How will the "safe harbor" arrangement for personal data transfers to the US work?
The Department of Commerce holds a list of organisations that have joined the "safe harbor". The list is publicly available at the Department of Commerce's website and is kept regularly up to date.
No. Some other transfers may benefit from exemptions under Article 26(1) of the Directive (e.g. if data subjects have given their unambiguous and informed consent, or if the transfer is made to fulfil a contract involving the data subject). In addition, Article 26(2) allows data to be transferred to destinations where adequate protection is not generally guaranteed where the exporter can show that adequate safeguards are in place, for example in the form of a contract with the importer.
The contract between the exporter and the importer of data can either be tailored to the specific transfer, in which case it will have to be approved beforehand by national data protection authorities, or it can rely on standard contractual clauses adopted by the Commission to this effect and available at http://www.eu.int/comm/privacy. Generally speaking these clauses do not need prior approval from national data protection commissioners. In cases where prior authorisation is still required by a Member State it will be granted automatically.
By self-certification. Companies are obliged to declare that they conform to the "safe harbor" principles when they sign up, but this declaration is not necessarily subject to any independent verification. After they self-certify, companies are subject to the oversight and possible enforcement actions of the Federal Trade Commission or the US Department of Transportation for unfair and deceptive practices. Organisations are also required to identify an independent dispute resolution body, so that by consulting the list, anybody who has a problem knows where to go to make a complaint.
How will we be sure that data transferred to US companies within the "safe harbor" will not be passed to others outside the "safe harbor" where data is not protected?
One of the rules of the "safe harbor" is that transfers of data to a third party can only be made if the individual has first been given the opportunity to opt-out. The only exception to this rule is when the disclosure is made to a third party acting as an agent under instructions from the "harborite". In this case the disclosure can be made either to other "harborites" or to companies which have undertaken contractual obligations to observe similar standards.
Signing up is indeed voluntary: companies will only join if they want to. But the rules are binding for those who sign up.
Companies in the "safe harbor" may have their compliance checked annually by an independent body, but this is not obligatory, in order not to discourage small and medium-sized enterprises from signing up. Companies not opting for independent verification must conduct effective self-verification. Beyond that, enforcement will largely be complaint driven, initially through alternative dispute resolution mechanisms. These bodies will investigate and try to resolve complaints in the first place. If "harborites" fail to comply with their rulings, these cases will be notified to the Federal Trade Commission or the Department of Transportation, depending on the sector, which have legal powers and can impose effective sanctions to oblige them to comply. Serious cases of non-compliance will result in companies being struck off the Department of Commerce's list. This means that they will no longer receive data transfers from the EU under the "safe harbor" arrangement.
The FTC Act makes it illegal in the US to make misrepresentations to consumers or to commit deceptive acts that are likely to mislead reasonable consumers in a material way. Announcing a particular set of privacy policies and practices and then not abiding by them is likely to amount to misrepresentation or deception. The FTC has strong enforcement powers, including the capacity to impose heavy fines. Moreover, getting on the wrong side of the FTC brings bad publicity and often triggers a stream of private legal actions. The FTC thus backs up the private sector programmes. It is not there to take up large numbers of individual cases, but it has undertaken to give priority to referrals of non-compliance with self-regulatory guidelines received from privacy programmes or from the EU's data protection authorities. The FTC's powers can be used in the same way to ensure that the private sector bodies involved in dispute resolution abide by their undertakings.
The FTC covers commerce in general, but some sectors are excluded from its jurisdiction (financial services, transport, telecommunications etc). These sectors could in future also be covered by the "safe harbor" to the extent that other public bodies with similar powers to the FTC undertake to pursue companies in sectors under their jurisdiction for non-compliance with the Principles. For the time being, only the US Department of Transportation has chosen to come forward with the necessary information to allow the Commission to recognise it as a government enforcement body in addition to the FTC. This allows airlines to join the "safe harbor". The Commission expects to be able to recognise other US government enforcement bodies in due course.
As regards financial services (banking, insurance etc), the talks between the Commission and the Department of Commerce on the "safe harbor" coincided with important legislative developments in the US establishing new rules, inter alia for data protection, notably for banks (the Gramm-Leach-Bliley Act). It was agreed to suspend talks on data transfers from the EU in these sectors and to resume them after the implementation of the new Act, with a view to extending the benefits of the "safe harbor" to financial services. The Commission's services remain ready to engage in discussions with the US authorities concerning arrangements for those sectors currently excluded from the scope of the "safe harbor", in particular financial services.
Individuals have several options. If they know which US organisation is holding their data and they detect a problem, they can address themselves directly to that organisation, which, on joining the "safe harbor", is obliged to identify a point of contact. The organisation is also obliged to identify clearly the dispute resolution body to which individuals can turn. But individuals can always, and in all likelihood often will, turn to their national or regional data protection Commissioner, or perhaps to the company that exported the data. The latter will be able to help put individuals in touch with the complaint handling department of the US company itself, or with the independent dispute resolution body, by consulting the "safe harbor" list.
EU authorities retain powers to intervene in certain cases. For example, if a private sector dispute resolution body found that a company had made serious violations of the principles, but the company contested the finding and the case was referred to the FTC, the EU authorities could suspend data transfers to that company until the matter was resolved. Similarly, if evidence of non-compliance accumulates, the relevant US enforcement body is not doing its job properly, and letting transfers continue risks causing grave harm to data subjects, EU authorities can once again suspend transfers. The Commission could subsequently change the "safe harbor" decision to exclude an ineffective US enforcement body.
What would happen if the "safe harbor" principles were widely flouted by "harborites" and the redress mechanisms proved ineffective?
If the US authorities failed to take the action necessary to correct the situation, the Commission could reverse its decision to grant the "safe harbor" arrangement "adequate protection" status.