A safe harbour, by definition, is a provision of a regulation or a statute that specifies that certain types of conduct will be deemed not to violate given rules. More particularly, the safe harbour law was instituted by the European Commission and the U.S. Department of Commerce to assist U.S. companies comply with the Commission’s directives on the protection of the personal data of European citizens.

Currently, a number of states have passed some form of safe harbour law. These include Washington, Vermont, New York, New Jersey, Minnesota, Massachusetts, Illinois, Florida and Connecticut. The Texas Supreme Court also ruled to similar effect, adding the state to this list.

Understanding the Safe Harbour Law

The safe harbour law is the agreement between the EU and the U.S. that regulates the way U.S. enterprises can export products and handle the personal data submitted by European citizens in the course of these international transactions.

The main goal of the law is to provide a single set of requirements for data protection. As such, the law protects the data transferred across the borders of the countries and states who have joined the safe harbour program/collective.

The agreement also requires that the U.S. companies collecting personal data must:

– Inform European clients that they are collecting their personal data

– Inform the clients what intend to do with the data

– Gain the clients’ permission to send the information to a 3rd party

– Give the clients full access to the data so gathered

– Ensure the integrity and security of the data collected

– Provide ways and means to ensure compliance with the specifications of the safe harbour law

History of the Safe Harbour Law

Initially established in 2000, this law was originally that was set up as a response to the European Commission’s directive on Data Protection. In 2015, however, the European Court of Justice effectively overturned this agreement by ruling that each of the 28 countries comprising European Union should be allowed to determine how their citizens’ personal information can be collected online and used.

Although this decision doesn’t automatically put an end to the transfer of data between the United States and Europe, it effectively allows individual national regulators to suspend such transfers. This is especially so if the national regulators find that the U.S. company in question doesn’t have adequate data protection mechanisms in place.

To this end, U.S. companies must receive certification from relevant authorities to show that they comply with this law, and with the requirements it entails.

Safe Harbour Eligibility 

At the moment, only those organisations that are subject to the jurisdiction of the FTC (Federal Trade Commission) or U.S. ticket agents and air carries that are subject to the DoT (Department of Transportation) can participate in the safe harbour program.

Organisations that are typically not subject to FTC jurisdiction include financial institutions (savings and loan institutions, credit unions, investment houses and banks), meat processing facilities, agricultural cooperatives, non-profit organisations, labour associations, and telecommunication common carriers. Additionally, the jurisdiction of the FTC with respect to insurance activities is limited to certain special circumstances.

In case you are not sure about whether your organisation/company falls under the jurisdiction of the DOT or the FTC, get in touch with these agencies. This is because there are certain exceptions to general ineligibility. You can also learn more about the safe harbour by getting in touch with either the European Commission or the U.S. Department of Commerce.