U.S.-EU & U.S.-Swiss Safe Harbor Framework (Safe Harbor) for data transfer can be seen as an easy way for U.S.-based companies to meet the European Union’s data transfer requirements. In reality, implementing and maintaining the program properly takes a lot of effort. Increased enforcement action by the Federal Trade Commission (FTC) and upcoming changes to the Safe Harbor program will make compliance more challenging.
Recent enforcement actions by the FTC include the settlement in August with 13 companies on charges of misleading consumers. These companies claimed they were certified under Safe Harbor but either had never applied for certification or let their certification lapse. The FTC has stepped up enforcement of the Safe Harbor program in recent years.
Changes to the Program
The European Commission has been demanding changes to the Safe Harbor program since the beginning of 2014. EU members have been concerned about the collection of data for national security purposes, as well as the lack of protections for EU residents that are currently available to U.S. residents.
Other concerns are about the onward transfer of data from a Safe Harbor Certified entity. It is worth taking note of the 13 items for improvement requested by the European Commission to understand some of the potential changes coming for those in Safe Harbor.
A revision to the Safe Harbor program is expected this year, and the program is expected to become stricter, with more enforcement activity by the FTC anticipated. An organization in Safe Harbor will need to make sure it complies with the Certification requirements and documentation in order to protect itself from action by the FTC.
Understanding Safe Harbor Certification
Safe Harbor Certification is more than checking a box and making a payment. In fact, certifying to Safe Harbor should be the last step of the program (besides continuous monitoring of your program’s compliance). Before making the self-certification, an organization must verify that its privacy practices meet the Safe Harbor Principles. This can be done with a third-party review or can be completed with a self-assessment.
A self-assessment requires a signed statement by a corporate officer or designee. The assessment should be completed and signed annually and may be requested during an investigation of non-compliance. If a third party is used, a statement of the compliance review should be signed by the reviewer or by the corporate officer or designee annually and made available upon request during an investigation of non-compliance. See FAQ 7 (Verification) for additional details on the written Certification requirements.
- It conforms to the U.S.-EU Safe Harbor Privacy Principles
Another key to meeting self-certification requirements is employee training. Employees involved in processing EU and/or Swiss personal data should understand the Safe Harbor Principles. They also need details about the specific mechanisms your company uses to meet these Principles. Remember to plan for training any new hires so they can support your program’s objectives.
The Helpful Hints on Self-Certifying Compliance with the U.S.-EU Safe Harbor Framework page on the Safe Harbor web site provides assistance.
The U.S.-EU Safe Harbor Framework Documents page is where the list of the 15 FAQs is found. These FAQs clarify requirements as well as spell out the Certification requirements.
The process of implementing and re-certifying compliance with Safe Harbor can be rewarding to a company in more ways than just providing a mechanism to process personally identifiable information from the EU to the U.S. Recertification also:
- Provides an opportunity to review the company’s privacy and security programs
- Helps train employees on privacy requirements, especially those related to the EU Directive 95/46/EC
- Educates senior management about the need for proper privacy protections and compliance with the EU Directive
- Promotes gaining funding to support privacy programs