Safe Harbor: A framework for US – EU data privacy
Raymond K. Cunningham, Jr. CRM, CA, CDIA+, CIPP/IT

Upload: raymond-cunningham

Post on 10-May-2015


DESCRIPTION

Slides for Safe Harbor

TRANSCRIPT

1. Safe Harbor: A framework for US – EU data privacy
  • Raymond K. Cunningham, Jr. CRM, CA, CDIA+, CIPP/IT

2. What is Safe Harbor?
  • Safe Harbor is a framework providing a bridge between the approaches taken by the United States and the European Union toward the protection of privacy
  • Safe Harbor is for corporations and other organizations doing business in or with EU companies and subsidiaries
  • Safe Harbor is voluntary
  • Organizations self-certify to the principles of Safe Harbor

3. Safe Harbor
  • Because of the implementation of the EU Directive on Data Protection in 1998, the transfer of personal data to non-EU states was to be halted
  • In order to bridge the gap, the US Department of Commerce and the EU Commission developed the Safe Harbor program

4. Why Safe Harbor?
  • Privacy in the United States differs significantly from privacy in Europe
  • European privacy is a basic human right
  • "Everyone has the right to respect for his private and family life, his home and his correspondence." - European Convention for the Protection of Human Rights and Fundamental Freedoms

5. Privacy in Europe
  • Privacy is derived from the European Convention on Human Rights (1950), Article 8
  • Directive on Data Protection: Directive 95/46/EC was the result of 15 years of work to provide an EU framework on data protection

6. Data Protection Directive 95/46/EC
  • The directive takes a comprehensive approach to privacy: the objectives are to protect individuals with respect to processing personal information and to ensure the free movement of personal information
  • Personal data is defined as relating to an identifiable person
  • The directive is broad. Storage and retrieval are covered in the directive but transmission is not

7. Data Protection Directive 95/46/EC
  • Article 25 of the EU Directive prohibits any EU country from transferring personal data via the Internet to, or receiving data from, countries deemed to lack "adequate" Internet privacy protection
  • The United States is one such country, with no national laws regarding Internet data privacy

8. Privacy in the United States
  • Privacy has been defined in court decisions: Roe v. Wade
  • Privacy is protected through legislation in various areas: HIPAA, COPPA, GLBA
  • Privacy and security are also protected by self-regulatory initiatives: PCI-DSS

9. Benefits to Safe Harbor
  • All member EU states are bound by the EU Commission's finding of adequacy of SH
  • Companies participating will be allowed data flows
  • Prior approval of member states will be waived or automatically granted
  • Claims brought by EU citizens will be heard in the US (some exceptions may apply)

10. A Word about Switzerland
  • In 2008 the Swiss Federal Act on Data Protection (FADP) was modified and a Safe Harbor program instituted
  • The Swiss data protection application is identical to the EU Safe Harbor form and the process is also similar, but it is separate

11. Safe Harbor Principles
  • Notice
  • Choice
  • Onward Transfer
  • Security
  • Data Integrity
  • Access
  • Enforcement

12. Safe Harbor Principles: Notice
  • Organizations must provide a clear and conspicuous notice
  • The information's purpose and how it will be used must be stated
  • A contact for questions or complaints
  • Individuals must be told the types of third parties to which data is to be disclosed

13. Safe Harbor Principles: Choice
  • The organization must give individuals the opportunity to opt out when:
    • Their information is transferred to a third party
    • Their information is used for a purpose for which it was not originally collected
  • Mechanisms must be in place to exercise choice

14. Safe Harbor Principles: Choice
  • People must be given affirmative or explicit opt-in choice if the following information is to be divulged to a third party:
    • PII or PHI
    • Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation

15. Choice: Explicit Opt-in
  • Explicit opt-in gives the recipient a clear understanding of the process of opting in or opting out
  • Opt-in to request a service: single click
  • Confirmed opt-in: a confirmation email is sent, allowing them to unsubscribe
  • Double opt-in: a confirmation email is sent and they must reconfirm

16. Safe Harbor Principles: Onward Transfer
  • To disclose to a third party, the organization must apply the Notice and Choice principles
  • The organization MUST ascertain that the receiving party subscribes to the principles

