InformationintheContextoftheEU-USSafeHarbor Framework
I.Introduction
Theterm"SafeHarborAct"canrefertovariouspiecesoflegislation.WithintheUnited States,forinstance,theSafeHarborActinNewYorkStatewasinitiallydra�edwith theprimarygoalsofceasingthecriminalizationofchildvictimsofdomesticsex tra�ckingandestablishingessentialservicesandlegalauthoritytosupportthese victims1.Thislegislationaimedtorecognizethatchildrensubjectedtocommercial sexualexploitationarevictimsofcrimes,notperpetrators,andtoprovidethemwith necessarycareandprotection1.Thepassageofsuchlawsacrossnumerousstates signi�esanationalmovementtowardssafeguardingexploitedyouth1.However,inthe contextofinternationaldataprivacyandtheuser'squeryreferencingGDPR,theterm "SafeHarbor"mostlikelypertainstotheInternationalSafeHarborPrivacyPrinciples, alsoknownastheEU-USSafeHarborFramework.Thisframeworkwasestablishedto governthetransferofpersonaldatabetweentheEuropeanUnionandtheUnited States4 .
Theuser'squerycentersontheimplicationsofastatementindicatingthattheir organizationonlyprovidespubliclyavailableinformationundertheSafeHarborAct, particularlyconcerningpotentialderogationsofprivacyandviolationsoftheGeneral DataProtectionRegulation(GDPR) Thisreportaimstoprovideacomprehensivelegal analysisoftheGDPRimplicationsassociatedwithprocessingpubliclyavailable information,especiallywithinthehistoricalcontextoftheEU-USSafeHarbor Framework.Theobjectiveistoassessthevalidityandpotentialrami�cationsofthe user'sproposedstatementundercurrentdataprotectionregulations.
II.HistoricalOverviewoftheEU-USSafeHarborFramework
TheEU-USSafeHarborFrameworkemergedfromtheneedtobridgethedi�ering approachestodataprotectionbetweentheEuropeanUnionandtheUnitedStates. TheEuropeanUnion'sDataProtectionDirective(Directive95/46/EC)generally prohibitedthetransferofpersonaldatatocountriesoutsidetheEuropeanEconomic Area(EEA)unlessthosecountriesensuredanadequatelevelofdataprotection5 . RecognizingthattheUnitedStatesdidnothaveanequivalentcomprehensivefederal privacylaw,negotiationsbetweentheUSDepartmentofCommerce(DOC)andthe EuropeanCommission(EC)ledtothedevelopmentoftheSafeHarboragreement
theUSDepartmentofCommerce12.ItaimedtoprovidestrongerobligationsonUS companiesregardingtheprotectionofpersonaldataofEuropeansandincluded enhancedmechanismsformonitoringandenforcementbyboththeUSDepartmentof CommerceandtheFederalTradeCommission(FTC),alongwithincreased cooperationwithEuropeanDataProtectionAuthorities(DPAs)6.ThePrivacyShield alsoincorporatedcommitmentsfromtheUSgovernmentregardinglimitationson accesstopersonaldatabypublicauthoritiesfornationalsecuritypurposesand establishedaredressmechanismforEUindividuals6 .
Despitethesee�orts,theEU-USPrivacyShieldalsofacedlegalchallenges.InJuly 2020,theCJEU,intheDataProtectionCommissionerv.FacebookIrelandand MaximillianSchremscase(commonlyknownasSchremsII),invalidatedthePrivacy Shieldframework12.TheCourtagaincitedconcernsabouttheaccessibilityof personaldatabyUSintelligenceagenciesandthelackofanadequatelevelof protectionessentiallyequivalenttothatguaranteedunderEUlaw12.Theinvalidation ofbothSafeHarborandPrivacyShieldcreatedsigni�cantlegaluncertaintyfor businessestransferringdatabetweentheEUandtheUS.
