Trends Report

Brief: EU Safe Harbor Review Impacts US Privacy Processes

European Privacy Regulators Play Hardball With US Safe Harbor Rules And Demand Changes

October 6th, 2014
Andrew Rose
With contributors:
Heidi Shey, Chris Sherman, Christopher McClean, Jennie Duong

Summary

The EU Data Protection Act (DPA) attempts to ensure consistent protection of EU data by prohibiting the transfer of personal information to non-EU countries unless they meet the "adequacy" standard for privacy protection — and the US does not. Rather than crafting specific legal restrictions guaranteeing DPA compliance for every data transfer, many US firms adopt the US-EU Safe Harbor Framework, which is effectively an agreement to abide by the EU data protection principles irrespective of jurisdiction. This Safe Harbor agreement has been in effect since 2000; however, recent NSA leaks have brought the whole US privacy position under severe scrutiny, with Safe Harbor being central to the analysis. For security and risk (S&R) professionals responsible for advising business leaders on the changing regulatory environment, particularly as it relates to privacy, this paper reviews key issues with current Safe Harbor efforts, anticipated changes to the Safe Harbor Framework, and what these changes will mean for businesses with a US presence.
