Scott & Scott | Software Compliance Counsel

International Privacy Regulations and Safe Harbor Provisions

To encourage the free movement of personal data without diminishing protection of that data, fifteen member states of the European Union were required to enact national legislation that complied with Directive 95/46/EC (the “Data Protection Directive”). Data collectors must observe the following principles when collecting or processing data:


  • Data must be processed fairly and lawfully.
  • Data must be collected for explicit and legitimate purposes and used accordingly.
  • Data must be relevant and not excessive in relation to the purpose for which it is processed.
  • Data must be accurate and, where necessary, kept up to date.
  • Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them.
  • Data that identifies individuals must not be kept longer than necessary.
  • In principle, all data controllers must notify supervisory authorities when they process data. Member States may provide for simplification or exemption from notification for specific types of processing which do not entail particular risks. Exception and simplification can also be granted when, in conformity with national law, an independent officer in charge of data protection has been appointed by the controller.


Because the United States’ regulations for privacy are not as stringent as those in the European Union, businesses in the United States that want to collect or process data belonging to an individual in one of the fifteen member states must qualify for safe harbor registration. To qualify for the safe harbor, an organization can (1) join a self-regulatory privacy program that adheres to the safe harbor's requirements; or (2) develop its own self-regulatory privacy policy that conforms to the safe harbor. The safe harbor provisions include:

  • Notice

  • Choice

  • Onward Transfer (Transfers to Third Parties)

  • Access

  • Security

  • Data integrity

  • Enforcement


If an organization is willing to certify that it meets the qualifications of the safe harbor, it can collect and process data from European citizens. Companies that are interested in joining the safe harbor can review the checklist located at http://www.export.gov/safeharbor/Sh_Checklist.asp for more information. The Department of Commerce maintains a list of all organizations that file self-certification letters and makes both the list and the self-certification letters publicly available.

Comments (1)

Damon Greer:

Julie, my name is Damon Greer and I am the Director of the Safe Harbor Program for the U.S. Department of Commerce. I just wanted to note that there are now 27 EU member states that subscribe to Safe Harbor plus 3 EEA countries: Norway, Iceland, and Liechtenstein for a total of 30 countries.

Regards,

Damon Greer


About

This page contains a single entry from the blog posted on July 31, 2007 10:15 AM.
