24 June 2019
In October of 1998, the European Commission's Directive on Data Protection went into effect, prohibiting any transfer of personal data about European citizens to non-European Union countries that fail to meet the European Union's standard for adequate privacy protection.
The approach to privacy that the United States takes is different from that of the EU, so something had to be done to bridge the differences and allow transfers of personal data to the United States.
The U.S. Department of Commerce worked separately with both the European Commission and the Federal Data Protection and Information Commissioner of Switzerland to develop two separate "Safe Harbor" frameworks: the U.S.-EU Safe Harbor program and the U.S.-Swiss Safe Harbor program.
Note that while these are two separate Safe Harbor frameworks, they essentially have the same requirements and purposes.
Participation in the Safe Harbor is limited to businesses and organizations that fall under the jurisdiction of the Federal Trade Commission (FTC), or U.S. ticket agents and air carriers that fall under the jurisdiction of the Department of Transportation (DoT).
What industries fall under FTC jurisdiction?
FTC jurisdiction tends to cover areas where consumers spend large amounts of money. Some industries that fall under the jurisdiction of the FTC, and thus can participate in the Safe Harbor, include food, energy, healthcare, computer technology companies, and others.
If you aren't certain whether your industry falls under FTC jurisdiction, find out by contacting the FTC or by researching the question through reputable sources.
Why should your business join the Safe Harbor?
If you wish to collect personal information from any European citizen via a website, mobile app or another business outlet, and do not want to be in violation of European laws, you will want to become Safe Harbor compliant.
Without joining the Safe Harbor, you would have to obtain consent from each individual country in the EU before collecting any personal data from any of their citizens.
Safe Harbor is a convenient way to stay compliant.
There are a number of benefits to joining the U.S.-EU and U.S.-Swiss Safe Harbors. Some key benefits include:
How to join
Joining is completely voluntary. Organizations and businesses that wish to join must:
A business or organization must disclose information to individuals about how data and information collected from these individuals are used, as well as about what types of third parties have access to this data.
Any information about ways that users can limit the use and disclosure of information collected from them must be provided. Individuals must also be provided with information about how to contact the business or organization with any questions or complaints.
Choices for opting-in and opting-out of the disclosing of personal information to third parties for purposes not compatible with the original purpose of collecting the information must be provided.
When sensitive personal information is involved, such as a home address, users must be presented with a choice to opt in to having this data shared with third parties for other purposes, and the user must affirmatively opt in before any data can be shared.
Requiring a user to check a box stating that they agree to allow their personal data to be shared with third parties, including for purposes other than the original one, is a great way to meet this requirement.
When transferring information to a third party that is acting as an agent of the business or organization, the third party must meet one of two requirements.
Either the third party must also subscribe to and apply the Safe Harbor Privacy Principles (or be found adequate by the EU Commission), or the business or organization must enter into a written agreement with the third party that requires it to provide at least the level of privacy protection for the data that the Safe Harbor framework requires.
When a business or organization keeps personal information about individuals, these individuals must be given a way to access this information and to edit or delete it when it is inaccurate or outdated.
An exception applies when providing this access would impose a high burden or expense and the risk of the individual's privacy being violated is low.
Reasonable precautions must be taken and put in place to protect the personal information of individuals from unauthorized access, misuse, loss, disclosure, destruction, and alteration. The more sensitive the data is, the stronger the precautions taken must be.
Collect only information that is relevant to the purposes for which you will use the data, and take steps to make sure that any data you use is reliable, accurate, complete and current.
You can't just do the above steps. You have to be able to prove that you're doing them.
To finalize compliance with the Safe Harbor Privacy Principles you must do the following:
In the example below, note how Zoho makes it clear that they comply with the Safe Harbor requirements and that they have certified this:
Basecamp also provides information about their Safe Harbor certification, as seen below:
Note the thorough way that Asana details compliance with Safe Harbor and provides an email address for communication about questions and privacy concern inquiries.
Asana also addresses the first enforcement requirement by stating that they have "committed to refer unresolved privacy complaints under the US-EU and US-Swiss Safe Harbor Principles to an independent dispute resolution mechanism, the BBB EU SAFE HARBOR, operated by the Council of Better Business Bureaus."
There are a number of requirements that must be met before Safe Harbor certification can be obtained, but almost all of them are best practices and generally good ideas for website and mobile app developers to follow anyway.
The benefits of being Safe Harbor certified far outweigh the efforts that must be put into obtaining the certification.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.