17. Safe Harbor Principles: Security
  • Organizations must take reasonable precautions to protect information from loss, misuse, unauthorized access, disclosure, alteration and destruction
  • Similar to PCI-DSS and GLBA
  • ISO/IEC 27002 (formerly 17799) is a best practice

18. Safe Harbor Principles: Data Integrity
  • Personal information must be relevant for the purposes for which it is used
  • An organization must not process information in a way that is incompatible with the purpose for which it has been collected or authorized by the individual
  • Organizations should take reasonable steps to ensure that the data is reliable for its intended use, accurate, complete, and current

19. Safe Harbor Principles: Access
  • Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate

20. Safe Harbor Principles: Access
  • EXCEPT where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated

21. Safe Harbor: Enforcement
  • Enforcement mechanisms must include:
    • Readily available and affordable independent recourse mechanisms by which disputes are investigated and resolved and damages awarded
    • Follow-up procedures for verifying that the attestations the organization makes about its privacy practices are true, and that the policies are implemented as presented
    • Obligations to remedy problems arising out of failure to comply with the principles
  • Sanctions must be sufficiently rigorous to ensure compliance

22. Safe Harbor Self-assessment (in-house)
  • Maintain documentation
  • Have documentation available
  • Employee training
  • Conduct regular audits
  • Outsource compliance review
  • Random reviews for compliance
  • Statements of compliance verification
  • All documents should be available upon request

23. Certification of Compliance

24. Safe Harbor: Enforcement
  • The FTC is committed to reviewing referrals from privacy self-regulatory organizations such as BBBOnline and TRUSTe
  • The FTC maintains a list of Safe Harbor companies on the web
  • Member states alleging non-compliance can use the FTC's Section 5 prohibiting unfair or deceptive acts
  • The FTC may obtain civil penalties

25. Enforcement
  • Fact: From November 2000 to 2009 NO actions were taken
  • In November 2009 six companies were sanctioned and an injunction ordered against another
  • Balls of Kryptonite, LLC was misleading customers by stating self-certification

26. Important!
  • Whatever you put into a Privacy Statement, you must conform to the statement
  • Designate a point of contact to handle questions
  • Keep your certification current!

27. Records Managers
  • Records managers are front-line players in privacy/security
  • Records retention is directly tied to privacy
  • Records access is directly tied to security
  • Records managers in your organization should have some oversight role
  • In 2006 the DPA condemned the retention of telecomm data on security grounds in response to the London and Madrid bombings

28. FAQ: Some Questions
  • How do organizations provide for verification that the attestations and assertions they make are being followed in accordance with the Safe Harbor Principles?
  • Documenting the self-assessment or having an outside firm audit the principles

29. FAQ: Some Questions
  • How does the Access Principle apply to Human Resources records?
  • Safe Harbor requires that an organization processing such data in the US will cooperate in providing access either directly or through the EU employer

30. FAQ: Some Questions
  • What about data transferred to the US for data processing only?
  • Data controllers in the EU are always required to enter into a contract. Data protection is always a key element of outsourced data storage or processing
  • Principles would not necessarily apply, depending on the work to be done

31. Pharma and Medical Products
  • Do member states' laws apply to personal medical data collected in the EU and transferred to the USA?
  • Safe Harbor principles apply after the transfer to the US. Anonymize data where appropriate
  • What happens to an individual's data if a participant decides to withdraw from a clinical trial?
  • Data collected prior to the withdrawal may be processed if it was made clear to the participant in the notice

32. How much will it cost?
  • Fees are $200 for certifying for the first time
  • Recertification is $100
  • Payments are made to the Department of Commerce
  • This is exclusive of fees to third parties for compliance

33. What is the Future?
  • The EU Directive is being rewritten (Dec. 2011)
  • The right to be forgotten
  • Data protection officers
  • Certification and seal programs
  • Breach notifications
  • Data protection impact statements
  • Consent
  • New European Data Protection Board

34. What is the Future?
  • The Right to be Forgotten: adults should not be made to live in perpetuity with data they posted during a less mature point in their lives
  • Breach Notification: data controllers will be required to notify the supervisory authority without undue delay, within 24 hours

35. Resources
  • http://safeharbor.export.gov/list.aspx
  • International Association of Privacy Professionals (IAPP): sign up for the free daily newsletter
  • Federal Trade Commission (FTC)
  • AICPA

36. Contact
  • Ray [email protected] 244-0658