Companies doing business globally have a variety of complex issues to deal with, not the least of which is concern about the security of personal data collected from their customers.
In 1995, the European Union issued Directive 95/46/EC, the Data Protection Directive, concerning the protection of individuals with regard to the processing and transfer of personal data. Thereafter, the U.S. Department of Commerce (DOC), in consultation with the EU, developed the U.S.-EU Safe Harbor Framework. This, along with the U.S.-Swiss Safe Harbor Framework, is a streamlined process for American companies to comply with the Data Protection Directive. The Framework enables U.S. organizations to transfer personal data from the EU to the U.S. provided the American company certifies with the DOC that it adheres to the Safe Harbor privacy principles. As of December 2013, more than 4,000 companies had certified compliance with the Safe Harbor program.
Despite the Safe Harbor Framework, concerns were raised recently within the EU about data privacy amidst revelations of surveillance of EU citizens’ data by the American government. The European Commission (EC) undertook a review of the EU-U.S. Safe Harbor scheme to ensure that it adequately served the purpose of preserving EU citizens’ data protection rights when that data was transmitted to the United States. Late last year, the EC issued a report concerning the operation of Safe Harbor and offered a number of recommendations to strengthen it.
The EC recommended that companies using the Safe Harbor process to self-certify compliance with the Data Protection Directive be required to publicly disclose their privacy policies and include a link on their websites to the DOC list of currently certified members of the Safe Harbor. The company must also require its subcontractors to publish the privacy conditions in the terms of their subcontracting agreements. Those privacy policies should set out the extent to which U.S. law permits authorities to collect data under the Safe Harbor. Recognizing that arbitration and mediation are effective means of resolving disputes between consumers and companies, the EC also suggested changes to the already-existing requirement that companies must create a readily available and affordable mechanism for dealing with individual complaints, including a system of alternative dispute resolution (ADR) by an independent third party.