By: Kerstin Bagus, Director of Global Initiatives
Safe Harbor, specifically the U.S.-EU Safe Harbor Privacy Arrangement, is still very much in the news. In the EU, various Member State Data Protection Authorities have been stating their position on data transfer mechanisms to the U.S.
Two sets of Authorities stand out with their positions:
Germany took a hard line approach. The seventeen Data Protection Authorities are restricting new approvals for any U.S. data transfers.
The UK’s Information Commissioner’s Office (“ICO”) encouraged thoughtfulness on the part of businesses when considering alternative data transfer mechanisms. It cautioned that companies should not rush to implement a potentially sub-standard solution.
Outside of the EU, other countries’ data protection regimes have pointed to Safe Harbor as one potential mechanism to transfer data to the U.S. Often these countries’ data protection principles are based upon the EU Data Protection Directive. Israel and Dubai’s DIFC recently announced they no longer allow data transfer based upon Safe Harbor. I expect we will continue to see other countries remove Safe Harbor, as it currently exists, as a valid transfer mechanism.
To clarify a key point: Safe Harbor is not terminated or invalid. The European Court of Justice declared the use of Safe Harbor, as a mechanism to transfer personal data from the EU to the U.S., is no longer valid. This is an important distinction. Although Safe Harbor may no longer be used as a data transfer mechanism, this does not mean that it has no value at all in a U.S. company’s data protection framework. I, personally, have found Safe Harbor to be a good tool to use when raising an organization’s level of privacy protections. It has helped me establish a clear set of requirements for a privacy program.
My experience is that privacy programs do not exist in a vacuum. Enacting programs and protections to meet one requirement often has the impact of extending those protections to a larger set of operations. A great example is privacy training. One requirement of Safe Harbor is staff training. Without fail, each Safe Harbor training I have conducted have raised awareness and compliance with global privacy protections, including U.S. requirements. These trainings, and many of the Safe Harbor principles, have helped me reinforce our company’s compliance with the FCRA and other U.S. requirements. The FCRA and the EU Directive share many common requirements, and repeating them in training can only provide additional value. The Safe Harbor principles are also a good way to understand how to process global background screens. Even if a background screener is not supporting End Users or screening applicants located in the EU, the Safe Harbor principles can help them understand the restrictions encountered when process background check elements from the EU.
A word of caution for companies currently enrolled in Safe Harbor: the requirements to adhere to the Safe Harbor principles remain, unless the company has officially exited from the Safe Harbor program. Exiting the Sage Harbor program includes updating privacy policies, service agreements, and other statements about the company’s Safe Harbor certification, and removing the Safe Harbor logo from websites.
Much work is being done on a new Safe Harbor program, often referred to as Safe Harbor 2.0. This new program has been agreed to, in principle, by representatives from the EU and U.S. An end of January 2016 deadline for the new program has been set by the EU’s 28 National Data Privacy Regulators.
I am cautiously optimistic about the new Safe Harbor program, and am also thrilled to see so much focus on data privacy now coming to the mainstream press. However difficult our jobs have become as we work to find adequate mechanisms for cross-border data transfer, the level of discussion on the topic has been raised. Like training, I have found discussion and debate to be a great way to support privacy programs.
Information about the Safe Harbor program can be found here.
Kerstin Bagus, Director of Global Initiatives
Kerstin Bagus supports ClearStar’s global screening program as its Director of Global Initiatives. Kerstin has more than 30 years of background screening industry experience, working for a variety of firms, large and small. During this time, she has been involved in many aspects of screening including sales, customer service, product management, compliance, and vendor management. Kerstin is one of the few individuals in the industry who is privacy certified through the International Association of Privacy Professionals (IAPP) for Canada, EU, and US.
Kerstin is a passionate participant in the Professional Background Screening Association (PBSA, formerly NAPBS) and is a current member of the Board, in addition to participating on several committees. She also participates on IFDAT’s Legal Committee, with a primary focus on global data privacy.