|Title:||Safe Harbor Privacy Principles|
|Topic:||Export of personal data from a data controller who is subject to E.U. privacy regulations to a U.S.-based destination|
|Direct / indirect relevance:||Direct. Entities wishing to accede to the Safe Harbor are required to assess security measures with regard to data processing and to take the required security precautions.|
|Scope:||Voluntary adherence by the affected U.S. entities|
|Legal force:||Voluntary self-certification. The voluntary character is relative, since the data controller must comply with E.U. privacy regulations, but alternative methods of compliance (such as the model clauses discussed below) exist.|
|Affected sectors:||Generic export of personal data to a U.S. entity|
|Relevance to RM/RA:||Before personal data may be exported from an entity subject to E.U. privacy regulations to a destination subject to U.S. law, the European entity must ensure that the receiving entity provides adequate safeguards to protect such data against a number of mishaps.
One way of complying with this obligation is to require the receiving entity to join the Safe Harbor, by requiring that the entity self-certify its compliance with the so-called Safe Harbor Principles. If this route is chosen, the data controller exporting the data must verify that the U.S. destination is indeed on the Safe Harbor list (see http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list).|