The Data Protection law formulated by the European Commission in 1998 prohibits the transfer of personal data of European citizens to other countries that do not meet privacy protection standards. To comply with this directive, the U.S. Department of Commerce and the EU developed the Safe Harbor Program. It was designed to help to protect the privacy and integrity of the personal information collected and processed by U.S. companies. It allowed companies to self-certify that they would protect EU citizens’ data when transferred to servers and data centers located in U.S.

U.S companies should adhere to 7 principles for Safe Harbor certification:

    • Must inform customers the purpose of collecting information about them and the choices and means the organization offers individuals for limiting its use and disclosure. They should also inform the type of third parties they share their information with and how to contact the organization with any inquiries or complaints.
    • Provide clear and affordable mechanism for the users to choose how the information they provide will be disclosed to third parties.
    • Before sharing any personal information with a third party, an organization must see to it that they follow the above two principles. They must also ensure that the third party subscribes to the Safe Harbor Principles.
    • Organizations involved in collecting, processing and the maintenance of users personal data should protect it from misuse, loss, alteration and unauthorized access.
    • An organization should use the information only for the purpose for which it has been collected and should be responsible for keeping it updated and current.
    • Individuals should also have access to the information they provide to the company to an extent. The access may depend on the nature and sensitivity of the information collected.
    • Companies must also include the mechanism for assuring compliance with Safe Harbor Principles and a course of action for the organizations not following it.

How does it help with doing business?

Curious why so many companies joined Safe Harbor? Or why they chose Safe Harbor over other cross-border data transfer restrictions? Brian Hengesbaugh, a partner in the Chicago office of Baker & McKenzie, said, “It is better suited for online data transfer as it doesn’t require to obtain the consent from the website visitors or enter into bilateral agreements again and again.“ It also helps to avoid the administrative burden of maintaining model contracts and executing new contracts to cover new affiliates for business. Some of the key factors that drove U.S companies to join Safe Harbor were increased demand of cross-border data transfer and reliable solution for implementing data scrutiny. Among other benefits, it also enhanced brand reputation and EU customer satisfaction.