"Safe Harbor" Dispute Resolution Service
The term "Safe Harbor" refers to a series of agreements between the United States, the European Union ("EU") and Switzerland that enable businesses and others in the EU and Switzerland to transfer personal data to the USA without breaching EU member states' or Swiss data protection laws. They also assure nationals or residents of those states that any information relating to and identifying them that may be transferred to the USA in accordance with those agreements will be held and processed with substantially the same degree of accuracy, privacy and security in the USA as it would in their own countries.

"Data protection" is the regulation of the collection, collation, exchange, storage and transfer of information personal data. EU member states are bound by the Data Protection Regulation (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) to enact data protection legislation. The United Kingdom, for example, has passed the Data Protection Act 1998 which require users ("data controllers") and processors of personal data ("data processors") to notify particulars of the personal data they hold and the uses to which they put it an official known as the Information Commissioner and to process personal data in accordance with a set of principles to guarantee the accuracy, privacy and security of the data known as "data protection principles". Breach of those principles can result in enforcement action by the Commissioner or claims in the civil courts by individuals the subject of such data processing ("data subjects") who suffer damage as a result of such breaches.

The USA takes a different approach to data protection. Though the US government and most US multinational companies observe the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ("OECD Guidelines"), Congress and state legislatures have never enacted legislation on the lines of the British Data Protection Act 1998. That does not mean that there are no legal consequences for misuse of personal data in the USA. On the contrary, such wrongdoing can often give rise to civil liability under state law. However, there is no equivalent to the Information Commissioner to whom data subjects can complain and who can investigate and, if necessary, correct breaches of the data protection principles.

The absence of comprehensive data protection legislation in the USA would oblige the British Information Commissioner and other national data protection authorities to prohibit the transfer of personal data to the USA, with dire economic and social consequences for all concerned, were it not for the "Safe Harbor" agreements. These agreements require organizations that want to transfer personal data to the USA to promise to hold and process such data in accordance with a set of principles known as "The Safe Harbor Privacy Principles". An organization that wants to take advantage of the "Safe Harbor" agreements must comply with a number of requirements that are discussed in detail in the "Safe Harbor" framework section of the US government's "export.gov" website.

One of those requirements is a satisfactory independent process for resolving disputes between data subjects and US data holders. NIPC Arbitration is delighted to have been invited to offer dispute resolution services under the "Safe Harbor" scheme for a number of US companies. We have drawn up a set of rules similar to the domain name dispute resolution procedures adopted by ICANN, Nominet and other domain space authorities. This will be an online, documents-only process with a 14-day turnaround for £500 or the equivalent in other currencies.

We are also recruiting a panel of neutrals, the first of whom will be Jane Lambert of NIPC. Ms. Lambert is an arbitrator and mediator who specializes in resolving intellectual property and technology disputes. She sits on the WIPO arbitration, mediation and domain name panels as well as those of a number of other organizations, and some of her domain name decisions can be accessed from her website. Having contributed a number of articles and chapters on EU and English data protection and privacy law over the last 30 years and having appeared as counsel in a number of data protection cases, Ms. Lambert has a thorough understanding of those laws. However, she also has many links with the USA, having attended UCLA graduate school, having taught the Salzburg master's degree course of the University of the Pacific's law school and having been legal advisor to VISA International. It was at VISA in the early 1980s that she first had to resolve difficulties raised by Swedish and Austrian data protection legislation. She therefore understands the practical needs of a big multinational business as well as those of data subjects.

If you believe that you have a dispute with a company that offers to resolve disputes through our "Safe Harbor" dispute resolution service, please read "How to Use the Service".

Last amended 3 Jan 2014