International Safe Harbor Privacy Principles

Another foundational understanding of Self-sovereign Identification (SSI) and why it’s so critical that each individual be in control of their own identity, is the framework contained in the International Safe Harbor Privacy Principles and once again rather than my attempting to paraphrase I’ll borrow from Wikipedia

The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. They were overturned on October 6, 2015 by the European Court of Justice (ECJ), which enabled some US companies to comply with privacy laws protecting European Union and Swiss citizens. US companies storing customer data could self-certify that they adhered to 7 principles, to comply with the EU Data Protection Directive and with Swiss requirements. The US Department of Commerce developed privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland.

Within the context of a series of decisions on the adequacy of the protection of personal data transferred to other countries, the European Commission made a decision in 2000 that the United States’ principles did comply with the EU Directive – the so-called “Safe Harbour decision”. However, after a customer complained that his Facebook data were insufficiently protected, the ECJ declared in October 2015 that the Safe Harbour Decision was invalid, leading to further talks being held by the Commission with the US authorities towards “a renewed and sound framework for transatlantic data flows”.

The European Commission and the United States agreed to establish a new framework for transatlantic data flows on 2 February 2016, known as the “EU-US Privacy Shield“.

Background history

In 1980, the OECD issued recommendations for protection of personal data in the form of eight principles. These were non-binding and in 1995, the European Union (EU) enacted a more binding form of governance, i.e. legislation, to protect personal data privacy in the form of the Data Protection Directive.

According to the Data Protection Directive, companies operating in the European Union are not permitted to send personal data to “third countries” outside the European Economic Area, unless they guarantee adequate levels of protection, “the data subject himself agrees to the transfer” or “if Binding corporate rules or Standard Contractual Clauses have been authorised.”^[9] The latter means that privacy protection can be at an organizational level, where a multinational organization produces and documents its internal controls on personal data or they can be at the level of a country if its laws are considered to offer protection equal to the EU.

The Safe Harbour Privacy Principles were developed between 1998 and 2000. They were designed to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. US companies could opt into a program and be certified if they adhered to seven principles and 15 frequently asked questions and answers per the Directive. In July 2000, the European Commission (EC) decided that US companies complying with the principles and registering their certification that they met the EU requirements, the so-called “safe harbour scheme”, were allowed to transfer data from the EU to the US. This is referred to as the Safe Harbour Decision.

On 6 October 2015, the European Court of Justice invalidated the EC’s Safe Harbour Decision, because “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life” (boldened in original text).

According to the European Commission, the EU-US Privacy Shield agreed on 2 February 2016 “reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission, including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson”.

Principles

The seven principles from 2000 are:

• Notice – Individuals must be informed that their data is being collected and how it will be used.The organization must provide information about how individuals can contact the organization with any inquiries or complaints.
• Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
• Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
• Security – Reasonable efforts must be made to prevent loss of collected information.
• Data Integrity – Data must be relevant and reliable for the purpose it was collected.
• Access – Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate.
• Enforcement – There must be effective means of enforcing these rules.

Scope, certification and enforcement

Only U.S. organizations regulated by the Federal Trade Commission or the Department of Transportation may participate in this voluntary program. This excludes many financial institutions (such as banks, investment houses, credit unions, and savings & loans institutions), telecommunication common carriers, including internet service providers, labor associations, non-profit organizations, agricultural co-operatives, and meat processors, journalists and most insurances. although it may include investment banks.

After opting in, an organization must have appropriate employee training and an effective dispute mechanism in place, and self re-certify every 12 months in writing that it agrees to adhere to the U.S.-EU Safe Harbor Framework’s principles, including notice, choice, access, and enforcement. It can either perform a self-assessment to verify that it complies with the principles, or hire a third-party to perform the assessment. Companies pay an annual $100 fee for registration except for first time registration ($200).

The U.S. government does not regulate Safe Harbor, which is self-regulated through its private sector members and the dispute resolution entities they pick. The Federal Trade Commission “manages” the system under the oversight of the U.S. Department of Commerce. to comply with the commitments can be penalized under the Federal Trade Commission Act by administrative orders and civil penalties of up to $16,000 per day for violations. If an organization fails to comply with the framework it must promptly notify the Department of Commerce, or else it can be prosecuted under the ‘False Statements Act’.

In a 2011 case, the Federal Trade Commission obtained a consent decree from a California-based online retailer that had sold exclusively to customers in the United Kingdom. Among its many alleged deceptive practices was representing itself as having self-certified under Safe Harbour when in fact it had not. It was barred from doing so in the future.

Safe Harbor Privacy Principles