Safe Harbor Privacy Principles

Safe Harbor Privacy Principles issued by the US Department of Commerce on July 21, 2000

Published under Risk Management
Title: Safe Harbor Privacy Principles
Source reference:
Topic: Export of personal data from a data controller who is subject to E.U. privacy regulations to a U.S.-based destination
Direct / indirect relevance: Direct. Entities wishing to accede to the Safe Harbor are required to assess security measures with regard to data processing and to take the required security precautions.
Scope: Voluntary adherence by the affected U.S. entities
Legal force: Voluntary self-certification. The voluntary character is relative, since the data controller must comply with E.U. privacy regulations, but alternative methods of compliance (such as the model clauses discussed below) exist.
Affected sectors: Generic export of personal data to a U.S. entity
Relevance to RM/RA: Before personal data may be exported from an entity subject to E.U. privacy regulations to a destination subject to U.S. law, the European entity must ensure that the receiving entity provides adequate safeguards to protect such data against a number of mishaps.

One way of complying with this obligation is to require the receiving entity to join the Safe Harbor, by requiring that the entity self-certifies its compliance with the so-called Safe Harbor Principles. If this road is chosen, the data controller exporting the data must verify that the U.S. destination is indeed on the Safe Harbor list (see
