Galexia
             home
       about us
        services
        projects
       research
          contact
» home » research » assets » safe harbor fact or fiction 2008  

Subscribe to Galexia news and announcements.
More information »

Specialised Legal and Regulatory Consulting: Our extensive legal background and our understanding of the impact of new technology on business processes allow us to deliver detailed and up to date legal and regulatory analysis. The task of interpreting legislation and regulations which have an impact on new technology products and services is one of Galexia’s core areas of expertise. Find out more »

[2016 Global Cloud Computing Readiness Scorecard]

2016 Global Cloud Computing Readiness Scorecard
Find out more »

The US Safe Harbor - Fact or Fiction? (2008)

[« previous] [next »] [up] [title page] [full contents]

5.8. Co-operation with the EU DPA Panel

The Safe Harbor enforcement principle requires organisations to identify an independent dispute resolution provider. However, it allows organisations to select an alternative approach – they may agree to cooperate with the dispute resolution Panel established by the EU Data Protection Authorities. Indeed, this approach is required for all human resources data.

Evidence of this ‘agreement to cooperate’ is essential, as the 2002 and 2004 EU reviews both found that it was necessary for a US organisation to agree to cooperate in order for the EU DPA Panel to gain jurisdiction. It was not sufficient to merely indicate the existence of the Panel or to refer consumers with disputes to individual EU Data Protection Authorities.

The agreement to cooperate with the EU DPA Panel may appear in either the self-certification entry or in the privacy policy. As usual there are considerable problems with data quality regarding this requirement. This includes inconsistency between the entry in the form, and entries on privacy policies. Also, 208 organisations failed to click on a selection in this part of the form, so their entry reads ‘select appropriate response’ – it is therefore unclear whether these organisations are bound.

Also, most privacy policies do not accurately convey information about the Panel to consumers. There is often no mention at all of the existence of the Panel. Where EU Data Protection Authorities are mentioned at all, the situation is often misdescribed in terms similar to the following:

If you cannot resolve the issue directly with the Company X Safe Harbor Privacy Contact, you may contact your local data protection authority for further information.[16]

Without a clear indication to consumers that the EU DPA Panel exists as an independent dispute resolution service AND a clear commitment to cooperate with the Panel, organisations are not compliant with the Safe Harbor.

In addition, some privacy policies contain references that would make no sense to a consumer, such as:

For human resources data we have agreed to cooperate with Data Protection Authorities.

In this example (and similar sites) there is no information about who or where these data protection Authorities are, and what their role is in the case of a dispute.

Overall, the Galexia study found that there was a very low level of compliance with the requirement to identify the EU DPA Panel correctly as the appropriate dispute resolution provider. Only four organisations in the entire study provided contact details for the Panel.

[16] <http://www.rrdonnelley.com/wwwRRD1/PrivacyPolicy.asp>

[« previous] [next »] [up] [title page] [full contents]

[view all] [download PDF version]

[up to research]

 

Search for:

HERE

PrintVersionprint this page

Sitemapsitemap

Subcribe to RSS newsrss news feed

Manage email subscriptionsmanage email subscriptions

Latest News

September 2019
Register of Public Galexia PIAs. Read more »

September 2019
Updates to Galexia Website. Read more »

September 2019
PM&C / Office of the National Data Commissioner (ONDC) releases Discussion Paper and accepts recommendations from Galexia’s PIA on the proposed Data Sharing and Release legislative framework. Read more »

August 2019
Galexia providing privacy advice and an independent public Privacy Impact Assessment (PIA) on 2021 Census for ABS. Read more »

June 2019
Galexia completes privacy advice and an independent Privacy Impact Assessment (PIA) on the Naval Shipbuilding College Workforce Register. Read more »

view all news items »

[Home] [Sitemap] [Print this page] [Privacy statement]

© Galexia Pty Ltd
Telephone: +61 (02) 9660 1111
Email: [email protected]