US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data.
Intended for organizations within the EU or US that store customer data, the Safe Harbor Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program as long as they adhere to the 7 principles outlined in the Directive.
The process was developed by the US Department of Commerce in consultation with the EU.
Contents |
The European Union has for many years had a formalised system of Privacy legislation, which is regarded as more rigorous than that found in many other areas of the world.
Companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive equivalent levels of protection.
Such protection can either be at a country level (if the country's laws are considered to offer equal protection) or at an organizational level (where a multinational organization produces and documents its internal controls on personal data).
The Safe Harbor Privacy Principles allows US companies to register their certification if they meet the European Union requirements.
These principles must provide:
After opting in, an organization must re-certify every 12 months. It can either perform a self-assessment to verify that it complies with these principles, or hire a third-party to perform the assessment. There are also requirements for ensuring that appropriate employee training and an effective dispute mechanism are in place.
The Federal Trade Commission theoretically oversees this program but, to date, no company's procedures have been challenged as failing to meet these guidelines.
The EU-US Safe Harbor has been the subject of significant criticism regarding compliance and enforcement in three external evaluations: