Editor’s note: Abby Devine is the director of government and public affairs for CASRO, Port Jefferson, New York. This is an edited version of a post that originally appeared here under the title, “Handling data from Europe? You best understand safe harbor.”

Does your company receive or manage data that originated in the European Union or Switzerland? If so, is the transfer of that EU and Swiss data in compliance with the European Commission’s Data Protection Directive?

Every day, U.S. research companies transfer vast amounts of personal data from EU citizens across borders. Because EU rules about data protection are different from those in the U.S., all of these transactions must comply with the European Commission’s Data Protection Directive.

Under EU law, personal data can be gathered legally only under strict conditions, and companies that collect and manage personal information must protect it from misuse and respect certain rights of the data owners that are guaranteed by EU law. The European Commission’s Data Protection Directive also supports specific rules for the transfer of personal data outside the EU to ensure the best possible protection of personal data when exported abroad.

The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks provide a method for U.S. companies to transfer personal data that originates in the EU and Switzerland in a way that is consistent with the European Commission’s Data Protection Directive. To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with the seven Safe Harbor Privacy Principles. The seven Safe Harbor Privacy Principles are:

  1. Notice – Notify individuals about the collection of their personal data.
  2. Choice – Give individuals choices regarding certain uses of their personal data.
  3. Data Integrity – Ensure the accuracy and integrity of personal data.
  4. Access – Allow access to, and if necessary correction of, personal data.
  5. Security – Protect the security of personal data.
  6. Onward Transfer – Comply with restrictions on further transfers of personal data.
  7. Enforcement – Provide an independent dispute resolution mechanism for privacy complaints concerning European personal data that is collected, received or processed.

The Federal Trade Commission enforces the promise that companies make when they self-certify their participation in the Safe Harbor, and throughout 2014 the FTC has stated that enforcement of the U.S.-EU Safe Harbor Framework is a priority.