Trans-Atlantic Privacy Protection


If your company transfers consumer data from the European Union to the US, you’ll want to know about the US-EU Safe Harbor Program, a voluntary international privacy framework that lets companies transfer data from the EU to the US in a way that complies with EU law. To participate in the US-EU Safe Harbor Program, a company has to self-certify that it abides by seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.

To help your customers in the EU understand the program, point them to Information for EU Residents Regarding the U.S.-EU Safe Harbor Program. A company that participates in the program can let consumers know by sending out a press release that includes the Safe Harbor certification mark, displaying the Safe Harbor certification mark on its website, or mentioning its Safe Harbor certification in its privacy policy. But a business that says it complies has an obligation to live up to that promise. The FTC has sued companies that claimed they had valid Safe Harbor certifications but had allowed their certifications to lapse, improperly used the Safe Harbor certification mark, or didn't comply with the Safe Harbor principles.

