The Safe Harbor Framework (slide transcript, 31 slides)

Page 1

The Safe Harbor Framework

Information Technology Association of America (ITAA) Webcast

February 16, 2001

Presented by:

Patricia M. Sefcik and

Jeff Rohlmeier,

U.S. Department of Commerce

Page 2

Introduction: The European Union Directive on Data Protection

The U.S. and the EU have different approaches to data privacy protection

U.S. system based on:

- Self-Regulation

- Sector-specific legislation in highly sensitive areas such as financial, medical, children's and genetic information

European system is based on comprehensive legislation

Page 3

Introduction (continued)

October 1998: EU's sweeping privacy directive went into effect

EU directive prohibits the transfer of personal data to non-EU countries that do not provide "adequate" privacy protection

EU directive covers all industry sectors and virtually all personal data

European authorities could legally stop data flows at any time

Page 4

Introduction (continued)

Implications of EU directive:

- In 1999, the U.S. had approximately $350 billion in trade with the EU

- Over $120 billion in two-way trade with the EU is dependent upon access to personal information

U.S. and EU are committed to bridging different approaches to privacy while maintaining data flows and a high level of privacy protection

Page 5

Introduction (continued)

Safe Harbor Framework: Based on 7 principles that closely reflect the U.S. approach to privacy

July 2000: Safe Harbor principles are deemed adequate by the European Commission

November 1, 2000:

- Safe Harbor becomes effective

- DOC launches safe harbor website at http://www.export.gov/safeharbor

Page 6

Part I: Overview of the Safe Harbor Framework

Safe Harbor Framework includes:

- 7 privacy principles (see Part II of presentation)

- 15 FAQs

- European Commission's adequacy determination

- Letters between Dept. of Commerce and European Commission

- Letters from Dept. of Transportation and Federal Trade Commission

Page 7

Overview of Safe Harbor Framework (continued)

Understanding safe harbor requires familiarity with all safe harbor documents (http://www.export.gov/safeharbor)

Decisions by U.S. organizations to enter the safe harbor are entirely voluntary

A "stand-still" agreement between U.S. and EU remains in effect

Mid-2001: Review of safe harbor will take place; stand-still will be reassessed

Page 8

Overview of Safe Harbor Framework (continued)

Benefits of Implementing the Safe Harbor Framework:

- Predictability and Continuity (all 15 Member States bound by adequacy determination)

- Eliminates need for prior approval to begin data transfers

- Flexible privacy regime more congenial to U.S. approach

- Simpler/more efficient means of compliance

Page 9

Overview of Safe Harbor Framework (continued)

What organizations may join safe harbor?

- U.S. organizations subject to jurisdiction of the FTC or the Dept. of Transportation

- Financial services, telecommunications (common carriers) and not-for-profits are currently ineligible

- Treasury Department, in consultation with DOC, leading negotiations concerning financial services

Page 10

Overview of Safe Harbor Framework (continued)

What organizations should join Safe Harbor?

- Organizations that receive personally identifiable information from EU member states must demonstrate "adequate" privacy protections

- Organizations that have not identified another basis for demonstrating "adequacy" should consider joining safe harbor

Page 11

Overview of Safe Harbor Framework (continued)

Joining safe harbor is not the only means of compliance with the EU "adequacy" requirement.

Other methods of compliance include:

- direct compliance with EU directive

- consent

- entering into a model contract (not yet available)

Page 12

Overview of Safe Harbor Framework (continued)

How Do Organizations Join Safe Harbor?

- Organizations must comply with the framework's requirements and publicly declare that they do so

- To be assured of safe harbor benefits, an organization needs to self-certify annually to the DOC

- Organizations may self-certify either by letter or by registering on the safe harbor website at http://www.export.gov/safeharbor (see Part III of presentation)

Page 13

Overview of Safe Harbor Framework (continued)

How and Where will Safe Harbor be Enforced?

- In general, enforcement will take place in the U.S., in accordance with U.S. law, and will rely, to a great extent, on private sector enforcement.

- Private sector enforcement has three components: Verification, Dispute Resolution, and Remedies (see Part II of presentation)

Page 14

Overview of Safe Harbor Framework (continued)

Failure to Comply with Safe Harbor Requirements:

- If an organization persistently fails to comply with safe harbor requirements, it is no longer entitled to safe harbor benefits

- Independent recourse mechanisms are required to notify DOC of such facts. The Safe Harbor list will indicate failure to comply.

