In October 1998, the European Union's Data Protection Directive took effect. It prohibits transfers of personal data about individuals in the EU to any non-EU country that does not meet the EU's standard of "adequate" privacy protection.
The United States takes a different, sector-by-sector approach to privacy than the EU, so a bridge was needed to allow personal data to flow lawfully to the United States.
The U.S. Department of Commerce negotiated separately with the European Commission and with the Federal Data Protection and Information Commissioner of Switzerland to develop two "Safe Harbor" frameworks: the U.S.-EU Safe Harbor program and the U.S.-Swiss Safe Harbor program.
Although these are two separate frameworks, they share essentially the same principles, requirements and purpose.
Who can participate in Safe Harbor
Participation in the Safe Harbor is limited to businesses and organizations that fall under the jurisdiction of the Federal Trade Commission (FTC), and to U.S. air carriers and ticket agents that fall under the jurisdiction of the Department of Transportation (DoT).
What industries fall under FTC jurisdiction?
FTC jurisdiction covers most commercial businesses in the United States. Industries that fall under it, and whose companies can therefore participate in the Safe Harbor, include food, energy, healthcare and computer technology, among many others. Some sectors fall outside it, however: banks and other financial institutions, telecommunications common carriers, insurance companies and most non-profit organizations were not eligible to self-certify (air carriers and ticket agents are covered through the DoT instead).
If you aren't certain whether your business falls under FTC jurisdiction, confirm it by contacting the FTC or consulting a reputable source before you self-certify.
Why should your business join the Safe Harbor?
If you collect personal information from individuals in the EU through a website, mobile app or any other channel, and you want to avoid violating European law, you will want to become Safe Harbor compliant.
Without the Safe Harbor, a U.S. business needs another legal basis for each transfer, such as approval from the data protection authority of each EU member state concerned or individually negotiated contractual arrangements.
Safe Harbor is the convenient way to stay compliant.
Benefits of joining
There are a number of benefits to joining the U.S.-EU and U.S.-Swiss Safe Harbors. Key benefits include:
- Where a member state requires prior approval of a data transfer, that approval is either granted automatically or the requirement is waived, and this applies across all EU member states.
- Organizations in the Safe Harbor are deemed by all EU member states to provide "adequate" privacy protection under the Directive.
- Claims brought by EU citizens against U.S. organizations are heard in the United States, subject to limited exceptions, which simplifies litigation for U.S. businesses.
How to join
Joining is voluntary. Organizations and businesses that wish to join must:
- Comply with each of the 7 Safe Harbor Privacy Principles
- Publicly declare that they comply, by stating in a published Privacy Policy that they adhere to the 7 Safe Harbor Privacy Principles
- Self-certify in writing to the Department of Commerce, and recertify every year, that the organization agrees to comply with the requirements of the Safe Harbor framework
- Submit the certification form together with the processing fee
7 Privacy principles of Safe Harbor
- Notice.
A business or organization must tell individuals why it collects information about them, how that information is used, and what types of third parties it is disclosed to. The notice must be given in clear and conspicuous language when individuals are first asked to provide the information, or as soon as practicable afterwards, and in any case before the information is used for a new purpose or disclosed to a third party for the first time.
The notice must also explain how individuals can limit the use and disclosure of the information collected from them, and how they can contact the business or organization with questions or complaints.
All of these notice requirements can be met with a thorough Privacy Policy that covers each of these areas in detail.
- Choice.
Individuals must be given the choice to opt out of having their personal information disclosed to a third party, or used for a purpose incompatible with the purpose for which it was originally collected.
For sensitive personal information, the choice must be an affirmative opt-in: the individual must explicitly agree before the data is disclosed to a third party or used for a new purpose, and no sharing may take place until that consent is given. Under the Safe Harbor, "sensitive" information means data such as medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sex life; a home address, by contrast, is ordinary personal information.
A simple way to meet the opt-in requirement is a checkbox, unchecked by default, by which the user agrees to having personal data shared with third parties or used for the alternative purpose. A pre-ticked box does not count as an affirmative opt-in.
Here's an example from Zappos linking to its Privacy Policy page and Terms of Use page on the sign-up page:
When you ask the user to opt in or out, link to a Privacy Policy that fully explains how third parties use personal data, so that the user can make a well-informed choice.
For non-sensitive personal information you need only provide a clear, affordable and readily available way to opt out, and explain in your Privacy Policy how to do so.
- Onward transfer (transfer to third parties).
Before transferring personal information to a third party that acts as an agent on behalf of the business or organization, one of two conditions must be met.
Either the organization first ascertains that the third party itself subscribes to the Safe Harbor Privacy Principles, is subject to the Directive, or is covered by another EU adequacy finding; or the organization enters into a written agreement requiring the third party to provide at least the level of privacy protection that the Safe Harbor Principles require. Disclosures to third parties that are not acting as agents must instead follow the Notice and Choice principles above.
- Access.
Individuals must have access to the personal information an organization holds about them, and must be able to correct, amend or delete it where it is inaccurate.
The only exception is where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of persons other than the individual would be violated.
- Security.
Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction. The more sensitive the data, the stronger the precautions must be.
- Data integrity.
Personal information must be relevant for the purposes for which it is used, and may not be processed in a way incompatible with those purposes. Collect only what you need, and take reasonable steps to ensure that the data is reliable for its intended use, accurate, complete and current.
- Enforcement.
Complying with the principles above is not enough on its own; you must also be able to demonstrate that you comply.
To complete compliance with the Safe Harbor Privacy Principles you must:
- Provide readily available and affordable independent recourse mechanisms through which individuals' complaints and disputes are investigated and resolved, with damages awarded where the applicable law or private-sector initiatives so provide.
- Make verification possible. Keep the files and records that show whether and how you follow each of the seven principles, so that if a regulator or an individual asks, you can promptly confirm that you comply and how.
- Remedy any failure to comply. The consequences of non-compliance must be rigorous enough to ensure compliance, and a lapse in compliance is sanctionable.
Examples
In the example below, note how Zoho makes it clear that they comply with the Safe Harbor requirements and that they have certified this:
Basecamp also provides information about their Safe Harbor certification, as seen below:
Note the thorough way that Asana details compliance with Safe Harbor and provides an email address for communication about questions and privacy concern inquiries.
Asana also addresses the first enforcement requirement by stating that they have "committed to refer unresolved privacy complaints under the US-EU and US-Swiss Safe Harbor Principles to an independent dispute resolution mechanism, the BBB EU SAFE HARBOR, operated by the Council of Better Business Bureaus."
The more information you provide in your Privacy Policy, the better.
Consider breaking down your information into sections within your Privacy Policy, such as the example below from AirBnB. This is a great example of a thorough Safe Harbor section of a Privacy Policy:
A number of requirements must be met before Safe Harbor certification can be obtained, but almost all of them are best practices that website and mobile app developers should follow anyway.
The benefits of being Safe Harbor certified far outweigh the efforts that must be put into obtaining the certification.
Comprehensive compliance starts with a Privacy Policy.