ShawPittman ALERT
A Law Partnership Including Professional Corporations
NONPROFIT ORGANIZATIONS / ASSOCIATIONS
March 2001, Number 2
Washington, DC | Northern Virginia | New York | Los Angeles | London | www.shawpittman.com

United States Adopts Safe Harbor for Compliance with European Privacy Directive

Many nonprofit organizations, including trade and professional associations, collect and use information from European members. When personal information is transferred from Europe across national borders, however, the European Union's (EU) Directive on Data Privacy (the Directive) applies to the transfer. The Directive specifically prohibits the cross-border transfer of personal data from EU nations to non-EU nations that do not have adequate standards for privacy protection. Consequently, to receive and use information about individual European members, a U.S. organization must ensure and certify that it employs privacy protection measures that would be considered adequate under the Directive. As discussed below, this may be accomplished by following a self-certification process developed by the U.S. Department of Commerce and made available through the Internet to individual companies and organizations.

The Directive

The Directive, adopted by the European Union in October 1995 and in force since October 1998, requires the European Commission (the governing body of the EU) to determine the adequacy of data protection in third countries and to prohibit personal data flows to countries with privacy regimes that are not deemed adequate. The European Union (EU) is a regional, treaty-based organization that manages economic and political cooperation among its fifteen European member countries: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Portugal, Spain, Sweden and the United Kingdom.

The Directive has two basic objectives: (1) to protect individuals with respect to the processing of personal information and (2) to ensure the free movement of personal information within the EU through the coordination of national laws. Personal information is defined broadly as information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The scope of the Directive also is very broad. The Directive applies to all processing of data, on-line and off-line, manual as well as automatic, and to all organizations holding personal data. It excludes from its reach only data used in the course of purely personal or household activity.

The Directive establishes strict guidelines for the processing of personal information. Processing includes any operation involving personal information, such as copying information or putting it in a file, except perhaps its mere transmission. The Directive requires that all personal information be processed fairly and lawfully, so that a person whose personal information is at issue knows that it is being collected and is informed of the proposed use(s). Furthermore, the use of personal information must be limited to the purpose first identified and to other compatible uses, and no more information may be collected than is required to satisfy the purpose for which it is collected. Information must also be kept accurate and up to date. The Directive sets forth rules for legitimate data processing that require obtaining the consent of the data subject before information is processed unless specific exemptions apply.
In addition, certain information must be provided to data subjects when their personal information is processed, such as whether they have rights to see the data, to correct any information that is inaccurate, or to know who will receive the data. Sensitive data, such as that pertaining to racial or ethnic origin, political or religious beliefs, or health or sex life, may not be processed at all unless the processing falls within limited exceptions, for example where the individual gives explicit consent. The Directive requires that appropriate technical and organizational measures be taken to protect data against destruction, loss, alteration, or unauthorized disclosure or access. We have provided a synopsis of the Directive's principles with this Alert.

There are some limited exceptions to these requirements. For example, personal data that is necessary to complete a contract between an individual and a company can be transferred without an adequacy determination, and a data-importing company may receive such data if it enters into a contract with the data-exporting company that binds the data importer to provide adequate privacy protection.

Safe Harbor Framework and Self-Certification

For U.S. organizations, the key provision is that the Directive prohibits the transfer of personal data to countries outside of the EU that fail to ensure "an adequate level of [privacy] protection." To address the potential impact of the Directive on U.S. companies and organizations, the U.S. Department of Commerce, in consultation with the European Commission, industry and non-governmental organizations, developed a safe harbor framework to satisfy the adequacy requirement of the Directive. As long as U.S. organizations comply with the safe harbor provisions, they may legally receive personal information from EU organizations. The safe harbor provisions became effective on November 1, 2000.

In summary, to satisfy the adequacy requirement of the Directive and qualify for the safe harbor afforded U.S. organizations, an organization must establish a privacy policy that incorporates eight core principles. Primary among these principles are notice to individuals about the purposes for which the organization collects and uses information about them, and the choice to opt out of having their personal information disclosed to a third party or used for a purpose that is incompatible with the purpose(s) for which it was originally collected. Under an organization's privacy policy, sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual) may be disclosed to a third party or used for a purpose other than those for which it was originally collected only if the individual gives an affirmative or explicit (opt-in) choice. Also, organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect the information from loss, misuse and unauthorized access, disclosure, alteration and destruction. The integrity of personal data must also be maintained: an organization may not process personal information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the individual. In addition, individuals must have access to the personal information about them that an organization holds and be able to correct, amend or delete that information where it is inaccurate. Finally, a privacy policy consistent with the safe harbor principles must include mechanisms for assuring compliance with the Safe Harbor Principles, recourse for individuals affected by non-compliance, and consequences for the organization when the Safe Harbor Principles are not followed.
To take advantage of the safe harbor benefits, an organization must self-certify annually to the Department of Commerce that it adheres to the safe harbor's requirements. Organizations that decide to participate in the safe harbor must comply with the safe harbor's requirements and publicly declare that they do so, for example in their privacy policy statements. The Department of Commerce has developed a form, available on its website (www.ita.doc.gov/ecom), that a U.S. organization can complete and submit for self-certification as an organization that employs recognized adequate privacy protection policies consistent with the requirements of the Directive. An EU organization can ensure that it is sending information to a U.S. organization participating in the safe harbor by consulting the public list of safe harbor organizations posted on the Department of Commerce's website at www.export.gov/safeharbor.

If an organization self-certifies that it complies with the safe harbor principles, a subsequent failure to comply with that self-regulation may be actionable under federal or state law prohibiting unfair and deceptive acts. The Federal Trade Commission (FTC), under Section 5 of the Federal Trade Commission Act (15 U.S.C. §§ 41-58, as amended) (the Act), may take enforcement action against organizations that fail to protect personal information in accordance with their representations and/or commitments to do so under the safe harbor principles. Section 5 of the Act declares unfair or deceptive acts or practices in or affecting commerce to be illegal. 15 U.S.C. § 45(a)(1). In exercising its Section 5 authority, the FTC takes the position that misrepresenting the purpose for which information is being collected from consumers, or how the information will be used, constitutes a deceptive practice.

Nonprofit organizations planning to send, sell or use lists with information on European persons, either members or nonmembers, should take steps to comply with the Directive.

Summary of Safe Harbor Principles for Compliance with European Directive on Data Privacy

Notice: An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

Choice: An organization must offer individuals the opportunity to choose (opt out) whether their personal information is 1) to be disclosed to a third party or 2) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.

Sensitive Information: For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), individuals must be given an affirmative or explicit (opt-in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt-in choice.

Onward Transfer: To disclose information to a third party, organizations must apply the foregoing Notice and Choice Principles.

Security: Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity: Consistent with the Safe Harbor Principles, personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete and current.

Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of persons other than the individual would be violated.

Enforcement: Effective privacy protection must include mechanisms for assuring compliance with the Safe Harbor Principles, recourse for individuals to whom the data relate who are affected by non-compliance, and consequences for the organization when the Safe Harbor Principles are not followed.

For further information concerning the issues in this Alert, please contact:
Jerry Jacobs [email protected] - 202.663.8011
Jeff Glassie [email protected] - 202.663.8036
Tom Arend [email protected] - 202.663.8070
Karen Cipriani [email protected] - 202.663.8069
Lauren Bright [email protected] - 202.663.8578

Copyright © 2001 by Shaw Pittman. All Rights Reserved. This publication is provided by Shaw Pittman for general information purposes; it is not and should not be used as a substitute for legal advice.