The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the
European Union
The European Union (EU) is a supranational political and economic union of member states that are located primarily in Europe. The union has a total area of and an estimated total population of about 447million. The EU has often been des ...
or United States which store
customer data
Customer data or consumer data refers to all personal, Behaviorism, behavioural, and demographic data that is collected by marketing companies and departments from their customer base.
To some extent, data collection from customers intrudes into c ...
from accidentally disclosing or losing
personal information
Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.
The abbreviation PII is widely accepted in the United States, but the phrase it abbreviates ha ...
. They were overturned on October 6, 2015 by the
European Court of Justice
The European Court of Justice (ECJ, french: Cour de Justice européenne), formally just the Court of Justice, is the supreme court of the European Union in matters of European Union law. As a part of the Court of Justice of the European Un ...
(ECJ), which enabled some US companies to comply with
privacy law
Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be Personally identifiable information ...
s protecting
European Union
The European Union (EU) is a supranational political and economic union of member states that are located primarily in Europe. The union has a total area of and an estimated total population of about 447million. The EU has often been des ...
and
Swiss
Swiss may refer to:
* the adjectival form of Switzerland
* Swiss people
Places
* Swiss, Missouri
* Swiss, North Carolina
*Swiss, West Virginia
* Swiss, Wisconsin
Other uses
*Swiss-system tournament, in various games and sports
*Swiss Internation ...
citizens.
US companies storing customer data could self-certify that they adhered to 7 principles, to comply with the EU
Data Protection Directive
The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, is a European Union directive which regulates the processing of personal data within the European Union (EU) and the free movement of such data. The Data Pr ...
and with Swiss requirements. The
US Department of Commerce
The United States Department of Commerce is an executive department of the U.S. federal government concerned with creating the conditions for economic growth and opportunity. Among its tasks are gathering economic and demographic data for busin ...
developed privacy frameworks in conjunction with both the European Union and the
Federal Data Protection and Information Commissioner
The Federal Data Protection and Information Commissioner (FDPIC) is responsible to advise, educate and ensure the protection of personal data in Switzerland. It is established by the Federal Act on Data Protection and by the Federal Act on Freedom ...
of Switzerland.
Within the context of a series of decisions on the adequacy of the protection of
personal data
Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.
The abbreviation PII is widely accepted in the United States, but the phrase it abbreviates ha ...
transferred to other countries, the
European Commission
The European Commission (EC) is the executive of the European Union (EU). It operates as a cabinet government, with 27 members of the Commission (informally known as "Commissioners") headed by a President. It includes an administrative body o ...
made a decision in 2000 that the United States' principles did comply with the EU Directive – the so-called "Safe Harbour decision". However, after a customer complained that his
Facebook
Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...
data were insufficiently protected, the ECJ declared in October 2015 that the Safe Harbour decision was invalid, leading to further talks being held by the Commission with the US authorities towards "a renewed and sound framework for transatlantic data flows".
The European Commission and the United States agreed to establish a new framework for transatlantic data flows on 2 February 2016, known as the "
EU–US Privacy Shield
The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive ...
", which was closely followed by the
Swiss-US Privacy Shield Framework.
Background history
In 1980, the
OECD
The Organisation for Economic Co-operation and Development (OECD; french: Organisation de coopération et de développement économiques, ''OCDE'') is an intergovernmental organisation with 38 member countries, founded in 1961 to stimulate e ...
issued recommendations for protection of
personal data
Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.
The abbreviation PII is widely accepted in the United States, but the phrase it abbreviates ha ...
in the form of eight principles. These were non-binding and in 1995, the
European Union
The European Union (EU) is a supranational political and economic union of member states that are located primarily in Europe. The union has a total area of and an estimated total population of about 447million. The EU has often been des ...
(EU) enacted a more binding form of governance, i.e. legislation, to protect personal
data privacy
Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data pr ...
in the form of the
Data Protection Directive
The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, is a European Union directive which regulates the processing of personal data within the European Union (EU) and the free movement of such data. The Data Pr ...
.
[Directive 95/46/EC of the European Parliament]
and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
According to the Data Protection Directive, companies operating in the European Union are not permitted to send personal data to "third countries" outside the
European Economic Area
The European Economic Area (EEA) was established via the ''Agreement on the European Economic Area'', an international agreement which enables the extension of the European Union's single market to member states of the European Free Trade Ass ...