InresponsetotheSchremsIIruling,negotiationsbetweentheEuropeanCommission andtheUnitedStatesledtotheagreementonanewframework:theEU-USData PrivacyFramework.Thisframeworkwasagreeduponin2022anddeclaredadequate bytheEuropeanCommissiononJuly10,2023,therebyallowingthetransferof personaldatafromtheEUtotheUSbasedonArticle45oftheGDPR10.TheData PrivacyFrameworkprovidesamechanismforUSorganizationstoself-certifytheir compliancewithasetofprinciplestotheUSDepartmentofCommerce,commi�ingto protectpersonaldatatransferredfromtheEUinamannerconsistentwithEUlaw10.It includesstrongerobligationsforUScompaniestoprotectEuropean'spersonaldata andenhancedmonitoringandenforcementbytheUSDepartmentofCommerceand theFederalTradeCommission,includingincreasedcooperationwithEuropeanData ProtectionAuthorities6.Furthermore,theframeworkincorporatescommitmentsfrom theUSregardinglimitationsonsignalsintelligenceactivitiestowhatisnecessaryand proportionateandestablishesaDataProtectionReviewCourt(DPRC)tohandle complaintsfromEUcitizensregardingthecollectionoftheirdatafornationalsecurity purposes12.Consequently,anystatementregardingEU-USdatatransfersshould referencethecurrentDataPrivacyFramework,nottheinvalidatedSafeHarbor.
IV.GDPRandtheDe�nitionofPersonalData
TheGeneralDataProtectionRegulation(GDPR)appliestotheprocessingofpersonal dataofindividualswithintheEuropeanUnion,regardlessofwherethedatacontroller
individualsabouthowtheirdataisused23.Transparencyiscrucialandrequires concise,easilyaccessibleinformationusingclearandplainlanguage44 .
Theprincipleofpurposelimitationmandatesthatpersonaldatashouldonlybe collectedforspeci�ed,explicit,andlegitimatepurposesandnotfurtherprocessedin amannerincompatiblewiththosepurposes32.Thismeansthatevenifdataispublicly available,itcannotbeusedforanypurposewithoutalegitimatejusti�cationthatwas eitherinitiallyspeci�edoriscompatiblewiththeoriginalcontextofitspublic availability34.Theprincipleofdataminimizationrequiresthattheprocessingof personaldataisadequate,relevant,andlimitedtowhatisnecessaryfortheintended purposes32.Furthermore,theprincipleofaccuracynecessitatesthatpersonaldatais accurateandkeptuptodate32,whilestoragelimitationdictatesthatdatashould onlybekeptforaslongasnecessaryforthepurposesforwhichitisprocessed32.The principlesofintegrityandcon�dentialityrequireensuringappropriatesecurityof personaldata32,and�nally,theprincipleofaccountabilityholdsthedatacontroller responsiblefordemonstratingcompliancewithalltheseprinciples32 .
Beyondthesecoreprinciples,GDPRimposesspeci�ctransparencyobligations, particularlyunderArticles13and14.Whenpersonaldataisnotobtaineddirectlyfrom thedatasubject(asisthecasewithpubliclyavailableinformation),Article14requires thecontrollertoprovidethedatasubjectwithspeci�cinformation,includingthe purposesoftheprocessing,thecategoriesofpersonaldataconcerned,therecipients ofthedata,andnotably,thesourcefromwhichthepersonaldataoriginates,including whetheritcamefrompubliclyaccessiblesources31.Thisinformationmustbe providedwithinareasonableperioda�erobtainingthedata,generallywithinone month,oratthelatest,whenthedatais�rstdisclosedtoanotherrecipient35 . Therefore,evenifanorganizationonlyprocessespubliclyavailableinformation,itstill hasafundamentalobligationtoinformdatasubjectsaboutthisprocessing,including thesourceofthedata.
