The U.S.E.U. Safe Harbor Framework Cross Border Data Flows, Data Protection, and Privacy

1
The U.S.-E.U. Safe Harbor Framework
Cross Border Data Flows, Data Protection, and
Privacy

• Damon Greer
• Safe Harbor Program
• October 15, 2007

2
Different Approaches to Data Privacy ? Why it
matters

• European Unions Data Protection Directive
  creates a barrier for those countries, including
  the U.S., that do not meet the EUs adequacy
  requirements for data protection.
• U.S. Department of Commerce and European
  Commission negotiated the SAFE HARBOR to provide
  U.S. companies with a simple, streamlined means
  of complying with the adequacy requirement.
• Trans-Atlantic Trade in 2006 reached 630 billion

3
Adequacy via the Safe Harbor

• Safe Harbor registration is a voluntary
  representation to European business partners and
  European citizens that U.S. companies will comply
  with the Safe Harbor framework.
• Administered by the DOC, enforced in the United
  States
• by the FTC and DOT
• Currently nearly 1,300 U.S. organizations,
  including multinationals and SMEs.

4
7 Safe Harbor Principles (SHFIPPs)

• NOTICE
• CHOICE
• SECURITY
• ONWARD TRANSFER
• DATA INTEGRITY
• ACCESS
• ENFORCEMENT

5
Where to Find Safe Harbor Information

• http//export.gov/safeharbor/ website includes
• Safe Harbor List
• Safe Harbor Workbook
• Compliance Checklist/Helpful Hints
• Safe Harbor Documents (including principles,
  FAQs, correspondence, etc.)
• Historical documents (including public comments)

6
Compliance Enforcement

• U.S. culture of customer service is highly
  effective in addressing customer
  complaints/concerns, perhaps more than
  comprehensive legislation.
• Independent recourse mechanisms are required to
  notify DoC of a companys failure to comply with
  the Safe Harbor principles, and FTC has authority
  to take action.
• Results
• No referrals and no complaints filed with the EU
  DPAs.
• TRUSTe, BBB, DMA, and others report internal
  complaints resolved!

7
Other Options for Meeting the EU Directives
Requirements

• Joining Safe Harbor is not the only means of
  meeting the EU Directives requirements
• Other alternatives include
• Unambiguous consent
• Necessary to perform contract
• Codes of Conduct
• Model Contract Clauses
• Direct compliance/registration with EU
  Authorities
• http//ec.europa.eu/justice_home/fsj/privacy/index
  _en.htm

8
Since 2000, weve built credibility and
confidence in Safe Harbor in the E.U.

• In November 2000, there were 6 Safe Harbor
  companies
• Today, we are approaching 1,300 organizations
  spanning industries from consumer goods to
  aviation
• Average 35 new members per month
• EU view SH as a Best Practice and Gold Standard
  for data protection.

9
Moving Forward The Challenge Continues

• Expanded dialogue with the European Commission
  Conference on International Transfers of Personal
  Data, Brussels, October 2006
• More needs to be done by EU to harmonize Data
  Directive educate data subjects we raised this
  specific issue in Brussels in bilateral
  negotiations last fall
• Increased Emphasis by Industry on Harmonizing
  Approval Process for Binding Corporate Rules

10
Safe Harbor Program Membership2000 Oct. 2007
11
Safe Harbor Program Top 20 Industries
12
For additional information or questions

• Contact me at
• Damon C. Greer
• U.S. Department of Commerce
• HCHB 2003
• 1401 Constitution Avenue, N.W.
• Washington, D. C. 20230
• Telephone (202) 482-5023 Fax (202) 482-5522
• Email damon.greer_at_mail.doc.gov