In 1995 the European Union (EU) adopted the Data Protection Directive 95/46/EC. Its general objective was to harmonise the way in which personal data could be processed in the EU member states. Article 25 is a key provision of the directive which prohibits the transfer of personal data to a third country unless that country ensures an “adequate level of protection” (i.e. similar protection to that set out in the directive).
There was immediately a problem in relation to the US, where there is a variety of existing privacy legislation. It was widely accepted that the US legislation did not meet the EU’s requirements for “adequate protection”.
As such, there was a real concern that businesses based in the EU would not be able to transfer data to the US and this would have a significant impact on trade and the free movement of information about individuals.
In some cases this problem could be resolved if the European and US parties entered into a specific contract to protect the use of personal data. While this worked for intragroup transfers and other particular relationships, it was widely felt that a more comprehensive solution should be found. During lengthy negotiations, the US issued a compromise proposal, known as the ‘Safe Harbor Principles’, which largely follows the EU requirements giving individuals the right to:
1. receive notification of how personal data is
to be used;
2. object to the transfer of data to third parties
or to the use of the data for unauthorised
purposes; and
3. have access to personal data held about
them.
After a period of considerable uncertainty, in July 2000 the European Commission (EC) announced it accepted that the Safe Harbor Principles do provide adequate protection for personal data transferred from the EU and this decision is binding on all 15 member states.
The EC has indicated that the ‘safe harbor’ arrangements should be in place by November 2000 and this will ensure that, as long as the process is followed correctly, personal data can now be transferred to the US.
How the safe harbor principles work
US organisations will self-certify compliance with the safe harbor principles to the US Department of Commerce. Although participation in the ‘safe harbor’ arrangements is optional, the principles are binding for those US organisations that decide to adhere to them, and are enforceable by the Federal Trade Commission.
Organisations must also publicly declare that they adhere to the principles to obtain and retain the benefits of safe harbor. EU data exporters wishing to check that the data recipient enjoys ‘safe harbor’ status will be able to refer to a publicly available list maintained by the US Department of Commerce.
The list will be available later in the year. If participating organisations persistently fail to comply with the principles, they may lose their ‘safe harbor’ status, and any such loss of status will be made clear in the list. The list will be available online and updated regularly.