, unless they guarantee adequate levels of protection, "the data subject himself agrees to the transfer" or "if
Binding corporate rules or Standard Contractual Clauses have been authorised." The latter means that privacy protection can be at an organizational level, where a multinational organization produces and documents its internal controls on personal data or they can be at the level of a country if its laws are considered to offer protection equal to the EU.
The Safe Harbour Privacy Principles were developed between 1998 and 2000. Key player was the Art. 29 Working Party, at that time chaired by the Italian Data Protection Authorit
www.garanteprivacy.itPresident Prof. Stefano Rodotà, one of the fathers of the privacy framework in Europe, helped by the Italian Data Protection Authority Secretary General Mr. Giovanni Buttarelli, lately appointed as European Data Protection Supervisor (EDPS). Safe Harbour Principles were designed to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. US companies could opt into a program and be certified if they adhered to seven principles and 15 frequently asked questions and answers per the Directive. In July 2000, the
European Commission
The European Commission (EC) is the executive of the European Union (EU). It operates as a cabinet government, with 27 members of the Commission (informally known as "Commissioners") headed by a President. It includes an administrative body o ...
(EC) decided that US companies complying with the principles and registering their certification that they met the EU requirements, the so-called "safe harbour scheme", were allowed to transfer data from the EU to the US. This is referred to as the Safe Harbour decision.
[European Court of Justic]
2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council
on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441) (Text with EEA relevance.) 25 August 2000, retrieved 30 October 2015
On 6 October 2015, the European Court of Justice invalidated the EC's Safe Harbour Decision, because "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life" (boldened in original text).
According to the European Commission, the
EU–US Privacy Shield
The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive ...
agreed on 2 February 2016 "reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and
Federal Trade Commission
The Federal Trade Commission (FTC) is an independent agency of the United States government whose principal mission is the enforcement of civil (non-criminal) antitrust law and the promotion of consumer protection. The FTC shares jurisdiction ov ...
, including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson".
Principles
The seven principles from 2000 are:
[
* Notice – Individuals must be informed that their data is being collected and how it will be used. The organization must provide information about how individuals can contact the organization with any inquiries or complaints.
* Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
* Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
* Security – Reasonable efforts must be made to prevent loss of collected information.
* Data Integrity – Data must be relevant and reliable for the purpose it was collected.
* Access – Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate.
* Enforcement – There must be effective means of enforcing these rules.
]
Scope, certification and enforcement
Only U.S. organizations regulated by the Federal Trade Commission
The Federal Trade Commission (FTC) is an independent agency of the United States government whose principal mission is the enforcement of civil (non-criminal) antitrust law and the promotion of consumer protection. The FTC shares jurisdiction ov ...
or the Department of Transportation may participate in this voluntary program. This excludes many financial institutions (such as banks, investment houses, credit unions, and savings & loans institutions), telecommunication common carriers
A common carrier in common law countries (corresponding to a public carrier in some civil law systems,Encyclopædia Britannica CD 2000 "Civil-law public carrier" from "carriage of goods" usually called simply a ''carrier'') is a person or compan ...
(including internet service provider
An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...
s), labor associations, non-profit organizations, agricultural co-operatives
An agricultural cooperative, also known as a farmers' co-op, is a cooperative in which farmers pool their resources in certain areas of activity.
A broad typology of agricultural cooperatives distinguishes between agricultural service cooperati ...
, and meat processor
The meat-packing industry (also spelled meatpacking industry or meat packing industry) handles the slaughtering, processing, packaging, and distribution of meat from animals such as cattle, pigs, sheep and other livestock. Poultry is generally ...
s, journalists and most insurances, although it may include investment banks.
After opting in, an organization must have appropriate employee training and an effective dispute mechanism in place, and self re-certify every 12 months in writing that it agrees to adhere to the U.S.–EU Safe Harbor Framework's principles, including notice, choice, access, and enforcement.[U.S. Department of Commerc]
U.S.–EU Safe Harbor Overview
18 December 2013, retrieved 30 October 2015 It can either perform a self-assessment to verify that it complies with the principles, or hire a third-party to perform the assessment. Companies pay an annual $100 fee for registration except for first time registration ($200).
