A bit of background … Effective in 2000, the Safe Harbor Framework was established jointly by the U.S. Department of Commerce and the European Union (EU). One of its purposes was to facilitate trade between European countries and the U.S. by streamlining data flows between countries. Safe Harbor allowed U.S. companies to self-certify compliance with the privacy principles of the European Union Data Protection Directive and, as a result, legally transfer private consumer data between European Union countries and the U.S. According to its critics, however, the Safe Harbor Framework allowed private data to flow from European Union countries to the U.S. without adequate protections being in place.
U.S. privacy practices have long been considered inadequate, particularly when compared to privacy practices in Europe. Under European Union law, citizens have a right to privacy and to protection of their personal data. Privacy advocates claim those privacy rights are violated by U.S. surveillance programs that allegedly expose EU citizens to indiscriminate surveillance as was demonstrated in the Edward Snowden matter. In 2013, the Safe Harbor Framework was legally challenged because it facilitated data transfer to the U.S. without proper privacy protections being in place. The resulting ruling, announced just last week, has the potential for widespread impact on European Union and U.S. businesses and their trade relationships.
The ruling… On October 6, 2015, the European Union Court of Justice (COJ) effectively invalidated The Safe Harbor Framework. Although the COJ did not declare it illegal, the immediate effect self-certification to the Safe Harbor Framework no longer provides a blanket seal of approval as to the adequacy of privacy protections, nor does it constitute a legally valid basis for the transfer of private consumer information between European Union countries and the U.S. The ruling allows national data protection authorities in EU countries to review data transfers on an individual basis and suspend organizations whose privacy practices are deemed inadequate.
So, what does that mean to your international background screening program and to EBI as your screening partner?
Your background screening program with EBI will not change. EBI will continue to conduct background screening, based on the checks you order and the legal availability of information, in countries outside the U.S., including European Union countries. Processes will remain the same, one of those important processes being completion of an EBI International Disclosure and Authorization by your applicant/employee before any background checks are conducted.
EBI has long demonstrated our commitment to quality, security, and customer service through (among other things) our third party certifications like ISO 27001 for security, ISO 9001 for quality, and NAPBS Accreditation for industry best practices. Safe Harbor was, and remains, one of our third party certifications with EBI self-certifying compliance beginning in 2007. As one of about 4,500 self-certified companies, EBI agreed to comply with data privacy principles as provided in the European Union Data Protection Directive when transferring private data of consumers from European Union counties to the U.S. and vice versa. EBI’s Safe Harbor certification, however, did not stand alone as the legal basis for data transfer. Rather, explicit consent through the disclosure and authorization process provides the legal cornerstone for data transfer to conduct background screening in European Union countries.
The Data Protection Directive provides five exceptions (called “derogations”) by which personal data may be legally transferred from the European Union to the U.S. One such method is when “the data subject has unambiguously given his consent.” Organizations transferring data are cautioned that European data protection regulators interpret this legal exception very narrowly and stress the importance of explicit, unequivocal consent. This underscores the importance of the EBI International Disclosure and Authorization and why, even if you use your own international disclosure and authorization form, EBI still requires your applicant/employee complete our international disclosure and authorization form.
Finally, even if your organization complies with one of the other Data Protection Directive methods for the legal transfer of consumer data (such as “Model Clauses” or “Binding Corporate Rules”) that compliance method will not suffice for background check purposes. For your protection and that of your applicants/employees, we will continue to require the EBI International Disclosure and Authorization form for a background check outside the U.S.