Marcus Morissette, Managing Director and Privacy Practice Lead, Concise Consulting Group
I have become increasingly concerned lately with some common misconceptions around the practicality and effectiveness of the Safe Harbor Framework, in particular its Self-Certification approach to compliance. Technically, there are two Safe Harbor frameworks, US/EU and US/Switzerland, but for the purposes of this argument I will focus on the US/EU variation, which is what people typically mean when talking about Safe Harbor.
As a data privacy professional and attorney, I often am faced with advising clients on the scope and benefits of seeking self-certification under the Safe Harbor framework. Lately it has become apparent to me that there is some serious misunderstanding about the benefits of self-certifying under the Safe Harbor framework. I have experienced a widely held belief among both companies (and unfortunately some “privacy” attorneys) that self-certifying and “complying” with the 7 Safe Harbor Requirements is somehow a direct replacement for complying with the EU Data Protection Directive (EU Directive).
Safe Harbor Self-Certification is insufficient for Direct Collection of Personal Data from an EU Data Subject.
US/EU Safe Harbor Self-Certification allows a US company to receive transfers of personal data from an EU data collector if it meets the Seven Safe Harbor Requirements with regard to the collection, processing and storage of personal data. Safe Harbor was created to facilitate the continuation of cross-Atlantic data transfers across the very different data protection regimes of the European Union and the United States.
It is assumed that the personal data collected will be collected by a registered data collector in the EU in a manner compliant with the EU Directive and any applicable national/sub-national implementation of that directive.
Safe Harbor does not allow a self-certified US company to directly collect personal data (i.e. act as a data collector) from an EU data subject. In other words, self-certification with the Safe Harbor framework is not a substitute for compliance with the EU Directive and the national/sub-national implementations of the EU Directive where a US company directly collects data from EU data subjects (e.g. over the Internet).
If a US company will be directly collecting personal data from EU data subjects, it will be responsible for direct compliance with the EU Data Directive, each applicable member state’s national implementation of that directive, and potentially each sub-state’s implementation of the national member state data protection law (if these are more restrictive than the EU Directive).
While this interpretation seems to be clear from reviewing the materials posted at the Safe Harbor website (http://www.export.gov/safeharbor/), it is apparent that considerable confusion exists. This could be detrimental to a company that relies on incorrect advice and proceeds to collect personal data from the EU under the guise of its Safe Harbor program. It could lead to legal sanctions from the U.S. government (FTC action for deceptive trade practices), and/or legal action from the European Union and EU member states.
So, my advice to those professionals responsible for their organization’s privacy and Safe Harbor programs: make sure your privacy ship is truly anchored in a Safe Harbor, and not heading for the rocks.