Safe Harbor: A framework for US – EU data privacy

Raymond K. Cunningham, Jr.
CRM, CA, CDIA+, CIPP/IT
What is Safe Harbor?

• Safe Harbor is a framework providing a bridge
  between the approaches taken by the United
  States and the European Union toward the
  protection of privacy
• Safe Harbor is for corporations and other
  organizations doing business in or with EU
  companies and subsidiaries
• Safe Harbor is voluntary
• Organizations self-certify to the principles of Safe
  Harbor
Safe Harbor

• Because of the implementation of the EU
  Directive on Data Protection in 1998 the transfer
  of personal data to non-EU states was to be
  halted
• In order to bridge the gap the US Department of
  Commerce and the EU Commission developed
  the Safe Harbor program
Why Safe Harbor?

• Privacy in the United States differs
  significantly from privacy in Europe
• European privacy is a basic human right:
  "Everyone has the right to respect for his
  private and family life, his home and his
  correspondence."
  - European Convention for the Protection
    of Human Rights and Fundamental Freedoms
Privacy in Europe
• Privacy is derived from the
  European Convention on Human
  Rights (1950) Article 8
• Directive on Data Protection
  Directive 95/46/EC was the result
  of 15 years of work to provide an
  EU framework on data protection
Data Protection Directive 95/46/EC

• The directive takes a comprehensive approach to
  privacy: the objectives are to protect individuals
  with respect to processing personal information
  and to ensure the free movement of personal
  information
• Personal data is defined as relating to an
  identifiable person.
• The directive is broad. Storage and retrieval are
  covered in the directive but transmission is not.
Data Protection Directive 95/46/EC

• Article 25 of the EU Directive prohibits any EU
  country from transferring personal data via the
  Internet to, or receiving data from, countries
  deemed to lack "adequate" Internet privacy
  protection.
• The United States is one such country with no
  national laws regarding Internet data privacy
Privacy in the United States

• Privacy has been defined in court
  decisions (Roe v. Wade)
• Privacy is protected through legislation
  in various areas:
  – HIPAA, COPPA, GLBA
• Privacy and security are also protected
  by self-regulatory initiatives - PCI-DSS
Benefits to Safe Harbor

• All member EU states are bound by the EU
  Commission’s finding of adequacy of SH
• Companies participating will be allowed data
  flows
• Prior approval of member states will be waived
  or automatically granted
• Claims brought by EU citizens will be heard in the
  US (some exceptions may apply)
A Word about Switzerland

• In 2008 the Swiss Federal Act on Data
  Protection (FADP) was modified and a Safe
  Harbor Program instituted
• The Swiss data protection application is
  identical to the EU Safe Harbor form, and the
  process is also similar, but it is separate
Safe Harbor Principles

•   Notice
•   Choice
•   Onward Transfer
•   Security
•   Data Integrity
•   Access
•   Enforcement
Safe Harbor Principles: Notice

• Organizations must provide a clear and
  conspicuous notice
• The information’s purpose and how it will
  be used must be stated
• A contact for questions or complaints must be
  provided
• Individuals must be told the types of third
  parties to which data is to be disclosed
Safe Harbor Principles: Choice
• The organization must give the opportunity for
  individuals to opt-out when:
  – Their information is transferred to a third party
  – Their information is used for a purpose for which it
    was not originally collected
• Mechanisms must be in place to exercise choice
Safe Harbor Principles: Choice

• People must be given affirmative or explicit
  opt-in choice if the following information is
  to be divulged to a third party:
  – PII or PHI
  – Racial or ethnic information, political
    opinions, religious or philosophical beliefs,
    trade union membership, sexual orientation
Choice – Explicit Opt-in
• Explicit opt-in gives the recipient a clear
  understanding of the process of opting-in or
  opting-out
• Opt-in – to request a service, single click
• Confirmed Opt-in – Confirmation email sent
  allowing them to unsubscribe
• Double Opt-in – Confirmation email sent and
  they must reconfirm
Safe Harbor Principles: Onward Transfer

• To disclose to a third party, an organization must
  apply the Notice and Choice principles.
• The organization MUST ascertain that the
  receiving party subscribes to the principles.
Safe Harbor Principles: Security
• Organizations must take reasonable
  precautions to protect information
  from loss, misuse, unauthorized
  access, disclosure, alteration and
  destruction
• Similar to PCI-DSS and GLBA
• ISO/IEC 27002 (formerly ISO/IEC 17799) is
  a best practice
Safe Harbor Principles: Data Integrity
• Personal information must be relevant for the
  purposes for which it is used
• An organization must not process information in
  a way that is incompatible with the purpose for
  which it has been collected or authorized by the
  individual
• Organizations should take reasonable steps to
  ensure that the data is reliable for its intended
  use, accurate, complete, and current
Safe Harbor Principles: Access

