Draft
Frequently Asked Questions (FAQs)

FAQ 5 - The role of Data Protection Authorities (1)

Q: How will companies that commit to cooperate with European Data Protection Authorities make those commitments and how will they be implemented?

A: Under the safe harbor, US organizations receiving personal data from the EU must commit to employ effective mechanisms for assuring compliance with the safe harbor principles. More specifically, they must provide (1) recourse for individuals to whom the data relate, (2) follow-up procedures for verifying that the attestations and assertions they have made about their privacy practices are true, and (3) obligations to remedy problems arising out of failure to comply with the principles, and consequences for such organizations. The enforcement principle allows organizations to make a commitment to cooperate with the data protection authorities ("DPAs") in the European Union as one means of satisfying the enforcement principle under the safe harbor. Organizations electing this option would have to follow the notification procedure and other requirements set forth below.

NOTIFICATION PROCEDURE

An organization may commit to cooperate with the DPAs, inter alia, by declaring in a safe harbor notification to the Department of Commerce that the organization:
(1) elects to satisfy (a) and (c) of the safe harbor enforcement principle by committing to cooperate with the relevant DPA(s); (2) will cooperate with the relevant DPA(s) in the investigation and resolution of complaints brought under the safe harbor; and (3) will comply consistent with the Article 25.6 Decisions with any decisions of the DPA where the DPA determines that the organization must take additional steps to comply with the safe harbor principles, including remedial or compensatory measures for the benefit of individuals affected by noncompliance with the principles, and consequences for the organization.

HOW IT WOULD WORK

In safe harbor situations where the US organization had elected to cooperate with data protection authorities, European consumers, employees, or other affected individuals, after raising an issue or complaint with the US organization, would raise unresolved issues with the relevant DPA. The DPA would then turn to the US importing organization with any questions it had about the complaint. Where complaints or other specific concerns lead the DPA to investigate further, the US organization is committed, under its safe harbor notice to the Department of Commerce, to cooperate with the DPA. This would mean, for example, that the US organization would have to respond to inquiries from and otherwise make itself available to the DPA, furnish information or stored data upon the DPA's request, or report on security measures. The US organization would provide requested information to the DPA(s) in Europe. DPAs would not be required to travel to the US to investigate complaints.

Where the parties themselves agreed to steps for resolving the complaint, such as removing an individual from a mailing list or correcting or suppressing certain data, the US organization, pursuant to its cooperation commitment, would be obligated to give effect to such an agreement with respect to relevant data stored in the United States. If the parties are unable to agree on whether there is compliance with the safe harbor principles or on the remedial or compensatory measures to be taken by the US organization, the DPA would take a decision. Again, the US organization would be bound by its public commitment to abide by the results of these procedures.

This should not be unduly burdensome for DPAs. Absent this enforcement option under the safe harbor, DPAs would be obliged in any event to investigate and take decisions on complaints arising from data transfers to the United States.

RATIONALE

The option of committing to cooperate with DPAs is an important enforcement alternative for US organizations for a number of reasons. First, recourse to private sector complaint resolution in the US is not an ideal way to resolve data protection issues arising out of employment relationships based in Europe. Cooperating with DPAs would be a far better alternative for these types of complaints. Second, this enforcement option could allow US organizations to qualify for the safe harbor more quickly than if they had to rely on US-developed self-regulatory mechanisms. It is unlikely that self-regulatory mechanisms will be available for all categories of data transfer to the US as soon as the safe harbor goes into effect. While some private sector programs are in development, complete development and implementation of these and other programs will undoubtedly lag until closure of the safe harbor discussions. Committing to cooperate with DPAs can help to fill this gap. Finally, this option would allow more US organizations to participate in the safe harbor. Some US organizations, either because their business is relatively unique or for other reasons, may find it difficult to find self-regulatory organizations able to address their particular needs. And there may be no US statutory or regulatory agency authorized to hear such complaints. Committing to cooperate with DPAs would allow these organizations nonetheless to qualify for the safe harbor.

1. The EC has indicated that this is a matter for the data protection authorities themselves, who see some legal and practical obstacles to their playing the role outlined in this FAQ. The DPAs understand the reasons for the US request, however, and are discussing what part they could play in hearing and resolving complaints brought by individuals whose data has been transferred from Europe against US organizations in the safe harbor.