US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data.
Intended for organizations within the EU or US that store customer data, the Safe Harbor Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program as long as they adhere to the 7 principles outlined in the Directive.
The process was developed by the US Department of Commerce in consultation with EU.
Background
The European Union has for many years had a formalized system of Privacy legislation, which is regarded as more rigorous than that found in many other areas of the world.
Companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive equivalent levels of protection.
Such protection can either be at a country level (if the country's laws are considered to offer equal protection) or at an organizational level (where a multinational organization produces and documents its internal controls on personal data).
The Safe Harbor Privacy Principles allows US companies to register their certification if they meet the European Union requirements.
Principles
These principles must provide:
· Notice - Individuals must be informed that their data is being collected and about how it will be used.
· Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
· Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
· Security - Reasonable efforts must be made to prevent loss of collected information.
· Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
· Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
· Enforcement - There must be effective means of enforcing these rules.
Certification
After opting in, an organization must re-certify every 12 months. It can either perform a self-assessment to verify that it complies with these principles, or hire a third-party to perform the assessment. There are also requirements for ensuring that appropriate employee training and an effective dispute mechanism are in place.
The Federal Trade Commission theoretically oversees this program but, to date, no company's procedures have been challenged as failing to meet these guidelines.
For more information please see the full text here: http://www.icfi.com/safeharbor
These materials were obtained directly from the International Government public websites and public websites and are posted here for your review and reference only. No Claim to Original International Government Works or public websites. These may not be the most recent versions. The International Governments and public websties may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.
Download:
| Attachment | Size |
|---|---|
 icf_safe_harbor_privacy_policy_08132013.pdf | 118.35 KB |