The Federal Trade Commission developed the 'safe harbor' framework so that US companies may meet the European Union ("EU") adequacy standard for privacy protection.
Introduction
The EU is a regional treaty-based organization that manages economic cooperation between its fifteen European member countries. The fifteen countries belonging to the EU are Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden and the United Kingdom. The EU Directive on Data Protection went into effect in October 1999. The Directive requires the European Commission ("Commission") to determine the adequacy of data protection in third countries and to prohibit personal data flows to countries with privacy regimes that are not deemed "adequate." Organizations desiring to receive personally identifiable information from the EU must provide "adequate" privacy protection.
In contrast to the EU's comprehensive approach to individual privacy, the United States takes a sectoral approach. The safe harbor framework was developed by the U.S. Department of Commerce to bridge the differences between the EU's approach to data privacy and the U.S.'s approach. The safe harbor principles were deemed adequate by the European Commission on July 20, 2000 and became effective November 1, 2000.
The European Union Directive on Data Protection
The EU directive establishes strict guidelines for the processing of personal information. These guidelines encompass the following principles:
Data Quality. All personal information must be collected fairly and lawfully. This means the person whose personal information is being collected must know it is being collected and informed of the purpose. The use of the data must be limited to the purpose first identified.
Legitimate Data Processing. The consent of the data subject is required. The data subject has the right to see the data, correct inaccurate data, and know who will receive the data.
Sensitive Data. Data such as racial or ethnic origins, political or religious beliefs, health or sex life may not be processed at all except for limited circumstances such as if the individual gives express consent.
Security. The organization must take measures to protect data from destruction, loss, alteration or unauthorized disclosure.
Data Controllers. Anyone processing data must appoint a "data controller" who must register with government authorities and is responsible for all data processing.
Government Data Protection Authorities. Each member state is required to create an authority with independent public authority to supervise the protection of personal data.
Transfers of Data Outside the EU. Member states are required to enact laws that prohibit the transfer of personal data to countries outside the EU that fail to ensure an "adequate" level of protection. Member States are required to take measures to prevent the transfer of data to any country where the level of protection is inadequate, and the Member States and their Data Protection Commissions must inform each other when they believe an outside country does not ensure an adequate level of protection.
The Safe Harbor Framework
The safe harbor framework was developed by the U.S. Department of Commerce to provide a means for U.S. organizations to satisfy the "adequacy" requirement of the EU Directive on Data Protection. The safe harbor framework is set forth with a set of seven privacy principles. The safe harbor can apply to all personal information transferred from the EU, whether collected online or offline. A decision by a U.S. organization to enter the safe harbor is entirely voluntary.
Benefits of using the safe harbor
The safe harbor provides a number of important benefits for U.S. and EU firms. Benefits for U.S. organizations participating in the safe harbor include:
- All 15 Member States are bound by the EU's finding of adequacy of the safe harbor;
- Companies participating in the safe harbor will be deemed adequate and data flows to those companies will continue;
- Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and
- Claims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions.
The Safe Harbor List
The safe harbor list, available at http://www.export.gov/safeharbor, is maintained by the U.S. Department of Commerce and became operational November 2000. The list is updated regularly and enables an EU organization to determine if an organization adheres to the safe harbor. As of February 14, 2001 only twenty-one U.S. organizations are on the list. However, one recent notable addition to the list is the Hewlett-Packard Company. Hewlett-Packard becomes the first high-tech company to join, and in an announcement, the company states "HP believes that consumer confidence will be enhanced by ensuring customer privacy rights on- and off-line" and that "[t]he safe harbor framework offers consistency and continuity for business operations conducted between HP sites located in the United States and the European Union."
How to Join
The decision to join the safe harbor is entirely voluntary. Organizations that decide to participate in the safe harbor must comply with the safe harbor's requirements and publicly declare they do so. To qualify, an organization can (1) join a self-regulatory private program that adheres to the safe harbor's requirements; or (2) develop its own self-regulatory privacy policy that conforms to the safe harbor. Any U.S. organization that is subject to the jurisdiction of the Federal Trade Commission, or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation, may join.
An organization may withdraw by notifying the Department of Commerce. Failure of a withdrawing organization to notify the Department could constitute a misrepresentation and may be actionable under the False Statements Act (18 USC § 1001). Withdrawal from the list terminates the organization's adherence to the Safe Harbor Principles, but does not relieve the organization of its obligations with respect to information received prior to the termination.
The Safe Harbor Principles:
Compliance with the seven safe harbor principles is required. The principles are:
- Notice. Organizations must notify individuals about the purposes for which data is collected and used, how to contact the organization with any inquiries and complaints, the types of third parties to which it discloses the information, the means the organization offers for limiting the use and disclosure of information, and how the information is secured.
- Choice. An individual must receive the opportunity to opt out before their personal information is shared with a third party or used for a purpose incompatible with the original purpose for which the information was collected. For sensitive information, affirmative or explicit consent must be given before the information is shared with a third party or used for a purpose other than its original purpose.
- Third Party Transfers (Onward transfers). The notice and choice principles must be applied before any transfer of information to a third party. If the third party is acting as an agent for the transferring organization, the transferring organization must ensure the third party subscribes to the safe harbor principles or has adequate levels of protection. As an alternative, a written agreement with the third party requiring that the third party will provide at least the same level of privacy protection as required by the relevant principles may be utilized.
- Access. Individuals must have access to their personal information. Individuals must be able to correct, amend, or delete their information where inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or the rights of another person would be violated.
- Security. Organizations must take reasonable precautions to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Data Integrity. The data must be relevant for the purposes for which it is used. Personal information may not be used in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. Reasonable steps should be taken to ensure the data is reliable for its intended use, accurate, complete, and current.
- Enforcement. Effective privacy protection must include mechanisms for assuring compliance. Private sector enforcement has three components: verification, dispute resolution, and remedy. Either independent or self-assessment procedures must be in place for verification. The dispute mechanism must be readily available and affordable to the individual. The dispute resolution body chosen must provide sufficiently rigorous sanctions to ensure compliance by the organization.
How the safe harbor is enforced
In general, enforcement of the safe harbor will take place in the United States in accordance with U.S. law and will primarily be carried out by the private sector.
As part of their safe harbor obligations, organizations are required to have in place a dispute resolution system that will investigate and resolve individual complaints and disputes, and procedures for verifying compliance. Organizations are required to remedy problems arising out of a failure to comply with the principles. Sanctions must be severe enough to ensure compliance and must include publicity for findings of non-compliance and deletion of data in certain circumstances. Sanctions may also include suspension from membership in a privacy program (and thus, effectively, suspension from the safe harbor) and injunctive orders.
Organizations may also satisfy the dispute resolution and remedy requirements through compliance with government supervisory authorities or cooperation with data protection authorities located in Europe.
Depending on the industry, the Federal Trade Commission, comparable U.S. government agencies, and/or states may also enforce the safe harbor principles. Where a company has a self-regulatory scheme in place, its failure to comply with the scheme may be actionable under federal or state law prohibiting unfair and deceptive acts. The FTC has the power to rectify such misrepresentations by seeking administrative orders and civil penalties of up to $12,000 per day for violations. The Department of Commerce will indicate on its safe harbor list any notification it receives of persistent failures to comply and will make clear which organizations are assured and which organizations are no longer assured of safe harbor benefits.
Conclusion
The safe harbor framework provides an easy method for U.S. organizations to satisfy the EU's "adequacy" requirement and continue to exchange data with organizations in EU Member States.