The US Safe Harbor - Fact or Fiction? (2008)

5.6. Participation in privacy programs

The self-certification form asks organisations to ‘List any privacy programs in which your organization is a member for Safe Harbor purposes’. This is followed by a box where free text can be entered.

The exact purpose of this part of the self-certification is not clear. There is no requirement to join a privacy program. However, if text is entered here then it is important that the information is accurate. Care needs to be taken not to raise expectations that the ‘privacy programs’ play any formal role in the Safe Harbor arrangements (there is another box later in the form covering dispute resolution providers – who do play a formal role in the Safe Harbor).

Common entries in this section are TRUSTe (176), BBB (93) and DMA (67).

A range of additional organisations are listed as ‘privacy programs in which your organization is a member for Safe Harbor purposes’. However, none of these appear to be programs that cover privacy issues relevant to the Safe Harbor. Some entries are irrelevant or difficult to explain. Many entries appear to confuse privacy compliance with security compliance – and these entries generally indicate a lack of understanding about the Safe Harbor program. Entries include:

Privacy Program


American Arbitration Association

No relevant privacy program

American Society for Industrial Security (ASIS)

No relevant privacy program

Center for Internet Security

No relevant privacy program


Comodo is a firewall provider

European Privacy Officers Network

No relevant privacy program

Gramm-Leach-Bliley Act (GLBA)

GLBA is federal legislation


HIPAA is federal legislation

International Association of Privacy Professionals

No relevant privacy program

International Security Forum

No relevant privacy program

ISO 9001

Not relevant

Privacy Alliance


Statement on Auditing Standards No. 70: Service Organizations (SAS 70)

Not relevant

Tulsa Metro Chamber of Commerce

No relevant privacy program.

US Council for International Business (USCIB)

No relevant privacy program