43. Cloud Validation – Safe Harbor Challenge

Regulators agree that you can outsource services, but they insist that you cannot outsource your GXP responsibility. (p. 160)


Software as a Service (SaaS) applications used in a GXP regulated work process still require compliance to EU Privacy Directives and to US Health and Human Services (HHS) legislation known as the Health Information Portability and Accountability Act (HIPAA). Both regulations require the secure protection of a person’s protected health information (PHI). In addition to protecting identifiable personal health data, the EU Directive also has restrictions for geographic limits on the location of PHI data storage and use outside the country in which it was collected.

The geographic limit, in particular, has raised issues for GXP regulated clients and their cloud technology providers. Cloud technology allows quick and easy transfer of stored data across a global network of servers without geographic limits unless country limits are specifically designed into the network configuration. The US-EU Safe Harbor Framework was approved by the EU in 2000. Self-certification with annual review and notification of compliance to Safe Harbor Principles will ensure that EU organizations know that a US organization provides “adequate” privacy protection as defined by the European Commission’s Directive on Data Privacy, effective October 1998.

Self-certified organizations must comply with the following seven Safe Harbor Privacy Principles:

  1. Notice: Must notify individuals about the purposes for which they collect and use information about them. Provide information for how individuals can contact the organization with any inquiries or complaints, the types of third parties to which they disclose the information, and choices and means for limiting its use and disclosure.
  2. Choice: Must give individuals the opportunity to choose (opt out) whether their data will be disclosed to a third party or used for a purpose incompatible with the original purpose for which it was collected.
  3. Onward Transfer (Transfers to Third Parties): Must apply the Notice and Choice principles to disclose information to a third party. Must ensure that the third party subscribes to Safe Harbor Privacy Principles or is subject to the EU Directive or another adequacy finding.
  1. Access: Individual must have access to own personal data and be able to correct, amend, or delete inaccurate information, except where rights of other individuals would be violated.
  1. Security: Must take reasonable precautions to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
  1. Data Integrity: Personal information must be relevant for the purposes of its intended use. Reasonable steps should be taken to ensure that data is reliable for its intended use, accurate, complete, and current.
  1. Enforcement: To ensure compliance with these principles, there must be (a) readily available and affordable independent recourse mechanisms so complaints and disputes can be investigated and resolved and damages awarded; (b) procedures for verifying that commitments to adhere to Safe Harbor have been implemented; and (c) obligations to remedy problems arising out of failure to comply. Sanctions must be sufficiently rigorous to ensure compliance by the organization.


Reference: The U.S. – EU Safe Harbor Framework: Guide to Self-Certification, US Department of Commerce, March 2009 (Updated March 2013) Available at www.export.gov/safeharbor .