VI.LawfulBasesforProcessingPubliclyAvailableInformation
UnderGDPR,theprocessingofpersonaldataisonlylawfulifitfallsunderoneofthe sixlawfulbasesoutlinedinArticle657.Thesebasesinclude:thedatasubject's consent;processingnecessaryfortheperformanceofacontract;processing necessaryforcompliancewithalegalobligation;processingnecessarytoprotect thevitalinterestsofthedatasubjectoranothernaturalperson;processing necessaryfortheperformanceofataskcarriedoutinthepublicinterestorinthe exerciseofo�cialauthority;andprocessingnecessaryforthepurposesofthe legitimateinterestspursuedbythecontrollerorbyathirdparty,exceptwheresuch
Processingspecialcategoriesofpersonaldataobtainedfrompublicsources warrantsparticulara�entionunderArticle9ofGDPR24.Generally,theprocessingof suchsensitivedataisprohibitedunlessspeci�cconditionsaremet,suchasexplicit consentoranotherlegalbasislistedinArticle934.Anexceptionexistsifthedata subjecthasmanifestlymadethedatapublicandclearlyindicatedtheirintentionforit tobefurtherprocessed34.However,thisrequiresaveryclearandunambiguous indicationfromthedatasubject.
Furthermore,processingpubliclyavailabledataforpurposesthatarebeyondwhat thedatasubjectwouldreasonablyexpectcanbeconsideredaprivacyviolation34.For instance,ifanindividual'snameandaddressarepubliclyavailableinaphone directory,usingthisinformationforunsoliciteddirectmarketingpurposesmightstill beseenasintrusiveandunexpected,requiringalawfulbasissuchaslegitimate interests,whichwouldstillbesubjecttothebalancingtestandtheindividual'srightto object.Similarly,combiningpersonaldatafromvariouspubliclyaccessiblesourcesto createadetailedpro�leofanindividualcanbeparticularlyintrusiveandmayleadtoa signi�cantderogationofprivacyifnotconductedtransparentlyandwithavalidlawful basis35.Theaggregationofseeminglyinnocuouspiecesofpubliclyavailable informationcanrevealmuchmoreaboutanindividualthantheindividualpieces alone.
GDPRdoesprovidecertainexceptionsandderogationsinspeci�ccircumstances. Article89outlinessafeguardsandderogationsrelatingtoprocessingforarchiving purposesinthepublicinterest,scienti�corhistoricalresearchpurposes,orstatistical purposes,subjecttoappropriatesafeguards66.Article49providesderogationsfor speci�csituationsregardinginternationaldatatransfersintheabsenceofan adequacydecisionorappropriatesafeguards67.Additionally,Article23allowsfor MemberStatelawstorestrictthescopeofcertainrightsandobligationsunderGDPR inspeci�careas,suchasnationalsecurityandpublicsafety68.However,these derogationsarespeci�candmustbeinterpretednarrowly.Therefore,ageneral statementaboutprocessingpubliclyavailableinformationdoesnotautomatically invoketheseexceptions.Theorganizationmuststilladheretothecoreprinciplesand obligationsofGDPRunlessaspeci�cderogationclearlyappliestotheirprocessing activities.
VIII.FormulatingaGDPR-CompliantStatementRegardingPubliclyAvailable Information
Whencommunicatingabouttheprocessingofpubliclyavailableinformation, organizationsmustprioritizeaccuracyandtransparencytocomplywithGDPR
transatlanticdatatransfers,itisnolongerlegallyvalid.Therefore,anystatement relyingsolelyonthisframeworkinthecontextofGDPRwouldbeinaccurateand potentiallymisleading.Processingpubliclyavailableinformationdoesnot automaticallyexemptanorganizationfromitsobligationsunderGDPRifthat informationconstitutespersonaldata.Theregulation'scoreprinciples,including lawfulness,fairness,transparency,purposelimitation,andaccountability,stillapply. Furthermore,datasubjectshavetherighttobeinformedabouttheprocessingof theirpersonaldata,includingthesource,evenifitispubliclyavailable.
ToensureGDPRcompliance,theusershouldtakethefollowingrecommendationsinto account:
● AvoidRelyingSolelyontheTerm"SafeHarborAct":Clarifythecontextand,if applicabletoEU-USdatatransfers,refertothecurrentEU-USDataPrivacy Framework.
