The Safe Harbor Framework, established in response to the EU's data protection directive, outlines a set of principles for U.S. organizations to adhere to in order to facilitate transatlantic data flows while ensuring adequate privacy protections. This framework is voluntary, consisting of seven privacy principles that require organizations to provide notice, choice, and security for personal data. Organizations can join the Safe Harbor by self-certifying their compliance through the Department of Commerce's website or by letter.

1. The Safe Harbor Framework Information Technology Association of America (ITAA) Webcast February 16, 2001 Presented by: Patricia M. Sefcik and Jeff Rohlmeier, U.S. Department of Commerce

2. Introduction: The European Union Directive on Data Protection The U.S. and the EU have different approaches to data privacy protection U.S. system based on: - Self-Regulation - Sector specific legislation in highly sensitive areas such as financial, medical, children’s and genetic information European system is based on comprehensive legislation

3. Introduction (continued) October 1998, EU’s sweeping privacy directive went into effect EU directive prohibits the transfer of personal data to non-EU countries that do not provide “adequate” privacy protection EU directive covers all industry sectors and virtually all personal data European authorities could legally stop data flows at any time

4. Introduction (continued) Implications of EU directive: - In 1999, the U.S. had approximately $350 billion in trade with the EU - Over $120 billion in two-way trade with EU is dependent upon access to personal information U.S. and EU are committed to bridging different approaches to privacy while maintaining data flows and high level of privacy protection

5. Introduction (continued) Safe Harbor Framework: Based on 7 principles that closely reflect the U.S. approach to privacy July 2000: Safe Harbor principles are deemed adequate by European Commission November 1, 2000: - Safe Harbor becomes effective - DOC launches safe harbor website at http://www.export.gov/safeharbor

6. Part I: Overview of the Safe Harbor Framework Safe Harbor Framework includes: - 7 privacy principles (see Part II of presentation) - 15 FAQ’s - European Commission’s adequacy determination - Letters between Dept. of Commerce and European Commission - Letters from Dept. of Transportation and Federal Trade Commission

7. Overview of Safe Harbor Framework (continued) Understanding safe harbor requires familiarity with all safe harbor documents (http://www.export.gov/safeharbor) Decisions by U.S. organizations to enter the safe harbor are entirely voluntary A “stand-still” agreement between U.S. and EU remains in effect mid-2001: Review of safe harbor will take place; stand-still will be reassessed

8. Overview of Safe Harbor Framework (continued) Benefits of Implementing the Safe Harbor Framework: - Predictability and Continuity (all 15 Member States bound by adequacy determination) - Eliminates need for prior approval to begin data transfers - Flexible privacy regime more congenial to U.S. approach - Simpler/more efficient means of compliance

9. Overview of Safe Harbor Framework (continued) What organizations may join safe harbor?: - U.S. organizations subject to jurisdiction of the FTC or the Dept. of Transportation - Financial services, telecommunications (common carriers) and not-for-profits are currently ineligible - Treasury Department, in consultation with DOC, leading negotiations concerning financial services

10. Overview of Safe Harbor Framework (continued): What organizations should join Safe Harbor?: - Organizations that receive personally identifiable information from EU member states must demonstrate “adequate” privacy protections - Organizations that have not identified another basis for demonstrating “adequacy” should consider joining safe harbor

11. Overview of Safe Harbor Framework (continued) Joining safe harbor is not the only means of compliance with the EU “adequacy” requirement. Other methods of compliance include: - direct compliance with EU directive - consent - entering into a model contract (not yet available)

12. Overview of Safe Harbor Framework (continued) How Do Organizations Join Safe Harbor?: - Organizations must comply with the framework’s requirements and publicly declare that they do so - To be assured of safe harbor benefits, an organization needs to self-certify annually to the DOC - Organizations may self-certify either by letter or by registering on the safe harbor website at http://www.export.gov/safeharbor (see Part III of presentation)

13. Overview of Safe Harbor Framework (continued) How and Where will Safe Harbor be Enforced?: - In general, enforcement will take place in U.S, in accordance with U.S. law, and will rely, to a great extent, on private sector enforcement. - Private sector enforcement has three components: Verification, Dispute Resolution, and Remedies (see Part II of presentation)

14. Overview of Safe Harbor Framework (continued) Failure to Comply with Safe Harbor Requirements: - If an organization persistently fails to comply with safe harbor requirements, it is no longer entitled to safe harbor benefits - Independent recourse mechanisms are required to notify DOC of such facts. Safe Harbor list will indicate failure to comply. - Failure to comply may also result in an enforcement action by the FTC or DoT

