Safe Harbor Certification and Internet Privacy Legal Compliance

Business Law Blog
Authored by Bryan Springmeyer
The information on this page should not be construed as legal advice.

The Safe Harbor Framework described below was invalidated on October 6, 2015. For more information, read our article summarizing the present status and alternative approaches.

Around the globe, privacy laws related to personal information transmitted over the Internet govern the types of information that websites, online services, and even mobile apps can collect, utilize and disclose. Some countries, like Canada, have restrictive provisions in their legislation. See the Personal Information Protection and Electronic Documents Act (PIPEDA). The United States, too, has restrictive provisions in various legislation covering such personal information as medical records (HIPAA), personal information about children (COPPA), financial information and Social Security numbers.

One of the most significant global regulatory schemes is the European Union Directive on Data Protection. If the Commission determines that a country does not provide adequate privacy protection, it can prohibit the transfer of personal information to that country. In order to meet the adequacy requirement, the United States Department of Commerce implemented a program called the Safe Harbor Framework.

The Safe Harbor program allows companies that are subject to the jurisdiction of the Federal Trade Commission (FTC) or Department of Transportation (DoT) to self-certify annual compliance with the Safe Harbor Framework. Safe Harbor Certification generally shifts the forum in which a company must demonstrate the adequacy of its information protection from the EU to the Department of Commerce, which is favorable to US-based companies. It also allows companies to select an independent review entity in the United States, rather than abroad. However, Safe Harbor Certification does subject the US-based company to the enforcement actions at the disposal of the FTC or DoT, including criminal sanctions. See, e.g., 18 U.S.C. §1001 (criminal statute for making false statements to the Federal Government).

Safe Harbor Certification is often a primary step in privacy law compliance for US-based startups. For one, compliance extends to 31 countries simultaneously. Additionally, the Safe Harbor Framework sets out affirmative requirements that, when met, are sufficient to comply with some of the restrictive legislative schemes around the globe. However, companies should be prudent in sculpting their privacy policies, giving consideration to the types of information that will be gathered, the circumstances under which the information will be utilized and disclosed, and the laws of each of the jurisdictions where users are located.