

E.U. Safe Harbor


Passed in 1995, the E.U. Data Privacy Directive is the world’s most comprehensive data protection legislation. It requires member states to enact their own data protection laws based on the Directive’s privacy principles. Both government and private entities, including businesses that process employee and consumer data, must abide by the Directive. No data can leave the E.U. unless the transmission goes to a “third country” that provides adequate protection. In other words, data concerning individual Europeans can go only to countries whose data protection laws the European Commission considers adequate to safeguard personal data (PD). The United States does NOT meet the “adequacy” requirement, and therefore, under a strict reading of the Directive’s article 25(1), personal data transmissions to the U.S. would be illegal unless a qualified exception applies.

The E.U. Data Privacy Directive prohibits European firms from transferring personal data to overseas jurisdictions with weaker privacy laws, but creates exceptions where the overseas recipients have voluntarily agreed to meet EU standards under the Directive's Safe Harbor Principles. Is your company Safe Harbor certified? See below:

EU Safe Harbor


  • Compliance with EU Safe Harbor
  • Identification of non-compliant areas and understanding of what actions are needed to comply
  • Proper 3rd party objective demonstration of EU Safe Harbor compliance
  • Avoidance of fines that could result from failing an EU Safe Harbor audit
  • Reduction of the cost, confusion, and complexity of compliance


SecureState’s Audit & Compliance consultants are experts in understanding both the technical aspects as well as the business aspects of your organization. SecureState’s experience and knowledge, developed while working with some of the top Fortune 500 financial institutions in the country and a governing body, provides your organization with a true picture of your compliance with EU Safe Harbor.

Did You Know?

  • Personally identifiable information (PII) may only be exported from EU Countries to countries deemed to provide adequate safeguards. The United States does not meet that standard
  • Therefore, for a US company to receive EU PII, it must achieve Safe Harbor certification
  • The FTC has been tasked with EU Safe Harbor enforcement
  • In August 2009, the FTC announced its first enforcement action (filed in the U.S. District Court for the Central District of California) against a US company, using Section 5 of the Federal Trade Commission Act, which governs deceptive and unfair business practices
  • The FTC has the authority to force companies to rectify misrepresentations and to impose civil penalties of up to $12,000 per day
  • EU Safe Harbor self-certification must be performed annually

Our Approach and Methodology

One of the ways a U.S.-based organization can transfer personal data from the E.U. back to the U.S. and meet the intent of the Directive is to comply with the Safe Harbor requirements. Complying with the Safe Harbor can be a very time-consuming and arduous process. SecureState understands that most organizations do not have the dedicated personnel necessary to understand and build a privacy program that meets the conditions set forth by the Safe Harbor. As such, SecureState’s Project Management Services process aims to alleviate the difficulty of complying by using a proven methodology to assist clients in navigating the Safe Harbor principles and evaluating Safe Harbor compliance through a well thought-out, repeatable process.

SecureState CIPP-certified professionals will perform a Gap Assessment that can be used to:

  • Self-certify to the U.S. Department of Commerce that your company has implemented the seven Safe Harbor principles and abided by any applicable FAQs and DPA advisories
  • Verify that employees and customers have appropriate access to a Safe Harbor privacy policy that embodies the Safe Harbor requirements
  • Accept the jurisdiction of the U.S. Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act (which prohibits unfair or deceptive practices affecting commerce and allows for FTC sanctions)
  • Implement policies, procedures, and controls to ensure that organizations processing personal data received from the E.U. and Switzerland are in compliance with the Safe Harbor requirements
  • Should material gaps exist, SecureState will work with you to build a remediation roadmap before you self-certify with the Department of Commerce

SecureState’s EU SAFE HARBOR Gap Assessment/Pre-Audit approach maps critical information processes to determine if regulatory controls have business impact. The goals are to:

  • Evaluate the effectiveness of your EU SAFE HARBOR compliance program
  • Review EU SAFE HARBOR controls
  • Justify remediation costs

The stages of our EU SAFE HARBOR Gap Assessment/Pre-Audit, with limited descriptions, are as follows:

Onsite Visit:

  • Introduce engagement participants and define roles
  • Review engagement activities
  • Review any applicable documentation

Process Mapping:

  • Document the high level in-scope EU SAFE HARBOR systems and technical infrastructure

Requirements Analysis:

  • Document the existing controls used to protect in-scope EU SAFE HARBOR Assets
  • Identify gaps against the EU SAFE HARBOR requirements


  • Outline strategic recommendations to mitigate identified control gaps
  • Upload remediation activities to MyState Portal

What Makes Us Different

  • Provides comprehensive on-demand privacy and security expertise during the engagement and throughout the year
  • Maintains close relationships with our clients because we care about the outcome of the assessment
  • Supports our clients’ compliance programs with our proprietary “MyState Portal” and a team of qualified security specialists
  • Works with some of the top US financial institutions on EU Safe Harbor compliance