DOCUMENT Magazine - June 2008 - (Page 10)

>> Safe Harbor Program: In 2000, the US Department of Commerce and the EU created the Safe Harbor Program, which is generally a self-regulated program whereby companies enact a privacy policy that provides adequate safeguards for the protection of personal data under the EU Directive. Companies that participate in the Safe Harbor Program must self-certify each year with the Department of Commerce and state in their privacy policies that they adhere to the Safe Harbor Principles. Companies participating in the Safe Harbor Program must provide a means of recourse, both private and public, to individuals alleging violations of the company’s privacy policy. Once a company is accepted in the Safe Harbor Program, it is added to the list of Safe Harbor companies maintained by the Department of Commerce. Companies that are not subject to regulation by the Federal Trade Commission, such as those regulated by the Securities and Exchange Commission or the Department of Transportation, may not be eligible for participation in the Safe Harbor Program.

>> Data Protection Agreements and Binding Corporate Rules: Companies that are unwilling or unable to participate in the Safe Harbor Program have two other options. The EU has approved two sets of Data Protection Agreements or “model contractual clauses,” which are used between a data exporter (the company) and a data recipient (i.e., a law firm). The agreements create an enforceable pledge that the data importer will comply with the EU Privacy Directive, will respect the data subject’s privacy rights and allow audits of its data-handling methods. One drawback to such agreements is that they cannot be used to facilitate intra-company transfers of data between business units located in different countries because a company cannot contract with itself.
The EU has also been working on the idea of “binding corporate rules,” whereby a large multinational enterprise can commit itself to a binding set of corporate rules regarding data transfer and the protection of privacy. The corporation must ensure that the corporate rules are internally binding throughout the entire enterprise, and the proposed rules must be approved by each individual EU Data Protection Authority. So far, very few multinational companies have obtained full EU approval of their proposed binding corporate rules.

CROSSING THE INTERNATIONAL BORDER OF DATA DISCOVERY

Now more than ever, companies are likely to find themselves subject to a discovery request or order in a domestic litigation that requires them to obtain data or information that is located overseas. Given the wide-ranging and often conflicting rules regarding the collection and production of data overseas, companies that can anticipate receiving such a request would be well-served by preparing in advance. Companies should identify where their data and ESI are located and work with local counsel who are experts in the privacy rules and regulations of that jurisdiction to identify areas that could hamper production of information in a domestic lawsuit. Corporations should consider whether participation in the Safe Harbor Program or adopting a Data Protection Agreement would be viable given their particular circumstances. Above all, companies faced with a collection of ESI located in a foreign country should approach with caution and not simply assume that because the collection has been ordered by a US court they can proceed as they would with data located in the US.

Edwin M. Larkin is a litigation partner in Winston & Strawn’s New York office. He is also the vice-chair of the firm’s e-discovery and electronic information practice group. For more information, email elarkin@winston.com.