Memorandum

| To: | Our Clients and Friends |
| From: | Petrillo & Powell, P.L.L.C. |
| Date: | January 15, 2001 |
| Subject: | U.S. - E.U. Safe Harbor Arrangement on Data Privacy |
European Union regulations issued in 1995 required member states to enact laws prohibiting the transfer of individuals' personal data to locations outside the Community unless the country to which the data is being transferred "ensures an adequate level of protection" against misuse or unauthorized disclosure. This has presented problems for many U.S.-based businesses, including parents and subsidiaries of European firms, which collect or process data collected from individuals, since the U.S. Government does not maintain a national data protection regime. U.S. Government regulation of data privacy is primarily directed at governmental activities. For the private sector, the U.S. has traditionally relied on industry self-regulation.
In 2000, the U.S. Department of Commerce successfully negotiated a "safe harbor" agreement with the E.U. to allow data transfers between U.S. and E.U. firms. U.S.-based companies which agree to meet certain minimum standards for data privacy, and which are subject to either Federal Trade Commission jurisdiction or other Federal laws and regulations protecting personal privacy (such as the Privacy Act), can qualify for safe harbor protection. This means that they can continue to receive and exchange personal data with European-based companies and other entities.
The minimum standards which must be satisfied are expressed in terms of seven principles which must be followed. Individuals must be provided with (1) notice of the use to be made of their information, (2) the ability to opt out of further disclosure, and (3) access to their information with the right to correct errors in the data. Companies must have (4) adequate data security procedures and (5) must only use data for disclosed purposes. (6) Data transfers may only be made to companies qualifying under the safe harbor or complying with E.U. regulations on data privacy. Finally, (7) the company must be subject to a federal enforcement mechanism if it fails to adhere to the safe harbor principles.
U.S. companies wishing to qualify for safe harbor treatment should register at a Commerce Department website recently established for this purpose. The website address is http://www.export.gov/safeharbor/. E.U. companies can verify a U.S. firm's eligibility to receive personal data by accessing the site to view a regularly updated list of participating companies.
Contact our office for more information about the safe harbor principles or for guidance on developing a data privacy policy that will qualify for safe harbor status.