
The European Union's (EU) Data Protection Directive
DM Review
Business Intelligence: What You Need to Know about the EU Data Privacy Directive
EU Data Protection Directive Executive Summary
Since October 1995 the European Union has implemented far-reaching data protection laws for its citizens. The storage, use and exchange of personal information (whether on computer systems or on old-fashioned pen and paper) that uniquely identifies a real person is strictly controlled. It is illegal to move such data without the person's permission, and certainly illegal to move it outside of the EU unless the destination country has personal data protection laws equivalent to those of the EU.
The US has no such law, so for US companies wishing to do business in the EU an equivalent system has been established by the Department of Commerce. This system sets up a "safe harbor" guideline to which a company can adhere.
Therefore, any company wishing to do business and exchange customer information with a company in the EU has to apply to the Department of Commerce for Safe Harbor approval. The process is by self-assessment, but due to the complexity of the EU rules the assistance of an experienced assessor is highly recommended.
Certifying under the Safe Harbor will provide a US Company with a number of benefits:
- All 25 Member States of the European Union are bound by the European Commission's finding of adequacy;
- A US Company will be deemed adequate and the process of data flow to a US Company should not be hindered as a consequence;
- Member State requirements for prior approval of data transfers to a US Company either may be waived or approval may be automatically granted; and
- Claims brought by European citizens against a US Company can be heard in the US subject to limited exceptions.
To qualify for the Safe Harbor, a US Company can (1) join a self-regulatory privacy program (e.g. TRUSTe, BBBOnLine Privacy) that adheres to the safe harbor's requirements, or (2) develop its own self-regulatory privacy policy that conforms to the Safe Harbor. In either case, a US Company must comply with the seven Safe Harbor principles. These principles are as follows:
Notice
A US Company must notify individuals about the purposes for which it collects and uses information about them. It must provide information about how individuals can contact the company with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the company offers for limiting its use and disclosure.
Choice
A US Company must give individuals the opportunity to choose ("opt out") whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit ("opt in") choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
Onward Transfer (Transfers to Third Parties)
To disclose information to a third party, a US Company must apply the notice and choice principles above. Where a US Company wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the Safe Harbor principles, or is subject to the Directive or another adequacy finding. As an alternative, a US Company can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.
Access
Individuals must have access to personal information about them that a US Company holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
Security
A US Company must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data integrity
Personal information must be relevant for the purposes for which it is to be used. A US Company should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
Enforcement
In order to ensure compliance with the Safe Harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments a US Company makes to adhere to the Safe Harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by a US Company. If a US Company fails to provide annual self-certification letters, it will no longer appear in the list of participants and safe harbor benefits will no longer be assured.
PSC Solution
To help organizations meet EU Data Directive requirements, PSC provides:
- Specific security assessment of the requirements under the seven criteria
- Advice on the most cost effective approach to remediation if the customer does not meet the requirements
- Analysis of the data types and collection mechanisms to assess the overall need for safe harbor
- Ongoing reassessment on an annual basis