Safe Harbor: A framework for US – EU data privacy Raymond K. Cunningham, Jr. CRM, CA, CDIA+, CIPP/IT
What is Safe Harbor?• Safe Harbor is a framework providing a bridge between the approaches taken by the United States and the European Union toward the protection of privacy• Safe Harbor is for corporations and other organizations doing business in or with EU companies and subsidiaries• Safe Harbor is voluntary• Organizations self-certify to the principles of Safe Harbor
Safe Harbor• Because of the implementation of the EU Directive on Data Protection in 1998 the transfer of personal data to non-EU states was to be halted• In order to bridge the gap the US Department of Commerce and the EU Commission developed the Safe Harbor program
Why Safe Harbor?• Privacy in the United States differs significantly from Privacy in Europe• European Privacy is a basic human right Everyone has the right to respect for his private and family life, his home and his correspondence. - European convention for the Protection of Human Rights and Fundamental freedoms
Privacy in Europe• Privacy is derived from the European Convention on Human Rights (1950) Article 8• Directive on Data Protection Directive 95/46/EC was the result of 15 years of work to provide an EU framework on data protection
Data Protection Directive 95/46/EC• The directive takes a comprehensive approach to privacy: the objectives are to protect individuals with respect to processing personal information and to ensure the free movement of personal information• Personal data is defined as relating to an identifiable person.• The directive is broad. Storage and retrieval are covered in the directive but transmission is not.
Data Protection Directive 95/46/EC• Article 25 of the EU Directive prohibits any EU country from transferring personal data via the Internet to, or receiving data from, countries deemed to lack "adequate" Internet privacy protection.• The United States is one such country with no national laws regarding Internet data privacy
Privacy in the United States• Privacy has been defined in court decisions Roe v. Wade• Privacy is protected through legislation in various areas: –HIPAA, COPPA, GLBA Privacy and security is also protected by self-regulatory initiatives - PCI-DSS
Benefits to Safe Harbor• All member EU states are bound by the EU Commission’s finding of adequacy of SH• Companies participating will be allowed data flows• Prior approval of member states will be waived or automatically granted• Claims brought by EU citizens will be heard in the US (some exceptions may apply)
A Word about Switzerland• In 2008 the Swiss Federal Act on Data Protection (FADP) was modified and a Safe Harbor Program instituted• The Swiss data protection application is identical to EU Safe harbor form and the process is also similar but it is separate
Safe Harbor Principles: Notice• Organizations must provide a clear and conspicuous notice• The information’s purpose and how it will be used must be stated• A contact for questions or complaints• Individuals must be told the types of third parties data is to be disclosed
Safe Harbor Principles: Choice• The organization must give the opportunity for individuals to opt-out when: – Their information is transferred to a third party – Their information is used for a purpose for which it was not originally collected• Mechanisms must be in place to exercise choice
Safe Harbor Principles: Choice• People must be given affirmative or explicit opt-in choice if the following information is to be divulged to a third party –PII or PHI –For racial, ethnic, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation
Choice – Explicit Opt-in• Explicit opt-in gives the recipient a clear understanding of the process of opting-in or opting-out• Opt-in – to request a service, single click• Confirmed Opt-in – Confirmation email sent allowing them to unsubscribe• Double Opt-in – Confirmation email sent and they must reconfirm
Safe Harbor Principles: Onward Transfer• To disclose to a third party must apply the Notice and Choice principles.• The organization MUST ascertain that the receiving party subscribes to the principles.
Safe Harbor Principles: Security• Organizations must take reasonable precautions to protect information from loss, misuse, unauthorized access, disclosure, alteration and destruction• Similar to PCI-DSS and GLBA• ISO/IEC 27002 is a best practice formerly 17799
Safe Harbor Principles: Data Integrity• Personal information must be relevant for the purposes for which it is used• An organization must not process information in a way that is incompatible with the purpose for which it has been collected or authorized by the individual• Organizations should take reasonable steps to ensure that the data is reliable for its intended use, accurate, complete, and current
Safe Harbor Principles: AccessIndividuals must have access topersonal information about them thatan organization holds and be able tocorrect, amend, or delete thatinformation where it is inaccurate
Safe Harbor Principles: AccessEXCEPT where the burden or expense ofproviding access would be disproportionate tothe risks to the individual’s privacy in the case inquestion, or where the rights of persons otherthan the individual would be violated.
Safe Harbor: Enforcement• Enforcement mechanisms must include: – Readily available and affordable independent recourse mechanisms by which disputes are investigated and resolved and damages awarded – Follow up procedures for verifying that the organization makes about their privacy practices are true, the policies implemented as presented – Obligations to remedy problems arising out of failure to comply with the principles – Sanctions must be sufficiently rigorous to ensure compliance
Safe Harbor• Self-assessment (in-house) – Maintain documentation – Have documentation available – Employee training – Conduct regular audits• Outsource compliance review – Random reviews for compliance – Statements of compliance verification – All documents should be available upon request
Safe Harbor: Enforcement• The FTC is committed to reviewing referrals from privacy self-regulatory organizations such as BBBOnline and Truste.• The FTC maintains a list of Safe Harbor companies on the web• Member states alleging non-compliance can use the FTC’s Section 5 prohibiting unfair or deceptive acts• The FTC may obtain civil penalties
Enforcement• Fact: From November 2000 to 2009 NO actions were taken• In November 2009 six companies were sanctioned and an injunction ordered against another• Balls of Kryptonite, LLC was misleading customers stating self-certification
Important!• Whatever you put into a Privacy Statement you must conform to the statement.• Designate a point of contact to handle questions• Keep your certification current!
Records Managers• Records Managers are front-line players in privacy/security• Records retention is directly tied to privacy• Records access is directly tied to security• Records managers in your organization should have some oversight role• In 2006 the DPA condemned the retention of telecomm data on security grounds in response to the London and Madrid bombings
FAQ – Some Questions• How do organizations provide for verifications that the attestations and assertions they make are being followed in accordance with the Safe Harbor Principles?• Documenting the Self-assessment or having an outside firm audit the principles.
FAQ – Some Questions• How does the Access Principle apply to Human Resources records?• Safe Harbor requires that an organization processing such data in the US will cooperate in providing access either directly or through the EU employer.
FAQ – Some Questions• What about data transferred to the US for data processing only?• Data controllers in the EU are always required to enter into a contract. Data protection is always a key element to outsourced data storage or processing.• Principles would not necessarily apply depending on the work to be done.
Pharma and Medical Products• Do member states laws apply to personal medical data collected in the EU transferred to the USA? – Safe harbor principles apply after the transfer to the US. Anonymize data where appropriate• What happens to an individual’s data if a participant decides to withdraw from a clinical trial? – Data collected previous to the withdraw; may be processed if it was made clear to the participant in the notice.
How much will it cost?• Fees are $200 certifying for the first time• Recertification is $100• Payments are made to the Department of Commerce• This is exclusive of fees to third parties for compliance
What is the Future?• The EU Directive is being rewritten (Dec. 2011)• The right to be forgotten• Data protection officers• Certification and seal programs• Breach Notifications• Data protection impact statements• Consent• New European Data Protection Board
What is the Future?• The Right to be Forgotten – Adults should not be made to live in perpetuity with data they posted during a less mature point in their lives• Breach Notification – Data controllers will be required to notify supervisory authority without undue delay – within 24 hours
Resources• http://safeharbor.export.gov/list.aspx• International Association of Privacy Professionals (IAPP) Sign up for free daily newsletter• Federal Trade Commission (FTC)• AICPA
Contact Ray Cunninghamcunningham@uif.uillinois.edu 217 244-0658