US safe harbour principles.
The European Union's Data Protection Directive (95/46/EC) came into effect in October 1998. It prohibited the transfer of personal data to non-EU countries that did not meet the European "adequacy" standard for privacy protection. Although the United States and the European Union shared the goal of improving privacy protection for their citizens, the United States took a different approach to privacy (largely sectoral legislation and industry self-regulation) from the comprehensive, legislated approach taken by the European Union. To bridge these different approaches and provide a uniform, cost-effective means for U.S. organisations to satisfy the adequacy requirement of the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed the "Safe Harbor" framework. Approved by the European Commission in July 2000, the Safe Harbor framework allowed U.S. companies that self-certified their adherence to its principles to receive personal data from the EU, and gave EU organisations assurance that the recipient met an adequate standard of data privacy. (The framework was invalidated by the Court of Justice of the European Union in October 2015, so it can no longer be relied on as a legal basis for EU-to-U.S. transfers.)
The Safe Harbor framework comprises the following seven principles:
- Notice: An organisation that collects and stores personal information must inform individuals about the purposes for which it collects and uses the information, how to contact the organisation with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means it offers for limiting use and disclosure. The notice must be clear and conspicuous, and given when individuals are first asked to provide personal information or as soon afterwards as is practicable.
- Choice: Individuals must be given the opportunity to opt out, i.e. to choose whether their personal information is disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorised by the individual. For sensitive information (such as medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sex life), the choice must be affirmative (opt in).
- Onward Transfer (Transfers to Third Parties): Before disclosing information to a third party, an organisation must apply the Notice and Choice principles. Where the third party is an agent acting on the organisation's behalf, the transfer may proceed if the agent subscribes to the Safe Harbor principles, is subject to the Directive or another adequacy finding, or enters into a written agreement requiring at least the same level of privacy protection as the Safe Harbor principles.
- Access: Individuals must have access to the personal information an organisation holds about them and be able to correct, amend or delete information that is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy, or where the rights of persons other than the individual would be violated.
- Security: Organisations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorised access, disclosure, alteration and destruction.
- Data Integrity: Personal information must be relevant to the purposes for which it is used. An organisation may not process personal information in a way that is incompatible with the purposes for which it was collected or subsequently authorised by the individual, and must take reasonable steps to ensure the data is reliable for its intended use, accurate, complete and current.
- Enforcement: Effective privacy protection must include mechanisms for assuring compliance with the principles, recourse for individuals affected by non-compliance, and consequences for the organisation when the principles are not followed. At a minimum, this means readily available and affordable independent recourse mechanisms for investigating and resolving individuals' complaints and disputes, follow-up procedures for verifying that the organisation's attestations about its privacy practices are true and that those practices are implemented as presented, and an obligation to remedy problems arising from failure to comply, with sanctions rigorous enough to ensure compliance.