● DoNotAssumeGDPRExemption:Recognizethatprocessing"publiclyavailable information"doesnotautomaticallyexempttheorganizationfromGDPR obligations.
● ConductaPrivacyImpactAssessment(DPIA):Iftheprocessingofpublicly availableinformationislikelytoresultinahighrisktotherightsandfreedomsof naturalpersons,aDPIAshouldbeconducted35 .
● ImplementaGDPR-CompliantPrivacyNotice:Developacomprehensive privacynoticethatprovidesallthenecessaryinformationtodatasubjectsabout theprocessingoftheirpubliclyavailablepersonaldata,asoutlinedinSectionVIII.
● IdentifyandDocumenttheLawfulBasis:Determineandclearlydocumentthe speci�clawfulbasisunderArticle6ofGDPRthatjusti�estheprocessingofthe publiclyavailableinformation.Ifrelyingonlegitimateinterests,ensurethe three-parttestisthoroughlyconductedanddocumented.
● EstablishProceduresforDataSubjectRightsRequests:Ensurethatthe organizationhasclearande�ectiveproceduresinplacetohandlerequestsfrom individualsseekingtoexercisetheirrightsunderGDPR.
● RegularlyReviewandUpdatePolicies:Dataprivacyregulationsandbest practicesevolve,soitisessentialtoregularlyreviewandupdatedataprocessing policiesandprivacynoticestomaintaincompliance.
● SeekLegalCounsel:GiventhecomplexitiesofGDPRanditsapplicationto variousdataprocessingactivities,itisadvisabletoconsultwithlegalexperts specializingindataprivacytoensurefullcomplianceandtoformulateaccurate andlegallysoundstatements.
Byadheringtotheserecommendations,theorganizationcanmovetowardsamore
LegalObligation
VitalInterests
PublicInterest
LegitimateInterests
Workscited
Necessaryforcompliance withalegalobligation.
Necessarytoprotectthelife ofthedatasubjectoranother person.
Necessaryforataskinthe publicinterestoro�cial authority.
Necessaryforthecontroller's orathirdparty'slegitimate interests,unlessoverriddenby thedatasubject'srights
generally.
Mayapplyinspeci�c scenarioswhereprocessingis legallymandated.
Lesslikelytobetheprimary basisforprocessingpublicly availableinformation generally.
Mayapplytoorganizations withpublicfunctions processingdataforthose purposes.
Likelytobeacommonbasis, requiringathree-part balancingtestand considerationofdatasubject rights.
1 ww2.nycourts.gov,accessedMarch18,2025, h�ps://ww2.nycourts.gov/ip/womeninthecourts/pdfs/MULLEN%20 HUMAN%20T RAFFICKING 1 d.pdf
2 ChangingCourse:-CreatingNewYorkState'sSafeHarbourforYouthWith CommercialSexualExploitationExperiences-OCFS,accessedMarch18,2025, h�ps://ocfs.ny.gov/programs/human-tra�cking/assets/docs/Safe-Harbour-NY-10 -Year-Report.pdf
3 WhatIstheSafeHarborLaw&WhatStatesHaveIt?,accessedMarch18,2025, h�ps://www.barrywax.com/blog/what-is-the-safe-harbor-law/
4 Safeharbor(law)-Wikipedia,accessedMarch18,2025, h�ps://en.wikipedia.org/wiki/Safe_harbor_(law)
5 Privacy&DataSecurity:TheFutureoftheUS-EUSafeHarbor,accessedMarch18, 2025, h�ps://www.hunton.com/assets/htmldocuments/uploads/sites/18/2013/12/Privacy -Data-Security-The-Future-of-the-US-EU-Safe-Harbor.pdf
6 InternationalSafeHarborPrivacyPrinciples-Wikipedia,accessedMarch18,2025, h�ps://en.wikipedia.org/wiki/International Safe HarborPrivacyPrinciples
