Documento del U.S. Deparment of Commerce
sull'accordo con la UE "Safe Harbor" per la protezione dei dati
How will the "safe harbor" arrangement for personal
data transfers to the US work?
How will data controllers in Europe know which companies in the US can
The Department of Commerce will hold (or designate somebody to hold) a list
of organisations that have joined the "safe harbor". The list will
also make clear if any "harborites" lose their safe harbor"
status, for example because they have not complied with the rules. The list will
be publicly available, including on-line. It will be kept regularly up to date
and will therefore be a reliable source of information.
Will "harborites" be the only US companies that can receive
personal data from the EU?
No. Some transfers may benefit from exemptions under Article 26(1) of the
Directive (e.g. if data subjects have given their consent, or if the transfer is
made to fulfil a contract involving the data subject). Article 26(2) allows data
to be transferred to destinations where adequate protection is not generally
guaranteed where the exporter can show that adequate safeguards are in place,
for example in the form of a contract with the importer. These transfers have to
be authorised, however, by Member States' data protection commissioners. If
model contracts are approved by the Commission, this may (it varies from Member
State to Member State) allow the authorisation requirement to be waived.
How will US companies get on to the "safe harbor" list?
By self-certification. Companies are not obliged to show that they conform to
the "safe harbor" principles before they sign up , though some privacy
programmes do involve independent verification of conformity before companies
can sign up. But, when they self-certify, companies will have to identify their
enforcement bodies, so by consulting the list, anybody who has a problem knows
where to go to make a complaint.
How will we be sure that data transferred to US companies within the "safe
harbor" will not be passed to others outside the "safe harbor"
where data is not protected?
One of the rules of the "safe harbor" is that transfers of data to
a third party can only be made if the individual has first been given the
opportunity to opt-out. The only exception to this rule is when the disclosure
is made to a third party acting as an agent under instructions from the "harborite".
In this case the disclosure can be made either to other "harborites"
or to companies which have undertaken contractual obligations to observe similar
But isn't the safe harbor a voluntary system?
Signing up is indeed voluntary: companies will only join if they want to. But
the rules are binding for those who sign up.
Who will make sure that the rules are in fact observed?
Many companies in the "safe harbor" will have their compliance
checked annually by an independent body, but this is not obligatory, in order
not to discourage small and medium-sized enterprises from signing up. For them,
there are rules about how to conduct effective self-verification. Beyond that,
enforcement will largely be through alternative dispute resolution mechanisms.
Independent private sector bodies will investigate and try to resolve complaints
in the first place. If "harborites" fail to comply with the rulings of
these bodies, these cases will be notified to the Federal Trade Commission or
the Department of Transportation, depending on the sector, which have legal
powers to oblige them to comply. Serious cases of non-compliance will result in
companies being struck off the Department of Commerce's list. This means that
they will no longer receive data transfers from the EU under the "safe
What role will the Federal Trade Commission play?
The FTC Act makes it illegal in the US to make misrepresentations to
consumers or to commit deceptive acts that are likely to mislead reasonable
consumers in a material way.Announcing a particular set of privacy policies and
practices and then not abiding by them is likely to amount to misrepresentation
or deception. The FTC has strong enforcement powers, including the capacity to
impose heavy fines and to require the payment of compensation to individuals.
Moreover, getting on the wrong side of the FTC brings bad publicity and often
triggers a stream of private legal actions. The FTC thus backs up the private
sector programmes. It is not there to take up large numbers of individual cases,
but it has undertaken to give priority to referrals of non-compliance with
self-regulatory guidelines received from privacy programmes or from the EU's
data protection authorities. The FTC's powers can be used in the same way to
ensure that the private sector bodies involved in dispute resolution abide by
What about the sectors that are excluded from the FTC's jurisdiction?
The FTC covers commerce in general, but some sectors are excluded from its
jurisdiction (financial services, transport, telecommunications etc). These
sectors can also be covered by the "safe harbor" to the extent that
other public bodies with similar powers to the FTC undertake to pursue companies
in sectors under their jurisdiction for non-compliance with the Principles. For
the time being, only the US Department of Transportation has chosen to come
forward with the necessary information to allow the Commission to recognise it
as a government enforcement body in addition to the FTC. This will allow
airlines to join the "safe harbor". The Commission expects to be able
to recognise other US government enforcement bodies in due course.
As regards financial services (banking, insurance etc) the talks between the
Commission and the Department of Commerce on the "safe harbor"
coincided with important legislative developments in the US establishing new
rules for data protection, notably for banks (the Gramm/Leach/Bailey Act). It
was agreed to suspend talks on data transfers from the EU in these sectors and
to resume them after the implementation of the new Act with a view to extending
the benefits of the "safe harbor" to financial services.
How can individuals hope to understand this complex system?
The Commission and the relevant Member State authorities will provide
information for the public about these arrangements. But in practice, if an
individual has a problem, he will in all likelihood turn to his national or
regional data protection Commissioner, or perhaps the company that has exported
the data. The latter will be able to help put the individual in touch with the
complaint handling department of the US company itself, or with the independent
dispute resolution body, by consulting the "safe harbor" list. When
companies join the "safe harbor" they have to provide all this
Will EU authorities have to let data go to US "harborites" even
if difficulties arise?
EU authorities retain powers to intervene in certain cases. For example, if a
private sector dispute resolution body found that a company had made serious
violations of the principles, but the company contested the finding and the case
was referred to the FTC, the EU authorities could suspend data transfers to that
company until the matter was resolved. Also for example, if evidence of
non-compliance accumulates and the relevant US enforcement body is not doing its
job properly and if letting transfers continue risks causing grave harm to data
subjects, EU authorities can once again suspend transfers. The Commission could
subsequently change the "safe harbor" decision to exclude an
ineffective US enforcement body.
What would happen if the "safe harbor" principles were widely
flouted by "harborites" and the redress mechanisms proved ineffective?
If the US authorities failed to take the action necessary to correct the
situation, the Commission could reverse its decision to grant the "safe
harbor" arrangement "adequate protection" status.
Date: 27 July 2000