Safe – harbour

In 2015 we observe that more and more Polish companies decide to move the main seat to the United States. At the same time, there is an increasing number of American companies moving their business to the European Union. However, the law in the EU and USA differ significantly. Today, we will discuss these differences, in particular, the privacy policy, which is in force in the EU.

Introduction
As we all know, the European Union is a large political and economic union, consisting of 28 countries of the total population of 500 million people. Economical wealth of the EU attracts numerous American companies. However, most of these companies are completely not familiar with the law concerning privacy at the area of the European Union. In fact, this issue is still an unmentionable subject for many American companies and many of them regard American courts and law as the first instance for matters related with the privacy policy, while the European legislation is regarded as a marginal aspect. The aim of this article is to explain which categories of American companies are within the scope of the EU law concerning the privacy policy. Next, we discuss the ways American companies are able to achieve a full compliance with EU provisions on personal data protection. The article ends with a brief conclusion.
Types of American companies falling into the scope of provisions concerning privacy protection in the European Union
This part of the article presents the categories of American companies subject to current law concerning privacy protection. Next, we present American companies falling into the legal scope of the new directive, which is to replace the current privacy policy.
Current community law concerning privacy protection and personal data protection
Current EU law concerns, in general, two cases. In the first one, a personal data administrator has its seat at the area of the European Union. In the second one, a personal data administrator uses the equipment located in the area of the European Union solely for the aims of personal data processing. Below, we discuss both cases in details.
A company is seated in the European Union
The Court of Justice of the European Union perfectly explained the concept of a seat, stating that a stable formation of a company’s seat in the area of the European Union requires that both human resources and technical resources, which are indispensable for serving particular services, should be located and continuously available in the area of the European Union. Thus, if we have only a computer or a server in the EU area, it is probable that it is not regarded as a seat as the server is treated only as a technical object or an instrument for data processing. On the other hand, an American company does not have to have a legal personality in the EU area. One example of such situation is Google, which used so called right to be forgotten. In May 2014, Court of Justice of the European Union made the decision in the case against Google company and perfectly explained the concept of a seat. In particular, the Court of Justice sentenced that if there are any economical relations between a company from a non-EU country and its branch located in the EU, provisions of the law on privacy protection and personal data processing concern also this company from a non-EU country, provided that it offers services in the European Union. More precisely, the Court of Justice stated that if Google Espania has profits from the sales of ads and it is a subsidiary of Google Inc., this means that both companies are related at an enough level as well as with the service of searching for information, which is offered by Google Inc. This means that, according to the Court of Justice of the European Union, the activity of Google Espania is subject to the privacy protection law in force in the EU and at the same time, this obligation is valid also for Google, if it wants to offer own services in the European Union.
Sole use of equipment located in the European Union
The right to privacy which is in force in the European Union does not define the concept of equipment in a detailed way.Thus, this concept can be really widely understood. Below, you can find two examples of definitions of equipment within the meaning of the European Union law.
First, let us assume that there is a company from Australia, which collects and processes personal data, stored in mobile phones of users living in the European Union. The activity of this company should be completely compatible with the community law concerning the privacy protection. This happens because a mobile phone is defined as a piece of equipment, in accordance with provisions of the Court of Justice. Secondly, let us imagine that there is a company offering cloud computing services and allows individuals to send information and arrange private meetings.
The activity of such company in the European Union should be fully compatible with the EU privacy protection law, provided that this company processes these data using servers located in the area of the European Union. At the same time, we must notice that using the community law on privacy protection is not valid when the equipment only and solely serves the transit role, what means that it sends the selected data. At the same time, this law will be applicable when the devices start to generate cookies, execute computing processes and use any Java Scripts.

