 
TRUSTe - Make Privacy Your Choice

EU Safe Harbor

Frequently Asked Questions

Who should apply for the EU Safe Harbor program?

What are the benefits of complying with EU safe harbor framework?

What happens if my company does not comply with the safe harbor framework?

My company is an Internet company based in the U.S. Does my company need to comply with the EU safe harbor framework?

My company is not an Internet company. Do I still need to join the EU Safe Harbor program?

What are the components of the TRUSTe EU Safe Harbor Privacy Program?

I am already a member of the TRUSTe Web seal program, why do I have to sign an additional addendum and pay an added fee?

What is the TRUSTe EU Safe Harbor Offline Dispute Resolution Program?

Why should my company join the TRUSTe EU Safe Harbor Offline Dispute Resolution Program?

How does my company join the TRUSTe offline dispute resolution program?

My company does not have a Web site. Can we still join your offline dispute resolution program?

What dispute resolution process will be used?

Why should my company join the TRUSTe EU Safe Harbor Web Privacy program?

What does my company need to do to join the TRUSTe safe harbor web privacy program and self-certify to the Department of Commerce?

Q: Who should apply for the EU Safe Harbor program?
A:
If your company is doing business in Europe and you receive personal information, you should review with your legal counsel how your company is meeting the adequacy requirements of the European Directive on Data Protection.

Q: What are the benefits of complying with EU safe harbor framework?
A:
The EU safe harbor framework provides predictability and continuity for U.S. and EU companies. All 15 EU member states are bound by the European Commission's finding of "adequacy," a provision that indicates fulfillment of legal requirements.

Therefore, your company need only comply with the safe harbor framework rather than 15 different member state laws. Companies are deemed adequate upon complying with the safe harbor framework, so there is either no need for prior approval or such approvals are automatic.

Finally, the EU safe harbor framework provides U.S. organizations with a clear set of rules for dealing with EU authorities and prevents EU authorities from unfairly targeting U.S. companies.

Q: What happens if my company does not comply with the safe harbor framework?
A:
According to the EU Directive on Data Protection, Data Protection Authorities in the individual member states must stop all data flows to companies that are not deemed adequate. In practice, Data Protection Authorities will have several mechanisms to ensure compliance, including legal recourse and negative publicity campaigns. Clearly, failure to comply with the EU Data Protection Directive can harm a U.S. company's ability to do business in or expand business to Europe.

Q: My company is an Internet company based in the U.S. Does my company need to comply with the EU safe harbor framework?
A:
While the law is unclear as to what types of companies should become safe harbor compliant, our advice is to consider the following scenarios:

  • Internet companies whose brand is global in nature are likely to be accessed by European citizens and should comply with the safe harbor framework.
  • Internet companies that are targeting European citizens through media and advertisement should comply with the safe harbor framework because they are likely to receive information about European citizens.

At a minimum in either scenario, joining a safe harbor program ensures that you are handling European data appropriately. You should also check with your legal counsel.

Q: My company is not an Internet company. Do I still need to join the EU Safe Harbor program?
A:
If you receive personal information from European citizens, then you need to comply with the EU Data Protection Directive. To fulfill some of the requirements of the EU law, we have created a dispute resolution mechanism for offline privacy-related complaints.

Q: What are the components of the TRUSTe EU Safe Harbor Privacy Program?
A:
There are two main components to the TRUSTe EU Safe Harbor Privacy Program. They include:

  • Web Site Privacy Certification and Oversight: Similar to the current TRUSTe Privacy Seal program, TRUSTe will provide a certification program for data gathering and dissemination practices conducted via a Web site. The Web site privacy program will include enforcement of privacy policies–through quarterly monitoring and seeding–as well as the TRUSTe Watchdog Alternative Dispute Resolution mechanism.
  • Online and Offline Dispute Resolution: As a requirement for companies to meet the safe harbor privacy framework set forth by the Department of Commerce, TRUSTe will provide an alternative dispute resolution mechanism for Web based and offline privacy-related disputes. Under the requirements of the TRUSTe EU Safe Harbor program, all companies must seek certification for the Web site privacy practices as a prerequisite to consideration for the offline dispute resolution program.

Q: I am already a member of the TRUSTe Web seal program, why do I have to sign an additional addendum and pay an added fee?
A:
There are additional requirements that must be fulfilled for companies that are meeting the safe harbor requirements rather than the general web seal program. Additionally, TRUSTe takes on additional liability and reporting requirements of aggregate data to the Department of Commerce and the European Commission for companies that are signing up to the Safe Harbor requirements.

Q: What is the TRUSTe EU Safe Harbor Offline Dispute Resolution Program?
A:
Any company that wants to become fully safe harbor compliant must provide third-party dispute resolution both online and offline. TRUSTe will provide qualified companies with third-party dispute resolution for all privacy complaints.

Q: Why should my company join the TRUSTe EU Safe Harbor Offline Dispute Resolution Program?
A:
This program builds on the knowledge and experience that TRUSTe has gained providing privacy-related dispute resolution since 1997.

Q: How does my company join the TRUSTe offline dispute resolution program?
A:
Your company must first become a member of the TRUSTe EU Safe Harbor Web Privacy program. Your company should then submit an offline dispute resolution license agreement, a safe harbor compliant privacy statement, a document outlining your company's internal procedures for implementing its privacy practices, a copy of the verification letter required by the Department of Commerce, and a check for the appropriate fee. Once this has been done, TRUSTe will contact you for any further information and the final approval.

Q: My company does not have a Web site. Can we still join your offline dispute resolution program?
A:
Yes. However, if your company creates a Web site at a later date, you must immediately notify TRUSTe and apply for the Safe Harbor Web Privacy program.

Q: What dispute resolution process will be used?
A:
Online and offline complaints will follow the same dispute resolution process. For offline complaints, TRUSTe may receive complaints via email, fax, or mail. For Web-based complaints, TRUSTe may only receive complaints via email. An additional 10 business days are added to the existing dispute resolution process. Presently, all complaints must be in English unless you have signed up for International Services.

Q: Why should my company join the TRUSTe EU Safe Harbor Web Privacy program?
A:
The TRUSTe Web safe harbor program provides U.S. companies with the following benefits:

  • Clear guidelines for what a company must do to be safe harbor compliant;
  • Assistance in creating a safe harbor compliant privacy policy;
  • Fulfillment of a company's need for verification of their privacy procedures; and
  • Fulfillment of a company's need for third party enforcement of the safe harbor for individual consumers.

Q: What does my company need to do to join the TRUSTe safe harbor web privacy program and self-certify to the Department of Commerce?
A:
Similar to the current TRUSTe Privacy Seal Program, the process for becoming a safe harbor licensee contains several steps.

  • STEP 1. Complete the TRUSTe license agreement, safe harbor addendum, the privacy statement, and the verification documentation and submit these with appropriate payment.
  • STEP 2. A TRUSTe Account Manager will review these documents and conduct a Web site audit. If the site meets the standards of the TRUSTe program, it will be certified as a Safe Harbor Privacy Program licensee. Upon certification, TRUSTe will allow the site to display the TRUSTe EU Safe Harbor privacy seal.
  • STEP 3. Once the Web site portion of a company's information practices has been certified, the account manager will review the application for offline dispute resolution services.
  • STEP 4. The company must inform the consumer of TRUSTe's service in all subsequent communications to the consumer.
  • STEP 5. The company self-certifies to the Department of Commerce that it is safe harbor compliant. This can be done through the Department of Commerce Safe Harbor site at www.export.gov/safeharbor.



 

Sponsor: America Online
© 1997 - 2008 TRUSTe. All Rights Reserved.