The U.S. government does not regulate Safe Harbor, which is self-regulated through its private sector members and the dispute resolution entities they pick. The Federal Trade Commission "manages" the system under the oversight of the U.S. Department of Commerce. To comply with the commitments, violators can be penalized under the Federal Trade Commission Act
The Federal Trade Commission Act of 1914 was a United States federal law which established the Federal Trade Commission. The Act was signed into law by US President Woodrow Wilson in 1914 and outlaws unfair methods of competition and unfair acts ...
by administrative orders and civil penalties of up to $16,000 per day for violations. If an organization fails to comply with the framework it must promptly notify the Department of Commerce, or else it can be prosecuted under the 'False Statements Act'.[
In a 2011 case, the ]Federal Trade Commission
The Federal Trade Commission (FTC) is an independent agency of the United States government whose principal mission is the enforcement of civil (non-criminal) antitrust law and the promotion of consumer protection. The FTC shares jurisdiction ov ...
obtained a consent decree from a California-based online retailer that had sold exclusively to customers in the United Kingdom
The United Kingdom of Great Britain and Northern Ireland, commonly known as the United Kingdom (UK) or Britain, is a country in Europe, off the north-western coast of the continental mainland. It comprises England, Scotland, Wales and North ...
. Among its many alleged deceptive practices was representing itself as having self-certified under Safe Harbour when in fact it had not. It was barred from using such deceptive practices in the future.
Criticism and evaluation
EU evaluations
The EU–US Safe Harbour Principles 'self certification scheme' has been criticised in regard to its compliance and enforcement in three external EU evaluations:
* A 2002 review by the European Union found "a substantial number of organisations that have self-certified adherence to the Safe Harbour do not seem to be observing the expected degree of transparency as regards their overall commitment or as regards the contents of their privacy policies" and that "not all dispute resolution mechanisms have indicated publicly their intention to enforce Safe Harbour rules and not all have in place privacy practices applicable to themselves."
* 2004 review by the European Union:
* In 2008, an Australian consulting company named Galexia issued a scathing review, finding "the ability of the US to protect privacy through self-regulation, backed by claimed regulator oversight was questionable'. They documented basic claims as incorrect where only 1109 out of 1597 recorded organisations listed by the US Department of Commerce
The United States Department of Commerce is an executive department of the U.S. federal government concerned with creating the conditions for economic growth and opportunity. Among its tasks are gathering economic and demographic data for busin ...
(DOC) on 17 October 2008 remained in the database after doubles, triples and ‘not current’ organisations were removed. Only 348 organisations met even the most basic requirements for compliance. Of these, only 54 extended their Safe Harbor membership to all data categories (manual, offline, online, human resources). 206 organisations falsely claimed to be members for years, yet there was no indication that they were subject of any US enforcement. Reviewers criticized the DOC's 'Safe Harbor Certification Mark' offered to companies to use as a "visual manifestation of the organization when it self-certifies that it will comply" as misleading, because it does not carry the words "self certify" on it. Only 900 organizations provided a link to their privacy policies
A privacy policy is a statement or legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify ...
, for 421 it was unavailable. Numerous policies were only 1-3 sentences long, containing "virtually no information". Many entries appeared to confuse privacy compliance with security compliance and showed a "lack of understanding about the Safe Harbor program". The companies' listing of their dispute resolution providers was confusing, and problems regarding independence and affordability were noted. Many organisations did not spell out that they would cooperate with or explain to their customers that they could choose the dispute resolution panel established by the EU Data Protection Authorities.
:Galexia recommended the EU to re-negotiate the Safe Harbor arrangement, provide warnings to EU consumers and consider to comprehensively review all list entries. They recommended to the US to investigate the hundreds of organisations making false claims, revising its statements about the number of participants, to abandon the use of the Safe Harbor Certification Mark, to investigate the unauthorised and misleading use of its Departmental logo and automatically suspend an organisation’s membership if they failed to renew their Safe Harbor certification.[Chris Connolly (Galexia]
US Safe Harbor - Fact or Fiction?
