The U.S. government and the European Union have agreed to a safe harbor certification that enables U.S. organizations to receive, store or process data received from EU entities. Safe harbor certification, however, would not protect a U.S. group’s subsidiary, branch or affiliate operations in the EU from the application of data protection laws in any member country.
The current situation in Europe is based upon the enactment in the EU of the 1995 European Data Protection Directive, 95/46/EC. The directive requires all EU member states to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.” This protection is applicable not only to electronic data; it is applicable as well to manual data.
Each EU member state was obliged by the directive to enact laws governing data processing in order to protect EU citizens. Eight principles were enunciated by the directive. One in particular prohibits the transfer of data outside the European Economic Area (the 15 EU member states plus Iceland, Norway and Liechtenstein), unless the country to which it is transferred ensures an adequate level of protection.
Before the directive was implemented, the United States was not recognized by the EU as providing the required adequate protection. Extensive negotiations then ensued between the European Commission and the U.S. government in order to resolve the serious and potentially damaging rift. With respect to non-financial transactions, the lead U.S. negotiating body was the Department of Commerce.
The resulting agreement for firms other than financial institutions was the safe harbor. The EU agreed that where the United States controlled and enforced the certification of the U.S. entity, it would then be recognized as providing