A decade ago, the European Union (EU) implemented a Safe Harbor law, the Data Protection Directive, which featured strong standards governing the use and protection of important data. Under it, any form of data transferred within the European Economic Area (EEA) enjoyed the law's protection. Personal data transferred to other states, however, was not guaranteed the same protection unless those states met a certain level of data protection.

In 2015, the European Court of Justice overturned the Safe Harbor agreement and ruled that each country in the EU should govern how its citizens' online information can be collected and used. Following this decision, the national regulators of these countries were allowed to suspend transfers if any U.S. company failed to protect user data adequately.

In 2016, the EU and the U.S. established the EU-US Privacy Shield, a legal framework that governs transatlantic data flows, to replace Safe Harbor. Recently, the Federal Trade Commission, a body in the U.S. that governs the enforcement of Safe Harbor, has started a crackdown on U.S. firms that claim to be Safe Harbor Compliant but fail to implement the necessary protection standards.

Is It Safe to Use Safe Harbor?

Over time, the law has held that Safe Harbor applies to drugs, devices and the use of patented technology, including activities related to FDA approval. That is, as long as there is a reasonable basis to indicate that a patented technology may be used for an FDA submission, its use is protected under the safe harbor.

Safe Harbor EU allows secure transfer of data while still safeguarding the personal data of European citizens. In addition, U.S. companies in this agreement enjoy unrestricted export and import of data with all certified Safe Harbor participants. It also eliminates the need for prior approval of individual data transfers, thus creating a cost- and time-efficient system.

How to Become Safe Harbor Compliant

If you operate a business phone system provider, or a company that works with one, then it is likely that you handle critical information about the people who use your products and services. The data you collect is quite literally a gold mine, and that is where you need to be extra careful to prevent spammers from getting their hands on such information. Before providing personal information, data subjects should look for phone providers that are compliant.

To qualify for Safe Harbor Compliance, a company should complete an annual self-certification process with the Department of Commerce. An entity can start by joining a self-regulatory program that reviews the company's privacy policies and issues Safe Harbor compliance certificates, or it can create its own self-regulatory privacy policies that conform to the Safe Harbor guidelines.

What Are the Safe Harbor Certification and Privacy Standards?

Being Safe Harbor-certified means that an organization has adhered to all data privacy standards to ensure that EU citizens' personal data, including that of customers in other parts of the world, will be treated with the utmost security.

Formulated for U.S. companies that process personal data gathered in the EU, the Safe Harbor Principles have to be followed to help eligible organizations to fulfill the requirements of the EU Data Protection Directive.

The following principles must also be included in the privacy policy of a Safe Harbor Compliant organization:

Notice: The organization collecting personal information must inform the respective individuals of the data collection process and the purposes for which personal data is collected and used. The firm must identify the parties to which it will disclose the information, explain how the individuals involved can contact the organization with inquiries or complaints, and state by what means disclosure of the personal data can be restricted.

Choice: The company must offer individuals the opportunity to opt out of third-party disclosure or use of their personal information. Data owners should also be given an affirmative (opt-in) choice for the use or disclosure of sensitive information.

Onward Transfer: If an organization wishes to transfer personal information to a third party, it should apply the principles of notice and choice. Where a business wishes to disclose information to a third party acting as its agent, it may do so by confirming that the third party adheres to the Safe Harbor's data privacy standards and guidelines, is subject to the EU Data Protection Directive, or has entered into a written agreement with the business requiring it to offer a level of data protection similar to that required by Safe Harbor.

Security: Organizations must take the required measures to protect personal data, to ensure its reliability for its intended use, and must take reasonable precautions to protect it from tampering, loss, misuse, disclosure, unauthorized access, alteration and other possible manipulation.

Data Integrity: In line with these principles, companies that intend to collect personal information from individuals must have realistic procedures to ensure the information is reliable, complete, accurate and current.

Access: Organizations must allow individuals to access their personal information and be able to amend and correct that information if it’s inaccurate. This principle is subject to the reasonableness standard.

Enforcement: A recourse mechanism must be in place for individuals to file complaints, to assure compliance with the Safe Harbor principles. Such a mechanism must include these elements: (a) readily available and reasonably priced independent mechanisms to ensure each data subject's complaints are investigated and resolved; (b) follow-up procedures to verify that the pledges a business makes regarding its privacy practices have been applied; and (c) an obligation to remedy any problems arising from a failure to adhere to the Safe Harbor principles. Sanctions should be severe enough to guarantee compliance by the company.

Ensure Your Compliance

Companies planning to operate smoothly on a global level must have mechanisms to safeguard personal information when it is being transferred to and from the U.S. Important agreements such as Safe Harbor provide a good basis for the European Union and the United States to carry out a mutually beneficial relationship, but the agreement alone cannot completely guarantee data protection. The companies involved need to ensure they are Safe Harbor compliant as a way of building the trust that allows such an agreement to be effective now and in the future.

Don't be left out: follow the required guidelines and become Safe Harbor Compliant.

When it comes to security, 8x8 provides reliable and compliant cloud solutions at a demanding level rarely seen by other cloud providers. Don't take your chances with a subpar cloud-based telecom system. Call 1-866-879-8647 or fill out our online form to request a no-obligation quote from an 8x8 Product Specialist.