''Privacy Laws and Business International'', issue 96, December 2008, published on Galexia.com, retrieved 30 October 2015
Patriot Act's reach
In June 2011, Microsoft U.K.'s managing director Gordon Frazer
Gordon Frazer from the Defence Science and Technology Group, Defence Science and Technology Organisation, Edinburgh, South Australia, Edinburgh, Australia was named Fellow of the Institute of Electrical and Electronics Engineers (IEEE) in 2015 fo ...
said that " cloud data, regardless of where it is in the world, is not protected against the Patriot Act
The USA PATRIOT Act (commonly known as the Patriot Act) was a landmark Act of the United States Congress, signed into law by President George W. Bush. The formal name of the statute is the Uniting and Strengthening America by Providing Appropr ...
."
The Netherlands promptly ruled out U.S. cloud suppliers from Dutch government contracts, and even considered a ban on Microsoft- and Google-provided cloud contracts. A Dutch subsidiary of the U.S. based Computer Sciences Corporation
Computer Sciences Corporation (CSC) was an American multinational corporation that provided information technology (IT) services and professional services. On April 3, 2017, it merged with the Enterprise Services line of business of HP Ente ...
(CSC) runs the electronic health records
An electronic health record (EHR) is the systematized collection of patient and population electronically stored health information in a digital format. These records can be shared across different health care settings. Records are shared throu ...
of the Dutch national health service system and warned, that unless CSC could assure it was not subject to the Patriot Act, it would end the contract.[
One year later in 2012, a legal research paper supported the notion that the Patriot Act allowed U.S. law enforcement to bypass European privacy laws.][Zack Whittaker]
Patriot Act can "obtain" data in Europe, researchers say
CBS News December 4, 2012
Citizen complaint about Facebook data safety
In October 2015, the ECJ responded to a referral from the High Court of Ireland
The High Court ( ga, An Ard-Chúirt) of Ireland is a court which deals at first instance with the most serious and important civil and criminal cases. When sitting as a criminal court it is called the Central Criminal Court and sits with judg ...
in relation to a complaint from Austria
Austria, , bar, Östareich officially the Republic of Austria, is a country in the southern part of Central Europe, lying in the Eastern Alps. It is a federation of nine states, one of which is the capital, Vienna, the most populous ...
n citizen Maximillian Schrems regarding Facebook's processing of his personal data from its Irish subsidiary to servers in the US. Schrems complained that "in the light of the revelations made in 2013 by Edward Snowden
Edward Joseph Snowden (born June 21, 1983) is an American and naturalized Russian former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and su ...
concerning the activities of the United States intelligence services (in particular the National Security Agency
The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
('the NSA')), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities". The ECJ held the Safe Harbour Principles to be invalid, as they did not require ''all'' organizations entitled to work with EU privacy-related data to comply with it, thus providing insufficient guarantees. US federal government agencies could use personal data under US law, but were not required to opt in. The court held that companies opting in were "bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with national security, public interest and law enforcement requirements".[
In accordance with the EU rules for referral to the ECJ for a ']preliminary ruling
A preliminary ruling is a decision of the European Court of Justice (ECJ) on the interpretation of European Union law that is given in response to a request (preliminary reference) from a court or a tribunal of a member state. A preliminary rulin ...
', the Irish Data Protection Commissioner
The Office of the Data Protection Commissioner (Irish: An Coimisinéir Cosanta Sonraí) (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to ...
since then has had to "...examine Mr. Schrems's case 'with all due diligence' and ..decide whether ..the transfer of Facebook's European subscribers' personal data to the United States should be suspended".[ EU regulators said that if the ECJ and United States did not negotiate a new system within three months, businesses might face action from European privacy regulators. On October 29, 2015, a new "Safe Harbour 2.0" agreement appeared close to being finalized. However Commissioner Jourova expects the U.S. to act next. American NGOs were quick to expand on the significance of the decision.
