The U.S.-E.U. Safe Harbor Framework
Cross Border Data Flows, Data Protection, and Privacy
Damon Greer
Safe Harbor Program
October 15, 2007
Different Approaches to Data Privacy: Why it matters
• European Union’s Data Protection Directive creates a barrier for
those countries, including the U.S., that do not meet the EU’s
“adequacy” requirements for data protection.
• U.S. Department of Commerce and European Commission
negotiated the SAFE HARBOR to provide U.S. companies with a
simple, streamlined means of complying with the adequacy
requirement.
• Trans-Atlantic Trade in 2006 reached $630 billion
Adequacy via the Safe Harbor
• Safe Harbor registration is a voluntary representation to
European business partners and European citizens that U.S.
companies will comply with the Safe Harbor framework.
Administered by the DOC, enforced in the United States
by the FTC and DOT
• Currently nearly 1,300 U.S. organizations, including
multinationals and SMEs.
7 Safe Harbor Principles (SHFIPPs)
• NOTICE
• CHOICE
• SECURITY
• ONWARD TRANSFER
• DATA INTEGRITY
• ACCESS
• ENFORCEMENT
Where to Find Safe Harbor Information
• http://export.gov/safeharbor/ website includes:
Safe Harbor List
Safe Harbor Workbook
Compliance Checklist/Helpful Hints
Safe Harbor Documents (including principles,
FAQ’s, correspondence, etc.)
Historical documents (including public
comments)
Compliance & Enforcement
• U.S. culture of customer service is highly effective in addressing
customer complaints/concerns, perhaps more than comprehensive
legislation.
• Independent recourse mechanisms are required to notify DoC of a
company’s failure to comply with the Safe Harbor principles, and
FTC has authority to take action.
• Results:
No referrals and no complaints filed with the EU DPAs.
TRUSTe, BBB, DMA, and others report internal complaints
resolved!
Other Options for Meeting the EU Directive’s Requirements
• Joining Safe Harbor is not the only means of meeting the EU
Directive’s requirements
• Other alternatives include:
“Unambiguous” consent
Necessary to perform contract
Codes of Conduct
Model Contract Clauses
Direct compliance/registration with EU Authorities
http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
Since 2000, we’ve built credibility and confidence in Safe Harbor in the E.U.
• In November 2000, there were 6 Safe Harbor companies;
• Today, we are approaching 1,300 organizations spanning
industries from consumer goods to aviation;
• Average 35 new members per month;
• EU views SH as a “Best Practice” and Gold Standard for data
protection.
Moving Forward — The Challenge Continues
• Expanded dialogue with the European Commission;
Conference on International Transfers of Personal Data,
Brussels, October 2006
• More needs to be done by EU to harmonize Data Directive;
educate data subjects; we raised this specific issue in
Brussels in bilateral negotiations last fall
• Increased Emphasis by Industry on Harmonizing Approval
Process for Binding Corporate Rules
Safe Harbor Program Membership, 2000 – Oct. 2007
[Chart: membership by year, 2000 through 2007; series: HR, Non-HR, Total. Data labels as shown: 244, 223, 211, 204, 154, 143, 109, 6.]
Safe Harbor Program – Top 20 Industries
Information Services - (INF): 279
Computer Services - (CSV): 218
Computer Software - (CSF): 209
General Services - (GSV): 125
Management Consulting Services - (MCS): 87
Employment Services - (EMP): 71
Education & Training - (EDS): 65
Advertising Services - (ADV): 62
Drugs & Pharmaceuticals - (DRG): 58
Telecommunications Services - (TES): 57
Travel & Tourism Services - (TRA): 50
Financial Services - (FNS): 50
Health Care Services - (HCS): 41
Computer & Peripherals - (CPT): 30
Medical Equipment - (MED): 28
Biotechnology - (BTC): 26
Electronic Components - (ELC): 24
General Consumer Goods - (GCG): 22
Insurance Services - (INS): 19
General Science & Technology - (GST): 19
For additional information or questions
Contact me at:
Damon C. Greer
U.S. Department of Commerce
HCHB 2003
1401 Constitution Avenue, N.W.
Washington, D. C. 20230
Telephone: (202) 482-5023; Fax: (202) 482-5522
Email: damon.greer@mail.doc.gov