Individuals must have access to
personal information about them that
an organization holds and be able to
correct, amend, or delete that
information where it is inaccurate
Safe Harbor Principles: Access

EXCEPT where the burden or expense of
providing access would be disproportionate to
the risks to the individual’s privacy in the case in
question, or where the rights of persons other
than the individual would be violated.
Safe Harbor: Enforcement
• Enforcement mechanisms must include:
  – Readily available and affordable independent
    recourse mechanisms by which disputes are
    investigated and resolved and damages awarded
  – Follow-up procedures for verifying that the
    attestations the organization makes about its
    privacy practices are true and that the policies
    are implemented as presented
  – Obligations to remedy problems arising out of failure
    to comply with the principles
  – Sanctions sufficiently rigorous to ensure
    compliance
Safe Harbor
• Self-assessment (in-house)
  – Maintain documentation
  – Have documentation available
  – Employee training
  – Conduct regular audits
• Outsource compliance review
  – Random reviews for compliance
  – Statements of compliance verification
  – All documents should be available upon request
Certification of Compliance
Safe Harbor: Enforcement
• The FTC is committed to reviewing referrals from
  privacy self-regulatory organizations such as
  BBBOnline and TRUSTe.
• The FTC maintains a list of Safe Harbor
  companies on the web
• Member states alleging non-compliance can use
  the FTC’s Section 5 prohibiting unfair or
  deceptive acts
• The FTC may obtain civil penalties
Enforcement
• Fact: From November 2000 to 2009 NO
  actions were taken
• In November 2009 six companies were
  sanctioned and an injunction ordered
  against another
• Balls of Kryptonite, LLC was misleading
  customers by stating it was self-certified
Important!

• Whatever you put into a Privacy
  Statement you must conform to the
  statement.
• Designate a point of contact to handle
  questions
• Keep your certification current!
Records Managers
• Records Managers are front-line players in
  privacy/security
• Records retention is directly tied to privacy
• Records access is directly tied to security
• Records managers in your organization should
  have some oversight role
• In 2006 the DPA condemned the retention of
  telecom data on security grounds in response
  to the London and Madrid bombings
FAQ – Some Questions
• How do organizations provide for verifications
  that the attestations and assertions they make
  are being followed in accordance with the Safe
  Harbor Principles?
• Documenting the Self-assessment or having an
  outside firm audit the principles.
FAQ – Some Questions
• How does the Access Principle apply to
  Human Resources records?
• Safe Harbor requires that an organization
  processing such data in the US will
  cooperate in providing access either
  directly or through the EU employer.
FAQ – Some Questions
• What about data transferred to the US for data
  processing only?
• Data controllers in the EU are always required to
  enter into a contract. Data protection is always a
  key element to outsourced data storage or
  processing.
• Principles would not necessarily apply depending
  on the work to be done.
Pharma and Medical Products
• Do member states laws apply to personal
  medical data collected in the EU transferred to
  the USA?
  – Safe Harbor principles apply after the transfer to the
    US. Anonymize data where appropriate
• What happens to an individual’s data if a
  participant decides to withdraw from a clinical
  trial?
  – Data collected prior to the withdrawal may be
    processed if this was made clear to the participant in
    the notice.
How much will it cost?

• The fee is $200 for first-time certification
• Recertification is $100
• Payments are made to the Department of
  Commerce
• This is exclusive of fees to third parties for
  compliance
What is the Future?
•   The EU Directive is being rewritten (Dec. 2011)
•   The right to be forgotten
•   Data protection officers
•   Certification and seal programs
•   Breach Notifications
•   Data protection impact statements
•   Consent
•   New European Data Protection Board
What is the Future?

• The Right to be Forgotten
  – Adults should not be made to live in perpetuity with
    data they posted during a less mature point in their
    lives
• Breach Notification
  – Data controllers will be required to notify supervisory
    authority without undue delay – within 24 hours
Resources


• http://safeharbor.export.gov/list.aspx
• International Association of Privacy Professionals
  (IAPP) Sign up for free daily newsletter
• Federal Trade Commission (FTC)
• AICPA
Contact Ray Cunningham
cunningham@uif.uillinois.edu
217 244-0658
