How do we comply with "US-EU Safe Harbor" laws?

Question

Hello! We are an Invoicing SaaS startup and recently launched a campaign to expand our customer base beyond North America. A potential customer from Europe has asked us if we were in compliance with US-EU Safe Harbor regulations. I would like to know what exactly the requirements are to comply with this regulation. How is this relevant to us?


Answers: 1 public & 0 private

Andrew Green
Attorney

The US-EU Safe Harbor regulations are relevant to you because, as you said, you are an Invoicing SaaS company looking to expand your services beyond North America to include Europe. You did not mention all the details of your business, but relevantly speaking, presumably you would be delivering your software across nation borders via the Internet.

As a bit of background on the U.S.-EU Safe Harbor regulations, the European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) "adequacy" standard for privacy protection. The United States and EU have different approaches to privacy. A "safe harbor" framework was developed between the two entities to bridge the differences and provide a streamlined and cost-effective means for U.S. organizations to satisfy the Directive’s “adequacy” requirement.

Compliance is important to you as a U.S. organization, as it provides a way to avoid experiencing interruptions in your business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws.

There are seven requirements for you to comply with: (1) Notice; (2) Choice; (3) Transfers to third parties; (4) Access; (5) Security; (6) Data Integrity; and (7) Enforcement.

(1) Notice: You must notify individuals about the purposes for which you collect and use information about them, if at all. You must provide information about how individuals can contact you with any questions or complaints, the types of third parties to which you disclose the information (if at all), and the choices and means you offer for limiting its use and disclosure.

(2) Choice: you must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.

(3) Transfer to Third Parties: This requirement may not apply to you depending on your operations, but I will provide the information anyway. To disclose information to a third party, you must apply the notice and choice principles above. If you wish to transfer information to a third party that is acting as your agent, you may do so if you make sure that the third party subscribes to the Safe Harbor Privacy Principles or is subject to the Directive or another adequacy finding. Alternatively, you can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.

(4) Access: Individuals must have access to personal information about them that you would be holding and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

(5) Security: You must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

(6) Data Integrity: Personal information that you would hold would have to be relevant for the purposes for which it is to be used. You should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

(7) Enforcement: In order to ensure compliance with the safe harbor principles, you must provide (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments you make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by you. If you fail to provide annual self certification letters, you will no longer appear in the list of participants and safe harbor benefits will no longer be assured.
