Title: The U.S.-E.U. Safe Harbor Framework: Cross Border Data Flows, Data Protection, and Privacy
1 The U.S.-E.U. Safe Harbor Framework
Cross Border Data Flows, Data Protection, and Privacy
- Damon Greer
- Safe Harbor Program
- October 15, 2007
2 Different Approaches to Data Privacy: Why it matters
- European Union's Data Protection Directive creates a barrier for those countries, including the U.S., that do not meet the EU's adequacy requirements for data protection.
- U.S. Department of Commerce and European Commission negotiated the SAFE HARBOR to provide U.S. companies with a simple, streamlined means of complying with the adequacy requirement.
- Trans-Atlantic Trade in 2006 reached 630 billion
3 Adequacy via the Safe Harbor
- Safe Harbor registration is a voluntary representation to European business partners and European citizens that U.S. companies will comply with the Safe Harbor framework.
- Administered by the DOC, enforced in the United States by the FTC and DOT
- Currently nearly 1,300 U.S. organizations, including multinationals and SMEs.
4 7 Safe Harbor Principles (SHFIPPs)
- NOTICE
- CHOICE
- SECURITY
- ONWARD TRANSFER
- DATA INTEGRITY
- ACCESS
- ENFORCEMENT
5 Where to Find Safe Harbor Information
- http://export.gov/safeharbor/ website includes
- Safe Harbor List
- Safe Harbor Workbook
- Compliance Checklist/Helpful Hints
- Safe Harbor Documents (including principles, FAQs, correspondence, etc.)
- Historical documents (including public comments)
6 Compliance Enforcement
- U.S. culture of customer service is highly effective in addressing customer complaints/concerns, perhaps more than comprehensive legislation.
- Independent recourse mechanisms are required to notify DoC of a company's failure to comply with the Safe Harbor principles, and FTC has authority to take action.
- Results
- No referrals and no complaints filed with the EU DPAs.
- TRUSTe, BBB, DMA, and others report internal complaints resolved!
7 Other Options for Meeting the EU Directive's Requirements
- Joining Safe Harbor is not the only means of meeting the EU Directive's requirements
- Other alternatives include
- Unambiguous consent
- Necessary to perform contract
- Codes of Conduct
- Model Contract Clauses
- Direct compliance/registration with EU Authorities
- http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
8 Since 2000, we've built credibility and confidence in Safe Harbor in the E.U.
- In November 2000, there were 6 Safe Harbor companies
- Today, we are approaching 1,300 organizations spanning industries from consumer goods to aviation
- Average 35 new members per month
- EU views SH as a Best Practice and Gold Standard for data protection.
9 Moving Forward: The Challenge Continues
- Expanded dialogue with the European Commission Conference on International Transfers of Personal Data, Brussels, October 2006
- More needs to be done by EU to harmonize Data Directive and educate data subjects; we raised this specific issue in Brussels in bilateral negotiations last fall
- Increased Emphasis by Industry on Harmonizing Approval Process for Binding Corporate Rules
10 Safe Harbor Program Membership, 2000 to Oct. 2007
11 Safe Harbor Program Top 20 Industries
12 For additional information or questions
- Contact me at
- Damon C. Greer
- U.S. Department of Commerce
- HCHB 2003
- 1401 Constitution Avenue, N.W.
- Washington, D. C. 20230
- Telephone (202) 482-5023 Fax (202) 482-5522
- Email damon.greer_at_mail.doc.gov