The US Safe Harbor - Fact or Fiction? (2008)

5.4. Availability of privacy policies

The entire legal basis of the Safe Harbor relies on a privacy policy being available, so that a comparison can be made between privacy promises and privacy practices. If there is a difference between the promise and the practice, the Federal Trade Commission will have jurisdiction to act using its general consumer protection powers. If no privacy policy is available, the organisation will not be compliant with the US Safe Harbor and there may be no legal basis for enforcement action:

The FTC has powers to pursue companies which make false or misleading statements in their privacy policies, but it is doubtful whether it would have jurisdiction over those that fail to actually publish the required statements. In those cases ... it would be very hard for any kind of enforcement action to proceed in the United States.[13]

The 2004 EU review of the Safe Harbor stressed the importance of privacy policies being available for public review:

Lack of a public self-statement in itself means that Safe Harbor participants are falling short of what the decision requires. To comply with the Safe Harbor, a company must be subject to enforcement actions by the FTC. The FTC’s authority to enforce the Principles upon a given organisation is triggered by such an organisation’s public commitment to comply with the Principles. Without such a public commitment, the FTC would not have the authority to enforce the Principles. This basically puts the company that lacks a publicly available privacy policy that fully embraces the Principles in non-compliance.[14]

The Galexia study found that many organisations do not make their privacy policies available. The following table summarises the availability of privacy policies:


Number of Organisations

Not Available – Contact Required
Requires contact with the organisation; often an email address is supplied, or the location requires a password.


Not Available – Absent
The website does not have a privacy policy or access to the privacy policy is permanently broken. In this study access was attempted using both Internet Explorer and Mozilla Firefox. Searches included home pages, contact sections, ‘about us’, FAQs etc.


Available – Findable using search
The Department of Commerce self-certification entry was incorrect, but the privacy policy could be found using simple site searches.


Available – Accurate link provided
Accurately linked or clearly on the home page (includes correcting basic typos).



[13] Pedersen A, US Safe Harbor under fire, Privacy Law and Business Reporter, issue 75, October 2004, page 10.

[14] EU 2004 review, page 6.