Trans-Atlantic Privacy Protection

Share This Page

If your company transfers consumer data from the European Union to the U.S., you’ll want to know about the U.S.-EU Safe Harbor Program, a voluntary international privacy framework that lets companies transfer data from the EU to the U.S. in a way that complies with EU law.

To participate in the U.S.-EU Safe Harbor Program, a company has to self-certify that it abides by seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. To help your customers in the EU understand the program, point them to Information for EU Residents Regarding the U.S.-EU Safe Harbor Program.

A company that participates in the program can let consumers know by sending out a press release that includes the Safe Harbor certification mark, displaying the Safe Harbor certification mark on its website, or mentioning its Safe Harbor certification in its privacy policy. But a business that says it complies has an obligation to live up to that promise. The FTC has sued companies that claimed they had valid Safe Harbor certifications but had allowed their certifications to lapse, improperly used the Safe Harbor certification mark, or didn't comply with the Safe Harbor principles.

The Department of Commerce website has more information about the Safe Harbor program and a list of companies that currently participate. The FTC’s U.S.-EU Safe Harbor Framework page has guidance materials and details about the agency’s Safe Harbor law enforcement efforts.

 

Comments

Why does the FTC enforce European Union's rights or privileges under the UELA?

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.