Documento del U.S. Deparment of Commerce
sull'accordo con la UE "Safe Harbor" per la protezione dei dati personali

How will the "safe harbor" arrangement for personal data transfers to the US work?

How will data controllers in Europe know which companies in the US can receive data?

The Department of Commerce will hold (or designate somebody to hold) a list of organisations that have joined the "safe harbor". The list will also make clear if any "harborites" lose their safe harbor" status, for example because they have not complied with the rules. The list will be publicly available, including on-line. It will be kept regularly up to date and will therefore be a reliable source of information.

Will "harborites" be the only US companies that can receive personal data from the EU?

No. Some transfers may benefit from exemptions under Article 26(1) of the Directive (e.g. if data subjects have given their consent, or if the transfer is made to fulfil a contract involving the data subject). Article 26(2) allows data to be transferred to destinations where adequate protection is not generally guaranteed where the exporter can show that adequate safeguards are in place, for example in the form of a contract with the importer. These transfers have to be authorised, however, by Member States' data protection commissioners. If model contracts are approved by the Commission, this may (it varies from Member State to Member State) allow the authorisation requirement to be waived.

How will US companies get on to the "safe harbor" list?

By self-certification. Companies are not obliged to show that they conform to the "safe harbor" principles before they sign up , though some privacy programmes do involve independent verification of conformity before companies can sign up. But, when they self-certify, companies will have to identify their enforcement bodies, so by consulting the list, anybody who has a problem knows where to go to make a complaint.

How will we be sure that data transferred to US companies within the "safe harbor" will not be passed to others outside the "safe harbor" where data is not protected?

One of the rules of the "safe harbor" is that transfers of data to a third party can only be made if the individual has first been given the opportunity to opt-out. The only exception to this rule is when the disclosure is made to a third party acting as an agent under instructions from the "harborite". In this case the disclosure can be made either to other "harborites" or to companies which have undertaken contractual obligations to observe similar standards.

But isn't the safe harbor a voluntary system?

Signing up is indeed voluntary: companies will only join if they want to. But the rules are binding for those who sign up.

Who will make sure that the rules are in fact observed?

Many companies in the "safe harbor" will have their compliance checked annually by an independent body, but this is not obligatory, in order not to discourage small and medium-sized enterprises from signing up. For them, there are rules about how to conduct effective self-verification. Beyond that, enforcement will largely be through alternative dispute resolution mechanisms. Independent private sector bodies will investigate and try to resolve complaints in the first place. If "harborites" fail to comply with the rulings of these bodies, these cases will be notified to the Federal Trade Commission or the Department of Transportation, depending on the sector, which have legal powers to oblige them to comply. Serious cases of non-compliance will result in companies being struck off the Department of Commerce's list. This means that they will no longer receive data transfers from the EU under the "safe harbor" arrangement.

What role will the Federal Trade Commission play?

The FTC Act makes it illegal in the US to make misrepresentations to consumers or to commit deceptive acts that are likely to mislead reasonable consumers in a material way.Announcing a particular set of privacy policies and practices and then not abiding by them is likely to amount to misrepresentation or deception. The FTC has strong enforcement powers, including the capacity to impose heavy fines and to require the payment of compensation to individuals. Moreover, getting on the wrong side of the FTC brings bad publicity and often triggers a stream of private legal actions. The FTC thus backs up the private sector programmes. It is not there to take up large numbers of individual cases, but it has undertaken to give priority to referrals of non-compliance with self-regulatory guidelines received from privacy programmes or from the EU's data protection authorities. The FTC's powers can be used in the same way to ensure that the private sector bodies involved in dispute resolution abide by their undertakings.

What about the sectors that are excluded from the FTC's jurisdiction?

The FTC covers commerce in general, but some sectors are excluded from its jurisdiction (financial services, transport, telecommunications etc). These sectors can also be covered by the "safe harbor" to the extent that other public bodies with similar powers to the FTC undertake to pursue companies in sectors under their jurisdiction for non-compliance with the Principles. For the time being, only the US Department of Transportation has chosen to come forward with the necessary information to allow the Commission to recognise it as a government enforcement body in addition to the FTC. This will allow airlines to join the "safe harbor". The Commission expects to be able to recognise other US government enforcement bodies in due course.

As regards financial services (banking, insurance etc) the talks between the Commission and the Department of Commerce on the "safe harbor" coincided with important legislative developments in the US establishing new rules for data protection, notably for banks (the Gramm/Leach/Bailey Act). It was agreed to suspend talks on data transfers from the EU in these sectors and to resume them after the implementation of the new Act with a view to extending the benefits of the "safe harbor" to financial services.

How can individuals hope to understand this complex system?

The Commission and the relevant Member State authorities will provide information for the public about these arrangements. But in practice, if an individual has a problem, he will in all likelihood turn to his national or regional data protection Commissioner, or perhaps the company that has exported the data. The latter will be able to help put the individual in touch with the complaint handling department of the US company itself, or with the independent dispute resolution body, by consulting the "safe harbor" list. When companies join the "safe harbor" they have to provide all this information.

Will EU authorities have to let data go to US "harborites" even if difficulties arise?

EU authorities retain powers to intervene in certain cases. For example, if a private sector dispute resolution body found that a company had made serious violations of the principles, but the company contested the finding and the case was referred to the FTC, the EU authorities could suspend data transfers to that company until the matter was resolved. Also for example, if evidence of non-compliance accumulates and the relevant US enforcement body is not doing its job properly and if letting transfers continue risks causing grave harm to data subjects, EU authorities can once again suspend transfers. The Commission could subsequently change the "safe harbor" decision to exclude an ineffective US enforcement body.

What would happen if the "safe harbor" principles were widely flouted by "harborites" and the redress mechanisms proved ineffective?

If the US authorities failed to take the action necessary to correct the situation, the Commission could reverse its decision to grant the "safe harbor" arrangement "adequate protection" status.

Date: 27 July 2000