Hal Licino

Achieving Compliance With The Transatlantic Safe Harbor Framework

Mar 10 2014, 09:00 AM

In maritime tradition, a safe harbor is where a sailor would find refuge in a storm, and in the digital world the definition is not that different. Whenever any netizen engages your brand, they have to be assured that you will hold their personal information safe from the storms of undesired or outright illegal access. While U.S. personal data legislation is applicable whenever any American accesses a U.S. site, a far more rigorous standard is applied by the European Union and Switzerland to their citizens whenever they access any site, including those on this side of the pond. Benchmark Internet Group fully adheres to the U.S. Department of Commerce Safe Harbor framework for EU and Swiss citizens, and as an online marketer you should strongly consider adhering to this transatlantic program.

Different transatlantic standards
The U.S. applies a different standard of online privacy protection to its citizens than do the EU and Switzerland. This creates a problem when citizens access sites on the other side of the Atlantic, as the rules don’t necessarily sync up. In order to provide a common online personal privacy framework, the U.S. has created a streamlined process, known as the Safe Harbor program, whereby American marketers can comply with the data protection laws of the EU and Switzerland.

The 7 Principles
With very few exceptions, any for-profit online brand is eligible to participate in the program and thus implement the seven Safe Harbor Privacy Principles:
  1. Notice. Online brands must notify their customers about the reasons they are collecting their personal information, how it is going to be used, the types of third parties which will have access to it, and a prominent contact where they may file inquiries or complaints.

  2. Choice. The user must be given a choice to opt out of any disclosure of personal information that they do not agree with, and for sensitive information they must take a deliberate action to opt into the selection, especially if the information is destined for a third party or for a purpose which differs from the one divulged in the initial collection.

  3. Transfer. Personal information can only be transferred to third parties if they also subscribe to the Safe Harbor principles, or if your brand has secured in writing an agreement that the third party will adhere to the same level of personal privacy protection as if they were in full compliance with the principles.

  4. Access. Users must have access to all of the personal information your brand holds about them and be able to correct or even delete that information where it is not accurate, as long as that access does not violate the rights of anyone else or the costs are “disproportionate” to the risk to privacy.

  5. Data integrity. The personal data your brand has collected on your customers has to be accurate and current, and must also be strictly relevant for the purposes for which you intend to use it.

  6. Security. The personal information has to be secured from loss, misuse, unauthorized disclosure or alteration.

  7. Enforcement. The law has teeth, and your brand must be ready to provide complaint and dispute resolution through fully independent recourse mechanisms, verifications that the obligations you have made to the program are being implemented, and a commitment to fix any problems which may arise as a result of your non-compliance with the framework.

Self-certification necessary
Your participation in the Safe Harbor program between the U.S. and the EU and Switzerland is fully voluntary, but as an online marketer you should take this under serious consideration. In order to derive the benefits of the framework your company must self-certify in writing each year to the U.S. Department of Commerce that you intend to comply with the requirements. You must also clearly state in your online privacy policy that you are an adherent to the program.

You have the option to join a self-regulatory privacy program which brings your brand into compliance with the Safe Harbor framework, or you can develop your own separate policy which conforms to the regulations. Either way, it’s a program you would be well advised to join.
