CISSP 2025 Content Breakdown
The EU-US Safe Harbor Framework, invalidated by the Court of Justice of the EU in 2015 and since replaced first by the EU-US Privacy Shield (itself invalidated in 2020) and then by the EU-US Data Privacy Framework, was a self-certification mechanism that allowed US companies to lawfully receive personal data transferred from the European Union.
The Safe Harbor Framework rested on seven privacy principles, and a compliant privacy policy had to reflect each of them:
Notice: Organizations must inform individuals about the purposes for which they collect and use information, how to contact the organization with inquiries or complaints, the types of third parties to whom the information may be disclosed, and the choices offered for limiting its use and disclosure.
Choice: Individuals must be given the option to opt out of having their information disclosed to a third party or used for a purpose other than the one for which it was originally collected; for sensitive information, an explicit (opt-in) choice is required.
Onward Transfer: Transfers of data to a third party can only occur if the third party adheres to the same level of data protection.
Security: Organizations must take reasonable precautions to protect personal data from loss, misuse, and unauthorized access.
Data Integrity: Data must be relevant to the purposes for which it is used, must not be processed in a way incompatible with those purposes, and should be accurate, complete, and current.
Access: Individuals must have access to their personal data and be able to correct, amend, or delete information that is inaccurate, except where the burden or expense of providing access would be disproportionate or where the rights of others would be violated.
Enforcement: There must be readily available and affordable independent recourse mechanisms, procedures for verifying compliance, and an obligation to remedy problems arising from non-compliance.
This is where option B comes in. A compliant policy had to give individuals a clear way to reach the organization so they could exercise the access right above, and the Notice principle independently required the policy to say how the organization can be contacted.
Explanation of the Options:
A. An explanation of how long the data subject's collected information will be retained for and how it will eventually be disposed of. Retention periods and disposal are a critical part of data lifecycle management and are expected under modern regulations such as the GDPR, but they were not a mandatory element of a Safe Harbor policy. Retention is loosely connected to the Data Integrity principle (data should be kept only while it remains relevant to its purpose), yet the framework required no specific retention or disposal disclosure.
B. An explanation of who can be contacted at the organization... This is a direct requirement. The Notice principle required a policy to tell individuals how to contact the organization with inquiries or complaints, and the Access principle required that individuals be able to correct, amend, or delete inaccurate data, which they can only do if the policy identifies a point of contact. That makes it a must-contain element.
C. An explanation of the regulatory frameworks and compliance standards the information-collecting organization adheres to. An organization may mention this for transparency, but it was not a required element of a Safe Harbor policy. The policy itself was the adherence mechanism; it did not have to catalogue other frameworks.
D. An explanation of all the technologies employed... This level of technical detail is not required in a high-level privacy policy. The focus is on what data is collected and how it is used and disclosed, not on the specific technologies used to collect it.
In summary, the Access principle (backed by the contact disclosure the Notice principle requires) directly supports option B, making it the only item on the list that was a mandatory component of a compliant EU-US Safe Harbor privacy policy.