7 U.S.-EUSafeHarborFramework|FederalTradeCommission,accessedMarch18, 2025, h�ps://www.�c.gov/business-guidance/privacy-security/us-eu-safe-harbor-fram
h�ps://www.dataprivacyframework.gov/EU-US-Framework
23 WhatisGDPR,theEU'snewdataprotectionlaw?,accessedMarch18,2025, h�ps://gdpr.eu/what-is-gdpr/
24 GuidanceforEUGeneralDataProtectionRegulations(GDPR)complianceinthe conductofhumanresearch.-InstitutionalReviewBoard(IRB)O�ce,accessed March18,2025, h�ps://irb.northwestern.edu/resources-guidance/policies-guidance/docs/guidanc e-for-general-data-protection-regulations-gdpr-compliance---general---19171. pdf
25.PersonalData-GeneralDataProtectionRegulation(GDPR),accessedMarch18, 2025,h�ps://gdpr-info.eu/issues/personal-data/
26.PersonalDataUndertheGeneralDataProtectionRegulation(GDPR)-Inspired eLearning,accessedMarch18,2025, h�ps://inspiredelearning.com/blog/gdpr-personal-data/
27.WhatIsPersonalInformationUnderDataPrivacyLaws-Termly,accessedMarch 18,2025,h�ps://termly.io/resources/articles/personal-information/
28.Dataprotectionexplained-EuropeanCommission,accessedMarch18,2025, h�ps://commission.europa.eu/law/law-topic/data-protection/data-protection-exp lained en
29.GeneralDataProtectionRegulation-NYU,accessedMarch18,2025, h�ps://www.nyu.edu/research/resources-and-support-o�ces/ge�ing-started-wi thyourresearch/human-subjects-research/forms-guidance/EUGDPR.html
30.Art.4GDPR–De�nitions-GeneralDataProtectionRegulation(GDPR),accessed March18,2025,h�ps://gdpr-info.eu/art-4-gdpr/
31.GDPRStatement|TheUniversityofAlabama,accessedMarch18,2025, h�ps://www.ua.edu/gdpr-statement/
32.Art.5GDPR–Principlesrelatingtoprocessingofpersonaldata,accessedMarch 18,2025,h�ps://gdpr-info.eu/art-5-gdpr/
33.PubliclyAvailablePersonalInformation-JoinDeleteMe,accessedMarch18,2025, h�ps://joindeleteme.com/glossary/publicly-available-personal-information/
34.GENERALINFORMATIONONHOWTOPROCESSPUBLICLYAVAILABLEDATAIN COMPLIANCEWITHGDPR-SolakPartners,accessedMarch18,2025, h�ps://solakpartners.com/general-information-on-how-to-process-publicly-avail able-data-in-compliance-with-gdpr/
35.Whatcommonissuesmightcomeupinpractice?|ICO,accessedMarch18,2025, h�ps://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-r ights/the-right-to-be-informed/what-common-issues-might-come-up-in-practi ce/
36.RighttobeInformed-GeneralDataProtectionRegulation(GDPR),accessed March18,2025,h�ps://gdpr-info.eu/issues/right-to-be-informed/
37.Art.14GDPR–Informationtobeprovidedwherepersonaldatahavenotbeen obtainedfromthedatasubject-GeneralDataProtectionRegulation(GDPR), accessedMarch18,2025,h�ps://gdpr-info.eu/art-14-gdpr/
38.HowdotheCPRA,CPA&VCDPAtreatpubliclyavailableinformation?|ByteBack, accessedMarch18,2025,
March18,2025,h�ps://gdpr-info.eu/art-13-gdpr/
53 Righttobeinformed|ICO,accessedMarch18,2025, h�ps://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-r ights/individual-rights/right-to-be-informed/
54 Howshouldwedra�ourprivacyinformation?|ICO,accessedMarch18,2025, h�ps://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-r ights/the-right-to-be-informed/how-should-we-dra�-our-privacy-information/
