The EU Data Protection Directive 95/46/EC (the “Directive”) states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Because the laws of the United States are not considered by the European Union to provide an adequate level of protection, companies that collect or process data from the EU in the United States must decide whether they will adopt a safe-harbor certification, EU model contract, or binding corporate rules “strategy” for coming into compliance.

Although the US-EU Safe Harbor certification process (the “Safe Harbor”) has been available since 2000, initially few companies availed themselves of the process. Indeed more than two years after the framework had been in place less than 150 companies had entered the Safe Harbor. Recently, however, the Safe Harbor process has gained in popularity and now more than 4000 companies have Safe Harbor status.

Companies completing the Safe Harbor process must make several decisions. For example, they must decide whether to have an independent third party verify their compliance with the Safe Harbor framework, whether to retain an arbitration group to adjudicate complaints about their privacy practices, and what data they wish to include within their certification. The following provides background and benchmarking concerning the types of companies that utilize the safe harbor and how they have approached certification:

Click here to view image.

The following are the most popular mechanisms chosen by companies to adjudicate privacy disputes:

Click here to view image.

Things an organization should consider when entering the Safe Harbor:

  • Do you want to self-assess compliance with the privacy principles, or retain a P third party to independently assess your compliance?
  • Is there increased risk of liability if you self-assess compliance? If so, to what degree?
  • How will you comply with the Safe Harbor’s requirement that you retain an independent third party to adjudicate disputes with data subjects?
  • Are there benefits to obtaining a private arbitration association to adjudicate disputes?
  • If you decide to obtain a private arbitration association, which association should you select?
  • Should you include human resource data within the scope of your certification?
  • What are the top legal risks involved in self-certification?
  • Do you have a process in place to monitor complaints that are submitted directly to the Federal Trade Commission about your privacy practices?