
The Role of Safe Harbor schemes

January 2013

EU: US Safe Harbor scheme

The US Department of Commerce has developed, together with the European Commission, a "Safe Harbor" framework. This is a self-certifying process that is available to companies where the data processing activity or operations are capable of falling under the supervisory jurisdiction of the US Federal Trade Commission (FTC) and the Department of Transportation (DOT).

The framework requires the US data importer to certify to the US Department of Commerce and to the public that it will conform to certain data protection requirements. These requirements are reflected in a set of seven principles (see below).

In order to adhere to the Safe Harbor framework, the US importer must declare in its privacy policy statement that it conforms to the framework.

The FTC/DOT supervisory jurisdiction does not extend to activity regulated by the Securities and Exchange Commission (SEC), so any transfer in relation to processing covered directly by SEC-regulated activity will not benefit from the US Safe Harbor scheme. This can be problematic for the financial services sector. However, there are many elements of the processing activity not directly related to regulated financial services activities where US Safe Harbor may be a viable solution.

The seven US Safe Harbor principles that should be met by the US data importer entity are:

  • Notify individuals about the purposes for which information is collected and used.
  • Give individuals the choice ("opt-out") of whether their information can be disclosed to a third party or is to be used for a purpose that is incompatible with the purpose for which it was originally collected. For sensitive personal information an affirmative or explicit "opt-in" must be obtained if the information is to be disclosed to a third party or used for a purpose that is incompatible with that for which it was originally collected.
  • In the event of a transfer to a third party ("re-export"), that third party must offer the same level of privacy protection.
  • Allow individuals access to their personal information.
  • Take reasonable precautions to protect collected personal data from loss, misuse or disclosure.
  • Take reasonable steps to ensure integrity of personal data collected.
  • Have in place adequate enforcement mechanisms to deal with breaches.

Adherence must be certified annually — this is done in writing to the US Department of Commerce. The US data importer entity is also required to make a public declaration that it complies with the Safe Harbor framework, and it can back up its safeguard promise with internal audits.

The key advantages and disadvantages of using US Safe Harbor are:

Advantages

  • Safe Harbor can, in theory, be quick to adopt as there is "deemed" approval.
  • It avoids most issues on adequacy with regard to complying with individual regulatory authorities in the EU.
  • It is a regime based in the US and supervised by the US authorities - culturally this may be more acceptable for the US data importer entity.
  • Enforcement by the US authorities for non-compliance appears to be rare in practice on the basis of information available to date.

Disadvantages

  • It only covers the registered US data importer entity, so care is required in a "group" scenario.
  • The certification process requires an internal/external audit, and this will require appropriate resources (both in respect of time and costs).
  • Annual renewal of registration is required, which means there is an annual obligation to conduct and review the audit, thereby requiring ongoing resources.
  • There will be a direct exposure to the FTC/DOT.
  • This is only a solution for US data importers that have signed up to the Safe Harbor framework and for the data that falls within the specific self-certification — in practice this means that other solutions will still be needed for other forms of transfer.

Switzerland: US — Safe Harbor framework

February 2009 saw the introduction of a new safe harbor framework to facilitate the international transfer of data between Switzerland and the US (Swiss Safe Harbor). This new arrangement was designed to address the issues raised under the Swiss Federal Data Protection Act, which states that transfers of personal data from Switzerland to other jurisdictions can only be permitted if the destination jurisdiction is deemed, under that Act and by the Information Commissioner, to provide an adequate level of data protection.

Swiss data protection laws already provide for various data transfer solutions, such as those provided for under other European data protection laws (e.g., model clauses). The introduction of the Swiss Safe Harbor provides a Swiss data exporter with another option under which such data transfers to the US could take place under a framework that ensures adequacy.

The Swiss Safe Harbor works in a very similar way to the US Safe Harbor that exists between the US and the European Union, and even works to the same seven US Safe Harbor data protection principles. Where a Swiss data exporter transfers the data to a US data importer that is appropriately registered and set up under the new Swiss Safe Harbor mechanism, the Swiss data protection authorities will recognise the transfer as falling within an adequate framework.

While there are many similarities and indeed identical provisions when comparing the US Safe Harbor and the Swiss Safe Harbor mechanisms, there is a very notable difference. The Swiss Safe Harbor has a much wider reference point with regards to personal data. Under the Swiss Safe Harbor, personal data will include not only personal data that relates to individuals (and natural persons) but also personal data that relates to legal persons (companies and other legal entities).

See our summary of adequacy solutions table.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Vinod Bange

Sally Annereau

Lucy Lyons

Vinod, Sally and Lucy explain the requirements for and evaluate the US Safe Harbor scheme.