]
Response to EU–US Privacy Shield Agreement
German MEP Jan Philipp Albrecht
Jan Philipp Albrecht (born 20 December 1982) is a German politician of the Alliance '90/The Greens, part of The Greens-European Free Alliance. From 2018 to 2022, he has been serving as Minister for Energy, Agriculture, the Environment, Nature a ...
and campaigner Max Schrems
Maximilian Schrems (born 1987) is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to t ...
have criticized the new ruling, with the latter predicting that the Commission might be taking a "round-trip to Luxembourg" (where the European Court of Justice is located). EU Commissioner for Consumers, Vera Jourova, expressed confidence that a deal would be reached by the end of February. Many Europeans were demanding a mechanism for individual European citizens to lodge complaints over the use of their data, as well as a transparency scheme to assure that European citizens data did not fall into the hands of U.S intelligence agencies. The Article 29 Working Party
The Article 29 Working Party (Art. 29 WP), full name "The Working Party on the Protection of Individuals with regard to the Processing of Personal Data", was an advisory body made up of a representative from the data protection authority of each ...
has taken up this demand, and stated it would hold back another month until March 2016 to decide on consequences of Commissioner Jourova's new proposal. The European Commission’s Director for Fundamental Rights Paul Nemitz stated at a conference in Brussels in January how the Commission would decide on the "adequacy" of data protection. ''The Economist
''The Economist'' is a British weekly newspaper printed in demitab format and published digitally. It focuses on current affairs, international business, politics, technology, and culture. Based in London, the newspaper is owned by The Econo ...
'' newspaper predicts that "once the Commission has issued a beefed-up 'adequacy decision', it will be harder for the ECJ to strike it down." Privacy activist Joe McNamee summed up the situation by noting the Commission has announced agreements prematurely, thus forfeiting its negotiating right. At the same time, the first court challenges in Germany have commenced: the Hamburg
(male), (female) en, Hamburger(s),
Hamburgian(s)
, timezone1 = Central (CET)
, utc_offset1 = +1
, timezone1_DST = Central (CEST)
, utc_offset1_DST = +2
, postal ...
data protection authority was during February 2016 preparing to fine three companies for relying on Safe Harbour as the legal basis for their transatlantic data transfers and two other companies were under investigation. From the other side a reaction looked imminent.
On 25 March 2021 the European Commission and US Secretary of Commerce reported that "intensified negotiations" were taking place. Discussions continued at the U.S.-EU Summit in Brussels in June 2021.[Department of Commerce]
U.S. Secretary of Commerce Gina M. Raimondo Joins President Biden at U.S.-EU Summit and Advances Tech and Trade Issues with European Union and Private Sector Leaders
published 23 June 2021, accessed 28 July 2021
See also
* Binding corporate rules
* Electronic Communications Privacy Act
Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer ( ''et seq.''), added new pro ...
* Fair Information Practice Principles (FIPP's), US
* General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy in the EU and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in partic ...
* IT risk
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Re ...
* Privacy
Privacy (, ) is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.
The domain of privacy partially overlaps with security, which can include the concepts of a ...
* Safe harbor
*Stored Communications Act
The Stored Communications Act (SCA, codified at 18 U.S.C. Chapter 121 §§ 2701–2712) is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party i ...
*Privacy Impact Assessment A Privacy Impact Assessment (PIA) is a process which assists organizations in identifying and managing the privacy risks arising from new projects, initiatives, systems, processes, strategies, policies, business relationships etc. It benefits variou ...
*Trans-Atlantic Data Privacy Framework
Transatlantic, Trans-Atlantic or TransAtlantic may refer to:
Film
* Transatlantic Pictures, a film production company from 1948 to 1950
* Transatlantic Enterprises, an American production company in the late 1970s
* ''Transatlantic'' (1931 film) ...
Further reading
*
References
External links
Safe Harbor Arrangement Official US site
*{{cite web, title=U.S.-EU Safe Harbor Framework Documents , url=http://export.gov/safeharbor/eu/eg_main_018493.asp , publisher=US government , archive-url=http://webarchive.loc.gov/all/20150405033356/http://export.gov/safeharbor/eu/eg_main_018493.asp , archive-date=April 5, 2015 , url-status=dead
U.S.-EU Safe Harbor list
US Federal Trade Commission, n.d., retrieved 30 October 2015
An open data project listing Safe Harbor companies
collected from the FTC site, even obsoletes, which are overwritten on the FTC site, allowing to track how submissions evolve over time.
Information privacy
Privacy law
United States–European Union relations