The Data Protection law formulated by the European Commission in 1998 prohibits the transfer of personal data of European citizens to other countries that do not meet privacy protection standards. To comply with this directive, the U.S. Department of Commerce and the EU developed the Safe Harbor Program. It was designed to help protect the privacy and integrity of the personal information collected and processed by U.S. companies. It allowed companies to self-certify that they would protect EU citizens’ data when it was transferred to servers and data centers located in the U.S.

U.S. companies should adhere to 7 principles for Safe Harbor certification:

1. Inform customers of the purpose of collecting information about them and of the choices and means the organization offers individuals for limiting its use and disclosure. They should also disclose the types of third parties they share the information with and how to contact the organization with any inquiries or complaints.
2. Provide a clear and affordable mechanism for users to choose how the information they provide will be disclosed to third parties.
3. Before sharing any personal information with a third party, an organization must see to it that it follows the above two principles. It must also ensure that the third party subscribes to the Safe Harbor Principles.
4. Organizations involved in collecting, processing and maintaining users’ personal data should protect it from misuse, loss, alteration and unauthorized access.
5. An organization should use the information only for the purpose for which it has been collected and should be responsible for keeping it updated and current.
6. Individuals should also have access, to an extent, to the information they provide to the company. The access may depend on the nature and sensitivity of the information collected.
7. Companies must also include a mechanism for assuring compliance with the Safe Harbor Principles and a course of action for organizations that do not follow them.

How does it help with doing business?

Curious why so many companies joined Safe Harbor? Or why they chose Safe Harbor over other cross-border data transfer mechanisms? Brian Hengesbaugh, a partner in the Chicago office of Baker & McKenzie, said, “It is better suited for online data transfer as it doesn’t require to obtain the consent from the website visitors or enter into bilateral agreements again and again.” It also helps to avoid the administrative burden of maintaining model contracts and executing new contracts to cover new business affiliates. Some of the key factors that drove U.S. companies to join Safe Harbor were the increased demand for cross-border data transfer and the need for a reliable solution for implementing data scrutiny. Among other benefits, it also enhanced brand reputation and EU customer satisfaction.

The European Union (EU) unveiled a series of proposals on November 4, 2010, that significantly revise its notorious Data Protection Directive. The changes could conceivably impact email marketers with subscribers in any of the EU's 27 member countries.

"The Right To Be Forgotten" Also Applies To Email Subscribers

The essence of the EU's new legislation was covered about a month ago in "Cookie Monster: How The New EU Regulations Impact Email Marketers". Since that time, the EU has introduced new proposals that include a regulation that can be summed up as "the right to be forgotten." The legislation is crafted to apply primarily to social networks such as Facebook, where the EU laws would require a simple, bold button that would indelibly and permanently erase all of the user's data from the site. This would allow users to effectively delete any signs of their previous presence on the site when they quit the network.

You May Have to Delete All of a Subscriber's Personal Data

These new regulations impact email marketers as well, in that they apply to any customer data held by businesses. It seems as if the EU is heading towards mandating a similarly simple and bold button on each of your outgoing emails that would allow the European customer not only to unsubscribe, but also to ensure that all of their personal data held by you is deleted from all of your systems. How the EU would enforce such a mandate on companies that are registered in the United States and have the data on servers outside the EU is not yet clear.

These Rules Will Apply Right Across All 27 EU Member Nations

To date, the EU's various data protection regulations have been implemented in a haphazard manner across the member states. Some countries have chosen to implement modified versions of the laws, while others have not enforced any of them.

Many email marketers have not taken this legislation seriously due to the internal discrepancies in its international administration. The EU has taken steps to close those loopholes and thus force its member states to adopt the rules homogeneously. The EU's latest revisions address those inconsistencies with a clear statement that these regulations will mark a "consistent application of data protection rules across the Single Market."

Voluminous Legal "Consumer Information" Text On Your Signup Forms

The EU's revisions also include legislation so that "collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used." These clauses take the EU's regulations beyond any existing laws, as the definition of the information that must be provided to all subscribers upon signup is significantly more extensive than any currently contemplated. This could equate to having to include voluminous legal "consumer information" text on your signup forms accessible to all of your European customers.

The EU's review process for its data protection regulations will end on January 15, 2011, and the laws may be implemented as early as just a couple of months later. These developments bear close scrutiny by any email marketer with subscribers within the EU's member nations, as the fines for violation could be considerable.