15. Part II: The Safe Harbor Principles An organization entering the safe harbor must adhere to 7 privacy principles: - Notice - Choice - Onward Transfer - Security - Data integrity - Access - Enforcement

16. The Safe Harbor Principles (continued) Notice : - Inform individuals about the purpose for which the information is being collected - Inform individuals about how to contact the organizations with inquiries or complaints - Provide information on the types of third parties to which information is being disclosed, and the choices and means offered for limiting its use and disclosure

17. The Safe Harbor Principles (continued) Choice: - An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party, or (b) to be used for a purpose that is incompatible with the purposes for which it was originally collected or subsequently authorized by the individual. - Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.

18. The Safe Harbor Principles (continued) Sensitive Information : - For sensitive information (i.e. medical/ health conditions; racial/ethnic origin; political opinions; religious/ philosophical beliefs; trade union membership; sex life), individuals must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.

19. The Safe Harbor Principles (continued) Onward Transfer: - To disclose information to a third party, organizations must apply the notice and choice principles. - Notice and Choice are not required for data transfers to an agent (someone who acts on behalf of the transferor) if it is first determined by the organization that the agent complies with the safe harbor principles, or is subject to the directive or another adequacy finding, or enters into a written agreement with the organization .

20. The Safe Harbor Principles (continued) Security : - Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction - Organizations must take more care to protect sensitive information, as it is defined in the principles.

21. The Safe Harbor Principles (continued) Data Integrity : - Personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. - To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

22. The Safe Harbor Principles (continued) Access: - Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

23. The Safe Harbor Principles (continued): Enforcement : - Organizations must have the following enforcement mechanisms in place: (1) readily available and affordable independent recourse mechanisms to investigate and resolve complaints brought by individuals (2) Follow-up procedures for verifying that safe harbor policies and mechanisms have been implemented (3) Obligations to remedy problems arising out of a failure by the organization to comply with the principles

24. The Safe Harbor Principles (continued) Verification : - An organization may use a self-assessment or an outside/third-party assessment program. - Under self-assessment, a statement verifying the self-assessment should be signed by a corporate officer or other authorized representative at least once a year. - Under outside assessment, a verification statement should be signed either by the reviewer or by the corporate officer/authorized representative at least once a year.

25. The Safe Harbor Principles (continued) Dispute Resolution : - Organizations may choose to have disputes resolved by third-party dispute resolution programs, such as (TRUSTe, BBBOnLine, DMA. AICPA WebTrust, JAMS/Endispute, Entertainment Software Rating Board, etc.), or they may choose to cooperate with the European Data Protection Authorities (DPA’s). - In the case of human resources data, the organization must agree to cooperate with the DPA’s.

26. The Safe Harbor Principles (continued) For more guidance on the safe harbor principles, consult http://www.export.gov/safeharbor: - Safe Harbor FAQ’s - Safe Harbor Workbook

27. Part III: The Safe Harbor Website and Self-Certification Procedure Organizations that decide to join the safe harbor may do so by: - Self-certifying via the Department of Commerce’s safe harbor website at http://www.export.gov/safeharbor; or by - Sending the Department of Commerce a letter Once received, the information submitted will be reviewed for completeness.

28. Website and Self-Certification Procedure (continued) Review for completeness should take approximately 48 hours. Process make take longer depending on need for clarification. Always be sure to make certain that all fields on certification form have been completed. Keep copies for self-certification materials for your records.

29. Website and Self-Certification Procedure (continued) Additional resources available on the safe harbor website: - Safe Harbor List (updated regularly) - Safe Harbor Workbook - Safe Harbor Documents (including Principles, FAQ’s, correspondence) - Historical Documents (including public comment) - Compliance Checklist

30. Conclusion Safe Harbor Framework is a streamlined, efficient means of complying with EU Directive on Data Protection Safe Harbor is entirely voluntary Organizations may sign up via the Department of Commerce’s safe harbor website (http://www.export.gov/safeharbor, or by sending the Department a letter

31. Contact Information Questions, comments may be directed to: Jeff Rohlmeier U.S. Department of Commerce International Trade Administration Office of Electronic Commerce HCHB 2003 14th & Constitution Avenues, NW Washington, DC 2003 PH: (202)482-0343 E-Mail: jeff_rohlmeier@ita.doc.gov