top of page

Where to Find Safe Harbor

Despite the fact that EU invalidated the safe harbor scheme developed by the U.S. Department of Commerce this past October (see the Litigation Support Tip of the Night for October 11, 2015), the program continues to be adminstered. A detailed description of the program is available at, . There is a separate framework for data transfers from Switzerland. Commerce requires organizations to self-certify and just reviews submissions for completeness. Amongst other requirements, the organization has to have the following:

1. A privacy policy for personal information received from the EU.

2. A contact office for handling issues arising under the Safe Harbor program.

3. A list of any privacy programs of which it is a member.

4. Jurisdiction under a body of some kind that hear claims against the organization for violations of privacy laws.

5. An independent recourse mechanism available to investigate unresolved complaints.

6. A method of verification of its statements about its privacy practices.

See this page. Commerce's acceptance of an organization's self-verification seems especially problematic to me. On this page, the Department states that you can verify simply by having a corporate officer sign a statement once a year attesting to the fact that its policy conforms, that there are in-house procedures for handling complaints, periodic checks are made to test its compliance, and that employees are trained on how to follow the policy, and disciplined for violating it. It would be better to require organizations (at least those with sufficient resources) to engage outside parties to test compliance, as the Department suggests, through "auditing, random reviews, use of 'decoys,; or use of technology tools".

The site includes a list of organizations which have been deemed to comply with the safe harbor standards. See: . You can either search by an organization's name, or search for organizations in a particular field, located in a particular area. For example, you can search under 'Legal Services' for businesses in New York that comply with safe harbor. You get a list of organizations (with both current and non-current certification), such as Cleary Gottlieb, DOAR, Harris Beach, Integreon, Tower Legal Solutions, and Weil Gotshal. It also specifies the kind of personal data the organziation is certified for - off- line; on-line; manually processed; human resources; case data; customer data; and so forth.

The site also provides more detailed company specific information, including links to privacy statement, contact information for chief privacy officers, and list of countries from which data is received. See for example this page for Microsoft:

bottom of page