Safe Harbor arrangement

From Wikipedia, the free encyclopedia

The US Safe Harbor arrangement is a streamlined process for US companies to comply with EU Directive 95/46/EC on the protection of personal data, based on a set of International Safe Harbor Privacy Principles. The process was developed by the US Department of Commerce in consultation with the EU.

US companies can opt into the program as long as they adhere to the 7 principles outlined in the Directive. These principles require:

  • Notice - Individuals must be informed that their data is being collected and about how it will be used.
  • Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
  • Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
  • Security - Reasonable efforts must be made to prevent loss of collected information.
  • Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
  • Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement - There must be effective means of enforcing these rules.

Companies must also recertify every 12 months. They can either perform a self-assessment to verify that they comply with these principles, or hire a third party to perform the assessment. There are also requirements for ensuring that appropriate employee training and an effective dispute mechanism are in place.

The Federal Trade Commission theoretically oversees this program but, to date, no company's procedures have been challenged as failing to meet these guidelines.
