures to a governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department of Commerce.

Review of FAQs

In addition to the principles there are 15 FAQs. It is important to review these 15 FAQs to see if any of the sector specific FAQs apply to your organization. For example, FAQ 2 provides an explanation of the exceptions for journalists, FAQ 14 provides additional guidance for handling information dealing with pharmaceuticals and medicals products, and FAQ 15 provides additional guidance on how publicly available information should be handled. Familiarize yourself with the contents of these FAQs generally and make sure your policies conform with these as well.

Safe Harbor List Procedures

Last updated on June 8, 2007.