CHAPTER 13:
EU REGULATION

The two most important European Union instruments, for North American organizations working with or within the EU, are the EU Data Protection Directive 1995 and the EU Privacy Directive 2003.

The Safe Harbor framework

The Safe Harbor framework allows US corporations that are regulated by the Federal Trade Commission (‘FTC’) and have operations in the EU to receive European data. They can comply with the EU Data Protection Directive by adopting the seven Safe Harbor Principles, which are set out on the Commerce Department’s website [7], and by submitting themselves to Commerce Department certification. These compliance standards are certified through the Department of Commerce and enforced by the FTC. Only a relatively small percentage of corporations have met a requirement that enables them to obtain EU member state permission (one year, renewable) to transfer data out of the EU.

The benefits to US corporations of Safe Harbor compliance, in respect of the EU, are that:

• all EU member states will be bound by the Commission’s finding of adequacy;

• companies participating in the Safe Harbor will be deemed adequate and data flows to those companies will be legal;

• member state requirements for prior approval of data transfers will be waived or approval will be automatically granted; and

• claims brought by European citizens against US companies will be heard in the United States, subject to limited exceptions.

The list of US companies that have met the Safe Harbor requirements is to be found at: http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list.