New directories concerning privacy protection
The European Union is planning to accept a new act on the privacy protection called General Data Protection Regulation (GDPR). The proposal to introduce GDPR dates back to 2012 and if it is accepted, it will enter into force in 2017. GDPR is applicable to natural or legal persons seated in the European Union and natural or legal persons that process personal data of the EU citizens. In brief, GDPR provisions will be used for all companies that process personal data of the European Union citizens.
Providing conformity with EU regulations
The United States Department of Commerce, in concept with the European Commission, developed so called safeharbour framework, known also as US-EU Safe Harbour Framework. The safe-harbour provides American companies’ conformity with the EU law concerning privacy protection. It is defined by seven rules: notification, choice, further relaying, access, safety, data integrity and executing. Let us discuss all these rules.
The first element is notification. An American company, in order to meet this rule, should inform people whose contact data are collected, informing them also about the aim of their use. The aims should be specified in details. Additionally, the company should provide own contact details, types of third parties whom it reveals personal information and means which it uses in USA in order to limit the use and revealing of the personal data.
The choice rule consists in that all persons were able to choose whether their personal data can be revealed to third parties for the aims not consistent with the primal aim for which the personal data were originally collected. What is more, if an American company plans to reveal confidential data to third parties or to use them in any other way than the original purpose, the company should state all persons or institutions to which it relays the personal data and the detailed information concerning what information was collected at such situation. These information should be relayed explicitly.
Another rule is further relaying.
If an American company intends to relay personal data to any third party, it must assure that this third party meets the requirements of USA-EU Safe Harbour Framework.
There is an alternative solution in such situation. If an American company intends to relay personal data to a third party, it should conclude a written agreement with this third party, which specifies that the third party provides the same level of information safety as it is required by USA-EU Safe Harbour Framework.
Another element is the access. This requires from all American companies which process personal data in the European Union to provide an access to the personal data to persons whose data are collected and to provide the possibility to correct, change or delete personal data.
The next rule is safety. Obeying the safety rule obliges American companies to use best efforts to assure that all personal data of various persons are collected in a way protecting them from an unauthorised activities such as abuse or damage.
Next, let’s focus on the data integrity. This rule requires from American companies that they collect all personal data which are essential for the aims they are used for.
The last rule is execution. It requires American companies to have mechanisms for submitting individual complaints and their recording, verification procedures allowing unambiguous stating that a particular company has an implemented SafeHarbour Framework and an obligation to solve all problems related with nonconformity with Safe-Harbour Framework. Most often, the verification of these companies is conducted by the United States Department of Commerce).
However, there is another important issue. An additional execution of realising Safe-Harbour Framework can be done by the Federal Trade Commission or other federal agencies, which are empowered to execute promises made by American companies. For example, the Federal Trade Commission may state that a company does not obey the promise of being strict with Safe-Harbour Framework what is a violation of regulations of the Federal Trade Commission, in which this body forbids all unfair and misinforming practices. In 2010, the Federal Trade Commission brought legal proceedings against several American companies which did not obey Safe-Harbour Framework, despite they had obliged to it.
Certificate of conformity with the EU privacy protection law
Each American company which obliged itself to obey SafeHarbour Framework should annually submit the certificate of conformity with Safe-Harbour to the United States Department of Commerce. The evaluation whether a particular company meets all seven rules can be conducted by the company itself or by private companies. Below, you can find examples of such companies.
Certification programs offered by private companies
This section discusses two programs which can confirm the conformity with USA-EU Safe Harbour Framework. The first of them is TRUSTe, while PrivacyTrust is the second one.
The TRUSTe privacy policy evaluation program allows companies checking their conformity with USA-EU Safe Harbour Framework and help them in own certification at the United States Department of Commerce. Additionally, this program encompasses the procedure of settling disputes over the storage of personal data in accordance with SafeHarbour Framework.
PrivacyTrust serves similar aims and attests the conformity of American companies with Safe-Harbour Framework. It additionally allows provision of support before and after the self-certification.
Conclusions
This article shows that it is possible to require American companies to obey provisions of privacy protection determined by the Court of Justice of the European Union, even if such companies do not have a seat in the EU. For example, using a server to store personal data, located in the European Union, is a sufficient reason to act strictly with the EU regulations.
A good information for American companies is that they do not have to know all regulations concerning the privacy in all 28 member states in order to be compatible with the privacy policy. Such conformity may be achieved by using solely Safe-Harbour Framework.
If American companies act strictly with all seven rules described in this article, they can apply to the United States Department of Commerce for the conformity certificate. The list of companies having this certificate is available at: https://safeharbor.export.gov/list.aspx. If a company does not have a conformity with Safe-Harbour Framework, two above mentioned companies may help it in acquiring such certificate.

Przeczytaj ten artykuł w wersji polskiej: http://www.businessmantoday.org/safe-harbor/