- Failure to comply may also result in an enforcement action by the FTC or DoT

Page 15

Part II: The Safe Harbor Principles

An organization entering the safe harbor must adhere to 7 privacy principles:

- Notice

- Choice

- Onward Transfer

- Security

- Data Integrity

- Access

- Enforcement

Page 16

The Safe Harbor Principles (continued)

Notice:

- Inform individuals about the purpose for which the information is being collected

- Inform individuals about how to contact the organization with inquiries or complaints

- Provide information on the types of third parties to which information is being disclosed, and the choices and means offered for limiting its use and disclosure

Page 17

The Safe Harbor Principles (continued)

Choice:

- An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party, or (b) to be used for a purpose that is incompatible with the purposes for which it was originally collected or subsequently authorized by the individual.

- Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.

Page 18

The Safe Harbor Principles (continued)

Sensitive Information:

- For sensitive information (i.e. medical/health conditions; racial/ethnic origin; political opinions; religious/philosophical beliefs; trade union membership; sex life), individuals must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.

Page 19

The Safe Harbor Principles (continued)

Onward Transfer:

- To disclose information to a third party, organizations must apply the notice and choice principles.

- Notice and Choice are not required for data transfers to an agent (someone who acts on behalf of the transferor) if it is first determined by the organization that the agent complies with the safe harbor principles, or is subject to the directive or another adequacy finding, or enters into a written agreement with the organization.

Page 20

The Safe Harbor Principles (continued)

Security:

- Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction

- Organizations must take more care to protect sensitive information, as it is defined in the principles.

Page 21

The Safe Harbor Principles (continued)

Data Integrity:

- Personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.

- To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

Page 22

The Safe Harbor Principles (continued)

Access:

- Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

Page 23

The Safe Harbor Principles (continued)

Enforcement:

- Organizations must have the following enforcement mechanisms in place:

(1) Readily available and affordable independent recourse mechanisms to investigate and resolve complaints brought by individuals

(2) Follow-up procedures for verifying that safe harbor policies and mechanisms have been implemented

(3) Obligations to remedy problems arising out of a failure by the organization to comply with the principles

Page 24

The Safe Harbor Principles (continued)

Verification:

- An organization may use a self-assessment or an outside/third-party assessment program.

- Under self-assessment, a statement verifying the self-assessment should be signed by a corporate officer or other authorized representative at least once a year.

- Under outside assessment, a verification statement should be signed either by the reviewer or by the corporate officer/authorized representative at least once a year.

Page 25

The Safe Harbor Principles (continued)

Dispute Resolution:

- Organizations may choose to have disputes resolved by third-party dispute resolution programs (such as TRUSTe, BBBOnLine, DMA, AICPA WebTrust, JAMS/Endispute, Entertainment Software Rating Board, etc.), or they may choose to cooperate with the European Data Protection Authorities (DPAs).

- In the case of human resources data, the organization must agree to cooperate with the DPAs.

Page 26

The Safe Harbor Principles (continued)

For more guidance on the safe harbor principles, consult http://www.export.gov/safeharbor:

- Safe Harbor FAQs

- Safe Harbor Workbook

Page 27

Part III: The Safe Harbor Website and Self-Certification Procedure

Organizations that decide to join the safe harbor may do so by:

- Self-certifying via the Department of Commerce's safe harbor website at http://www.export.gov/safeharbor; or by

- Sending the Department of Commerce a letter

Once received, the information submitted will be reviewed for completeness.

Page 28

Website and Self-Certification Procedure (continued)

Review for completeness should take approximately 48 hours.

The process may take longer depending on the need for clarification.

Make certain that all fields on the certification form have been completed.

Keep copies of self-certification materials for your records.

Page 29

Website and Self-Certification Procedure (continued)

Additional resources available on the safe harbor website:

- Safe Harbor List (updated regularly)

- Safe Harbor Workbook

- Safe Harbor Documents (including Principles, FAQs, correspondence)

- Historical Documents (including public comment)

- Compliance Checklist

Page 30

Conclusion

Safe Harbor Framework is a streamlined, efficient means of complying with the EU Directive on Data Protection

Safe Harbor is entirely voluntary

Organizations may sign up via the Department of Commerce's safe harbor website (http://www.export.gov/safeharbor), or by sending the Department a letter

Page 31

Contact Information

Questions and comments may be directed to:

Jeff Rohlmeier

U.S. Department of Commerce

International Trade Administration

Office of Electronic Commerce

HCHB 2003

14th & Constitution Avenues, NW

Washington, DC 2003

PH: (202) 482-0343

E-Mail: [email protected]