What are the 13 Recommendations Identified by the European Commission as it Relates to the EU Safe Harbor Framework?

The following are the 13 recommendations identified by the European Commission:

Transparency:

1. Self-certified companies should publicly disclose their privacy policies.

2. Privacy policies of self-certified companies' websites should always include a link to the Department of Commerce Safe Harbor website, which lists all the 'current' members of the scheme.

3. Self-certified companies should publish the privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.

4. Clearly flag on the website of the Department of Commerce all companies which are not current members of the scheme.


Redress:

1. The privacy policies on companies' websites should include a link to the alternative dispute resolution (ADR) provider.

2. ADR should be readily available and affordable.

3. The Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of the information they provide concerning the procedure they use and the follow-up they give to complaints.


Enforcement:

1. Following the certification or recertification of companies under Safe Harbor, a certain percentage of these companies should be subject to ex officio investigations of effective compliance with their privacy policies (going beyond control of compliance with formal requirements).

2. Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to a specific follow-up investigation after 1 year.

3. In case of doubts about a company's compliance or pending complaints, the Department of Commerce should inform the competent EU data protection authority.

4. False claims of Safe Harbor adherence should continue to be investigated.


Access by US authorities:

1. Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor. In particular, companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.

2. It is important that the national security exception foreseen by the Safe Harbor Decision is used only to an extent that is strictly necessary or proportionate.


Any company that collects and transfers any EU citizen's personal information to the U.S., whether it is via a website or a mobile app, must comply with the EU Safe Harbor privacy principles. This includes cloud-based services and data processing companies that process personal information from the EU.


Businesses that fit the above description should ensure that their annual self-certifications are current. In addition, privacy policies and practices should adhere to the seven principles as outlined by the European Commission: notice, choice, onward transfer, security, data integrity, access, and enforcement.


These materials were obtained directly from the International Government public websites and are posted here for your review and reference only. No Claim to Original International Government Works. These may not be the most recent versions. The International Governments may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.