55.WritingaGDPR-compliantprivacynotice(templateincluded),accessedMarch18, 2025,h�ps://gdpr.eu/privacy-notice/
56.GDPRPrivacyNoticeorConsent-InstitutionalComplianceandEthics,accessed March18,2025, h�ps://www.boisestate.edu/compliance/eu-gdpr/privacy-notice-or-consent/
57.Art.6GDPR–Lawfulnessofprocessing-GeneralDataProtectionRegulation (GDPR),accessedMarch18,2025,h�ps://gdpr-info.eu/art-6-gdpr/
58.Consent-GeneralDataProtectionRegulation(GDPR),accessedMarch18,2025, h�ps://gdpr-info.eu/issues/consent/
59.Whatisthe'legitimateinterests'basis?|ICO,accessedMarch18,2025, h�ps://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basi s/legitimate-interests/what-is-the-legitimate-interests-basis/
60.AGuidetoUnderstandingLegitimateInterestin2024-Clym,accessedMarch18, 2025,h�ps://clym.io/blog/a-guide-to-understanding-legitimate-interest-in-2024
61.WhatIsLegitimateInterestUndertheGDPR?-ITGovernance,accessedMarch 18,2025, h�ps://www.itgovernance.eu/blog/en/the-gdpr-legitimate-interest-what-is-it-an d-when-does-it-apply
62.FivekeytakeawaysfromrecentEUdevelopmentsontheGDPR's“legitimate interests”legalbasis|InsidePrivacy,accessedMarch18,2025, h�ps://www.insideprivacy.com/data-privacy/�ve-key-takeaways-from-recent-eu -developments-on-the-gdprs-legitimate-interests-legal-basis/
63.LegalDisclaimerandDataProtection-ingenit,accessedMarch18,2025, h�ps://www.ingenit.com/en/legal-disclaimer-and-data-protection
64.GDPRLegitimateInterests-GDPREU,accessedMarch18,2025, h�ps://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/
65.Whencanwerelyonlegitimateinterests?|ICO,accessedMarch18,2025, h�ps://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basi s/legitimate-interests/when-can-we-rely-on-legitimate-interests/
66.Article89EUGDPR"Safeguardsandderogationsrelatingtoprocessingfor archivingpurposesinthepublicinterest,scienti�corhistoricalresearchpurposes orstatisticalpurposes",accessedMarch18,2025, h�ps://www.privacy-regulation.eu/en/article-89-safeguards-and-derogations-rel ating-to-processing-for-archiving-purposes-the-public-interest-scienti�c-or-hiGDPR.htm?ref=1ba4110
67.Art.49GDPR–Derogationsforspeci�csituations-GeneralDataProtection Regulation(GDPR),accessedMarch18,2025,h�ps://gdpr-info.eu/art-49-gdpr/
68.GeneralDataProtectionRegulationDerogations-GDPRResourceCenter,
accessedMarch18,2025,h�ps://gdpr.lw.com/Home/Derogations
69 GDPRPrivacyNoticeExamples|Secureframe,accessedMarch18,2025, h�ps://secureframe.com/hub/gdpr/privacy-notice
70 AguidetoGDPRdataprivacyrequirements-GDPR.eu,accessedMarch18,2025, h�ps://gdpr.eu/data-privacy/
71 WritingaGDPRcompliancestatement-FreeChecklist-Cyphere,accessed March18,2025,h�ps://thecyphere.com/blog/gdpr-statement/
72.GDPRComplianceStatement-PrivacyPolicies,accessedMarch18,2025, h�ps://www.privacypolicies.com/blog/gdpr-compliance-statement/
73.GDPRComplianceStatement-FreePrivacyPolicyGenerator,accessedMarch18, 2025,h�ps://www.freeprivacypolicy.com/blog/gdpr-compliance-statement/
74.DisclaimerandGDPR-HECATEProject,accessedMarch18,2025, h�ps://hecate-project.eu/disclaimer-and-gdpr/