The U.S. Department of Commerce requires all organizations that accept personal data from the E.U. and Switzerland to comply with the U.S.-E.U. Safe Harbor and U.S.-Swiss Safe Harbor programs. These programs require organizations in the U.S. that accept data from the E.U. and Switzerland to make legally binding representations that they will address and implement safeguards meeting the data transfer standards of E.U. privacy law. Non-compliance with the Safe Harbor program can result in federal and state government enforcement, European Data Protection enforcement, civil penalties (up to $12,000 per day for violations), de-certification or permanent ineligibility for Safe Harbor, and reputational sanctions.
Companies certifying under the Safe Harbor program must adhere to the program's 7 Privacy Principles: (1) Notice, (2) Choice, (3) Onward Transfer, (4) Security, (5) Data Integrity, (6) Access, and (7) Enforcement.
(1) Notice
- Organizations must notify their customers about how their personal information will be collected, used, and disclosed.
- Organizations must provide contact information within the company for any questions or complaints about privacy related matters.
- Clear and conspicuous language must be provided at the time of collection.
(2) Choice and (3) Onward Transfer
- Individuals must have the opportunity to choose whether their personal information is disclosed to independent third parties.
- Individuals must be able to choose whether their personal information is used for purposes that are not compatible with the original notice provided to them.
- Notice and choice principles also apply when data is transferred to independent third parties.
- If the data is being transferred to an independent third party, the individual must be given the opportunity to opt-out; if sensitive information is involved, opt-in consent must be obtained.
(4) Security
- Organizations must take reasonable precautions to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
- Examples of reasonable precautions include, without limitation, implementing policies and training, encrypting backup tapes, limiting access to personal data on a need-to-know basis, securing areas with access to sensitive data, and promptly terminating data access for departing employees.
(5) Data Integrity and (6) Access
- Organizations must take reasonable steps to ensure that data is reliable, accurate, complete and current.
- Individuals must be provided with access to and have the ability to correct, amend or delete inaccurate information (exceptions include: if the burden or expense is disproportionate to risks to the individual’s privacy; or if the rights of other persons would be violated).
- Organizations should only collect and process personal data that is relevant for the business purposes for which it was collected.
(7) Enforcement
- Organizations must include mechanisms for ensuring compliance with the Safe Harbor Principles (e.g., monitoring/auditing).
- Organizations must make readily available and affordable independent recourse mechanisms.
- Organizations must have in place follow-up procedures for verifying assertions regarding privacy practices.
- Organizations have an ongoing obligation to remedy problems arising from non-compliance.