Commerce Department Issues Procedures for US-EU Safe Harbor on Data Privacy

On November 1, 2000, the US Department of Commerce released the long-awaited procedures for US companies to join the "Safe Harbor" that was approved by the European Union on July 27, 2000. US companies that fail to enter the Safe Harbor face the possibility that EU companies will, as required under EU law, halt transfers of personal information to the United States. In addition, EU subsidiaries of US companies that fail to enter the Safe Harbor, or take other steps to comply with the EU Data Protection Directive (which became effective in 1998), could be prosecuted by European authorities for transferring data to parent companies. At the same time, entering the Safe Harbor subjects US companies to the jurisdiction of the Federal Trade Commission (FTC) and state Attorneys General for compliance, creating significant legal risks and exposure. US companies that fail to live up to their obligations after entering the Safe Harbor face enforcement actions by the FTC, state Attorneys General, and in some states, private rights of action for deceptive trade practices.