DMA Offers 'Safe Harbor' Program for Companies that Import European Personal Data to US
November 6, 2008 — Does your company import personal data from Europe to the United States? If “yes,” then you might want to consider joining the US Department of Commerce’s safe harbor framework.
In October 1998, the European Union passed wide-sweeping privacy legislation called the European Union Data Protection Directive. This Directive places requirements on businesses that wish to collect, process or transfer personal data from an EU Member State.
Under the Directive, the transfer of personal information from an EU Member State to a non-EU country is forbidden unless the country provides an “adequate” level of privacy protection. The EU does not view the US as having an adequate level of protection.
In order to avoid potential disruptions in trade between the US and the EU, the US Department of Commerce — in consultation with the European Commission and American business interests, including the Direct Marketing Association (DMA) — developed the safe harbor framework. This framework allows US companies a means of assuring European consumers that they will provide an adequate level of privacy protection, thereby satisfying the "adequacy" requirement of the European Directive on Data Protection.
Participation by US companies in the safe harbor framework is completely voluntary. However, if a company decides to take advantage of the US Commerce Department’s safe harbor framework, then it must:
· Comply with and self-certify to the seven safe harbor principles (notice, choice, onward transfer, access, security, data integrity and enforcement);
· Review the 15 frequently asked questions prepared by the Commerce Department;
· Have in-house and third-party dispute and enforcement mechanisms (for instance, the DMA) in place to ensure your compliance.
For additional information about the Commerce Department’s safe harbor framework, visit www.export.gov/safeharbor.
How Can DMA Assist Your Company?
In addition, DMA has developed a program to assist companies that wish to comply with the safe harbor requirements and thus be able to certify to the US Commerce Department that they have fulfilled the requirements of the safe harbor principles.
In particular, DMA helps companies meet the requirements of the Enforcement Principle. Under the Enforcement Principle, companies must take reasonable steps to ensure that any consumer privacy concern will be addressed by:
· Referring consumers to its customer service department or other in-house dispute resolution program;
· Subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints. [DMA is pleased to offer members this service]; and
· Having appropriate monitoring, verification, and remedy procedures in place.
DMA’s Safe Harbor Program (http://www.dmaresponsibility.org/SafeHarbor/) is designed to:
· Serve as a third-party dispute and enforcement mechanism for unresolved European data privacy complaints;
· Provide a DMA Safe Harbor Program mark.
How Do You Join DMA’s Safe Harbor Program?
For additional information, visit http://www.dmaresponsibility.org/SafeHarbor/ or contact Lisa Shosteck, DMA’s Safe Harbor Program Administrator, at Lshosteck@the-dma.org or 703.922.5472 (office) or 703-922-0074 (fax).
# # #