Issue
With the recent European Union's (EU) approval of the United States' "Safe Harbor" Agreement will US companies continue to do business with EU customers while protecting any consumer information collected?

Importance
While the US Government is beginning to take a harder look at data privacy and the use of personal information, the European Union has enacted strict regulations on consumer privacy and opposes corporate self-regulation. The negotiations to establish a "safe harbor" or standards to protect consumer privacy are vital to the continued presence of US business in the EU.

ATA Position
ATA members doing business with EU countries must comply with the Safe Harbor Privacy Principles.

Background
In October 1998, the European Union's Directive on Data Protection became effective. The directive requires that transfers of personal data take place only to non-EU countries that provide an adequate level of privacy protection. Since the US relies upon a mix of legislation, regulation, and self-regulation to ensure privacy, the US Government and businesses were unsure if US standards were adequate for the EU's requirements. To remove the uncertainty the US developed the Safe Harbor Privacy Principles in cooperation with industry and the general public. The EU accepted these principles in July 2000 as ensuring an adequate level of protection for personal data transferred from the EU to businesses within the US. The principles are intended solely for personal data transmissions from the EU to the US. US companies can voluntarily seek qualification under the safe harbor provisions whether through joining a self-regulatory privacy program or by developing its own internal self-regulatory privacy policies. The Safe Harbor Privacy Principles require a US company to follow these requirements:

Notice: Individuals must be informed about the purposes for which it collects and uses information about them, types of third parties to which it discloses the information, and how individuals can limit its use and disclosure.

Choice: Allow individuals to choose (opt out) whether their information can be disclosed to a third party or used for purposes other than for which it was originally collected.

Onward Transfer: Ensure that the third party receiving the transmitted information also adheres to these Safe Harbor Privacy Principles or is subject to the EU Directive.

Security: Must take reasonable precautions to protect personal information from loss, misuse and unauthorized access or alteration.

Data Integrity: Ensure that personal information is used for the purposes
for which it was collected.

Access: Individuals must have access to personal information and be able to correct or delete inaccurate information.

Enforcement: Establishment of dispute settlement process available to individuals who believe their personal information has been misused.

<Back to Issue Summaries>