Latest News & Resources for U.S.-EU/Switzerland Safe Harbor
Recent enforcement actions by the FTC include the settlement in August with 13 companies on charges of misleading consumers. These companies claimed they were certified under Safe Harbor but either had never applied for certification or let their certification lapse. The FTC has stepped up enforcement of the Safe Harbor program in recent years.
Changes to the Program
The European Commission has been demanding changes to the Safe Harbor program since the beginning of 2014. EU members have been concerned about the collection of data for national security purposes, as well as the lack of protections for EU residents that are currently available to U.S. residents.
Other concerns are about the onward transfer of data from a Safe Harbor Certified entity. It is worth taking note of the 13 items for improvement requested by the European Commission to understand some of the potential changes coming for those in Safe Harbor.
A revision to the Safe Harbor program is thought to come this year. The program is expected to become stricter. A greater number of enforcement activities by the FTC are anticipated. An organization in Safe Harbor will need to make sure they comply with the Certification requirements and documentation in order to protect themselves from action by the FTC.
Understanding Safe Harbor Certification
Safe Harbor Certification is more than checking a box and making a payment. In fact, certifying to Safe Harbor should be the last step of the program (besides continuous monitoring of your program’s compliance). Before making the self-certification, an organization must verify that its privacy practices meet the Safe Harbor Principles. This can be done with a third-party review or can be completed with a self-assessment.
A self-assessment requires a signed statement by a corporate officer or designee. The assessment should be completed and signed annually and may be requested during an investigation of non-compliance. If a third party is used, a statement of the compliance review should be signed by the reviewer or the corporate officer or designee annually and made available upon request during an investigation of non-compliance. See FAQ 7 Verification for additional details on the written Certification requirements.
A critical part of the Certification process involves your organization’s Privacy Policy. Make sure:
- It conforms to the U.S.-EU Safe Harbor Privacy Principles
- Your Privacy Policy references your Safe Harbor compliance
- Your Privacy Policy is publicly available
- Provides an opportunity to review the company’s privacy and security programs
- Helps train employees on privacy requirements, especially those related to the EU Directive 95/46/EC
- Educates senior management about the need for proper privacy protections and compliance with the EU Directive
- Promotes gaining funding to support privacy programs
At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, regions, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice, and this communication does not form an attorney-client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact on general research and this area is evolving rapidly. ClearStar expressly disclaims any warranties or responsibility or damages associated with or arising out of the information provided herein.