Commerce and International Privacy Activities: The US-EU Safe Harbor Agreement

Report home | Read the report (PDF) | Previous section | Next section

With the adoption of the European Union’s Data Protection Directive [21] in 1995 and its implementation in 1998, much of the concern about transborder data flows of personal information centered on the export restriction policies of the Directive. Article 25 generally provides that exports of personal data from EU Member States to third countries are only allowed if the third country ensures an adequate level of protection. While some countries have been found to provide an adequate level of protection according to EU standards, the United States has never been evaluated for adequacy or determined to be adequate.

The Directive contains several provisions other than the adequacy standard that allow transfer of personal information to third countries under specified conditions (e.g., unambiguous consent). [22] While these provisions solve many problems that might otherwise arise, restrictions on exports of personal data still created some significant problems and uncertainties for both US and EU businesses, including online businesses. The Commerce Department was pressured by the American business community to resolve the threats to data exports presented by the Data Protection Directive, and the Commission did not want to cause a disruption in international data flows while the Directive was being implemented in Europe. [23]

In 1998, the Commerce Department (acting through NTIA) and the European Commission entered into negotiations to create a “safe harbor” agreement that would allow for the export from Europe of personal information and for its processing by US businesses that voluntary and publicly endorse a code of conduct that the EU would accept as meeting the adequacy standard of the Directive. The negotiations, which one scholar described as lengthy and troubled, [24] lasted for two years.

The Safe Harbor framework [25] that emerged from the negotiations allows US organizations to publicly declare that they will comply with the requirements. An organization must self-certify annually to the Department of Commerce in writing that it agrees to adhere to the Safe Harbor’s requirements. There are seven areas of privacy standards covering notice, choice, onward transfer (transfers to third parties), access, security, data integrity, and enforcement. Safe Harbor documentation describes the requirements and provides an interpretation of the obligations. [26] To qualify for the Safe Harbor, an organization can (1) join a self-regulatory privacy program that adheres to the Safe Harbor’s requirements; or (2) develop its own self-regulatory privacy policy that conforms to the Safe Harbor.

The Safe Harbor framework is now operated by the International Trade Administration of the Department of Commerce. The Commerce Department website maintains a list of organizations that filed self-certification letters. Only organizations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation are eligible to participate. This limitation means that many companies and organizations that transfer personal information internationally cannot qualify for participation.

The content of the Safe Harbor Framework has been criticized on several grounds. It is not the purpose of this document to comment on the substance of the Safe Harbor agreement between the United States and the European Commission. A substantive discussion can be found elsewhere, including in documents issued by the Article 29 Data Protection Working Party (an organization of EU data protection officials established under the Data Protection Directive) [27] and by others. [28]

The question considered here is how the Department of Commerce carries out its obligations under the Safe Harbor Framework and whether the Department’s activities enhance or detract from the credibility of Safe Harbor.






[21] Council Directive 95/46, art. 28, on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, 1995 O.J. (L 281/47), available at <http://eur->.

[22] Article 26.

[23] Joel R. Reidenberg, E-Commerce and Trans-Atlantic Privacy, 38 Houston Law Review 717, 739-40 (2001), available at <>.

[24] Id. at 738.

[25] <>.

[26] <>.

[27] See <>.

[28] See, e.g., Joel R. Reidenberg, E-Commerce and Trans-Atlantic Privacy, 38 Houston Law Review 717, 739-40 (2001), available at <>; Tracey DiLascio, How Safe Is The Safe Harbor? U.S. and E.U. Data Privacy Law and the Enforcement of the FTC’s Safe Harbor Program, 22 B.U.I.L.J. 399 (2004); Kyle Thomas Sammin, Any Port in a Storm: The Safe Harbor, the Gramm-Leach-Bliley Act, and the Problem of Privacy in Financial Services, 36 Geo. Wash. Int’l L. Rev. 653 (2004), available at <>;



Roadmap: The US Department of Commerce and International Privacy Activities – Indifference and Neglect: The US-EU Safe Harbor Agreement


Report home | Read the report (PDF) | Previous section | Next section